23c00296cc88aea69188ec28b1bf6e2aaf686d1642415421118c5b770f239def

General

Target

2f1424be5734a2fe7414ebc7362c57cc.exe
Size

313KB
MD5

2f1424be5734a2fe7414ebc7362c57cc
SHA1

1b2705318b4d0ec18d2d2c7a55e319002e5bf62e
SHA256

23c00296cc88aea69188ec28b1bf6e2aaf686d1642415421118c5b770f239def
SHA512

224e13357f484cd27caeebbdf3180d1c5dd238c3c7be11d7ffbc4b87ceff9080b81093fb10bfa7ff6ad48a67dbe327dca4111237eb3ef9d93aa3eb14603f3811
SSDEEP

6144:ArkA9uEo2S1YnQmCX492DkwNP3qpYF0lu7tIYxFtApNhiYLE2/5yr3+LijYN:Ark4u6/eIo4nlu7trxFtApfgMyrpjYN

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
5080	2f1424be5734a2fe7414ebc7362c57cc.exe
5080	2f1424be5734a2fe7414ebc7362c57cc.exe
5080	2f1424be5734a2fe7414ebc7362c57cc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2f1424be5734a2fe7414ebc7362c57cc.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	2f1424be5734a2fe7414ebc7362c57cc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5080	2f1424be5734a2fe7414ebc7362c57cc.exe
5080	2f1424be5734a2fe7414ebc7362c57cc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4136	5080	2f1424be5734a2fe7414ebc7362c57cc.exe	95
PID 5080 wrote to memory of 4136	5080	2f1424be5734a2fe7414ebc7362c57cc.exe	95
PID 5080 wrote to memory of 4136	5080	2f1424be5734a2fe7414ebc7362c57cc.exe	95

C:\Users\Admin\AppData\Local\Temp\2f1424be5734a2fe7414ebc7362c57cc.exe
"C:\Users\Admin\AppData\Local\Temp\2f1424be5734a2fe7414ebc7362c57cc.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin6FE1.bat"
  2⤵
  PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\A1B840EE\cfg\1.ini

Filesize
918B

MD5
b38963a71adc08929e64acbcf01386df

SHA1
f6c971d309d68904c249d1d89ad95cebd02151cd

SHA256
ab1ef2212236c3e6cdd7c47ffe7d1a21a943b82c556a794f820c1ec38b72b31e

SHA512
ffd75cf15ffcd1e0f30910f1812280186f9c7906a398dcdeab39f4bdd4f62397be43b9e538ef5edf97b8b1fa6924519600bc09665162149305402a7d5c3cb65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TsuAF4D6476.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin6FE1.bat

Filesize
50B

MD5
f7dd8a705a3905ce4a432797f64dbb69

SHA1
5fc3c952a43c35383e6efba16317821a900b639c

SHA256
b9daf5fc2b2ddde7d4b8a9a43661b0ecaf2b79deb32c1e6e64194edf4ad989dc

SHA512
78b72f15c2c8e373c9fa0c89091ae98c883a9b631fc4163fe4c21e1fecf2368a1daa64f91272c5eda03c16de1bd57264e4d722a8156b6e0925cb9aa23ef892b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BB1470AD-D720-4CBF-AE54-9F0260F7525B}\Custom.dll

Filesize
91KB

MD5
ed92e425cd374788afede25d2dd9d84a

SHA1
666fcb0dc635af7ba075e48c8f8c72a16dd30a67

SHA256
a50e3750c29b54f7b304064bb843972dba4094ee9ceef4e6942c61d2a5690d46

SHA512
8afa88d37eaef17822c7fe9285f30d4766af63cabf0dea05b5e74b5a2cd5dfced7729418d42979a7ab006cda6a17731c59b93400c4f2be3f3b59e81e2800687d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BB1470AD-D720-4CBF-AE54-9F0260F7525B}\Readme.txt

Filesize
2KB

MD5
4a8f844355927fbe8bd85e03aab45e0b

SHA1
9d978f61b6a6ce746de4bbde9e1252575ca28caf

SHA256
d98c50857b3915c7af124a2982165e6139cc378aaad92df699ca2cc95c930d08

SHA512
f912d4bc848eab7d1d39e75448e6b81ef313bed2426a06524ddc1162b2ed379ed16aad362e3576419a56979c5926c0e64f8316e08dce38fa573a43be2f247727

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BB1470AD-D720-4CBF-AE54-9F0260F7525B}\Setup.exe

Filesize
15KB

MD5
e717f6ce3a7429bfa6d7f3cf66737a4b

SHA1
01f4042589b4ed88c351ffeac256be7a9d884818

SHA256
7be720a73ba8b084702c89f64a9b295fad92545d6ba781072cc056823f9a7633

SHA512
65a9a27430811aa01b55cf365f8b7b9f03e70d32ec60e0706242bc568242bcd493999dc1b02d92bf0d01c0095c8c38d30f282a998cafb80e60ad07e0d875ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BB1470AD-D720-4CBF-AE54-9F0260F7525B}\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BB1470AD-D720-4CBF-AE54-9F0260F7525B}\_Setup.dll

Filesize
169KB

MD5
204a2b4cd7d5022c92d0d15d33051795

SHA1
7742a0d36b16c07dde8c2d29b8d2bbeed17130d2

SHA256
d6267d0770d1e2ae443e2217ed5f326cf17a0a67454783af4e109db5f040fe85

SHA512
b4aeda6dbb92e070a5d650dfe28f1c0fac5125d9bc1603c8321124aa335d4842da774d68dc6c0f6415579b337a3527d991bc444e5a6167c672f8920759de86e3

Download Submit

Analysis

Sharing