169a1a8de7208ce525f8640ba1ca4a25f1098914f743a33020b186a8271efc66

General

Target

5f7e1683ca4403249b6aa71a200d17ac.exe
Size

321KB
MD5

5f7e1683ca4403249b6aa71a200d17ac
SHA1

de4c1187bb888e1fdae97842918883d35e7166c8
SHA256

169a1a8de7208ce525f8640ba1ca4a25f1098914f743a33020b186a8271efc66
SHA512

c898f49b2246d7d155afe6cbf267956ca0b10b15f644b01360bd43dd7cbff5155284661e0dc1b6c1da9c6cd4cfe2df9c8935a72756dc34659de1640fcabd8e85
SSDEEP

6144:5rIv1va9uEo2S1YnQmCX492DkwNP3qpYFp6UwkkZTyqCcbVdgXqUt4JRZ0nNMKi9:5rIv1qu6/eIo4EwTmq9dgXb4JRMNHi3N

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
904	5f7e1683ca4403249b6aa71a200d17ac.exe
904	5f7e1683ca4403249b6aa71a200d17ac.exe
904	5f7e1683ca4403249b6aa71a200d17ac.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	5f7e1683ca4403249b6aa71a200d17ac.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	5f7e1683ca4403249b6aa71a200d17ac.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
904	5f7e1683ca4403249b6aa71a200d17ac.exe
904	5f7e1683ca4403249b6aa71a200d17ac.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 2316	904	5f7e1683ca4403249b6aa71a200d17ac.exe	94
PID 904 wrote to memory of 2316	904	5f7e1683ca4403249b6aa71a200d17ac.exe	94
PID 904 wrote to memory of 2316	904	5f7e1683ca4403249b6aa71a200d17ac.exe	94

C:\Users\Admin\AppData\Local\Temp\5f7e1683ca4403249b6aa71a200d17ac.exe
"C:\Users\Admin\AppData\Local\Temp\5f7e1683ca4403249b6aa71a200d17ac.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinFFFE.bat"
  2⤵
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\44DAD144\cfg\1.ini

Filesize
40KB

MD5
f2b28b165747468c88ef4e1df60a6601

SHA1
0515cb22048f232872251630c28b97bcb4f18dda

SHA256
be70bd6ea6c6c0779570a02324dc1fb8847a6202faf35efb9a189ef2f19138c4

SHA512
9b0abea9158437a8c5ff422b5debeaf7600611efc4b845dffb3098884d3a090ecf3449b66b4051a9e1319141096a5542f0b6ba9454960561bff85be0a3f303ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TsuD9AF9F18.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinFFFE.bat

Filesize
50B

MD5
7b8fe7565899b0d397508ed71eb89d4c

SHA1
ca011e88128a7d1d94e836df05d1236368f5ef68

SHA256
f5d89018cce2d736b33c037abc3012f2fab1139d1b19916dd2bdb19ef80fb331

SHA512
8070b04148d8017731931362b22d2deaefe32e131497c74ee241fd07f375013edf8e7c952344a44e0bea134e01f3ff9e2793f384131ba325bd878596ddbc5a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5D453B27-C385-4469-A682-8BA786A619D1}\Custom.dll

Filesize
73KB

MD5
62c8a55c003044bc4810bc2db3e514c3

SHA1
0bcc928b4d0ab8c62b31fa026ecb8fa43629c7ae

SHA256
ad0b22b2a4d5e125517e1440207b96e9a6640f3c80c934f045df466d36388e14

SHA512
64a05460c4e5bc140b91d369a733745eb00a095d1ef0a83fb3ed8f4693ace77e0b7eea170b98d4f599ed50635cb993a6dad468f0fbbdc18281a746142df6f5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5D453B27-C385-4469-A682-8BA786A619D1}\Readme.txt

Filesize
2KB

MD5
afcf1dd833afa7aee9036b81f804e938

SHA1
1c86863ac16d1d2dc489906b02c1e7b3d045c3fa

SHA256
f67c73626eb69628860edcfed782dc57570e34c6aab53132fa2653c4263c4b5a

SHA512
f2529427706608b8e39acb0a97b44353ed12e4546bed1ed2997493069a8aefcdb2488853d5237aba8ab5bb82091274b712bf2cce75378fd5e605b26b1c0b928f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5D453B27-C385-4469-A682-8BA786A619D1}\Setup.exe

Filesize
15KB

MD5
e717f6ce3a7429bfa6d7f3cf66737a4b

SHA1
01f4042589b4ed88c351ffeac256be7a9d884818

SHA256
7be720a73ba8b084702c89f64a9b295fad92545d6ba781072cc056823f9a7633

SHA512
65a9a27430811aa01b55cf365f8b7b9f03e70d32ec60e0706242bc568242bcd493999dc1b02d92bf0d01c0095c8c38d30f282a998cafb80e60ad07e0d875ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5D453B27-C385-4469-A682-8BA786A619D1}\Setup.ico

Filesize
18KB

MD5
d770a03b797211a6565c286b80747436

SHA1
debd3c69f90244ee2ce1173918bb7945d0834709

SHA256
8bd4e3e5c3a0b24c720979b6e33450ed58996438ac5a82fb1dd40b4bcba63627

SHA512
1456c3a0746dae9f9d842e04faac060ee19c4ec3f23f20a44e0331ef49768b4e68835d6df5b0faabc722a78ccfca7b9a16419e2296af5ff2cce09f89a50c2720

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5D453B27-C385-4469-A682-8BA786A619D1}\_Setup.dll

Filesize
180KB

MD5
10a45f1ab43c12615706a95b6d5406cb

SHA1
3bce9901f02460e6e9174cc5f4b7b07eafecea81

SHA256
86e17751c8c63422b06809136252867ac47684956327c42804905447ddbf62f1

SHA512
0e16bc6976f942eea6516b59048c509ffde8ab357e2f62e4733f2c0a4083d97b28d6d70aa30d0713bb5a0eb0d860efcf54a55623fa20e93ad93c9db332b9d2cd

Download Submit

Analysis

Sharing