124245ba280858010828261355f19bfe1ef7e0d7d89d879f4cb432bb6ebf222c

General

Target

f74198fcd1f1c92d48c7b0b63c1786d2.exe
Size

323KB
MD5

f74198fcd1f1c92d48c7b0b63c1786d2
SHA1

e3a11481828c5e4070e9f85bdf60f2d812f5e4b4
SHA256

124245ba280858010828261355f19bfe1ef7e0d7d89d879f4cb432bb6ebf222c
SHA512

6cbc24ae08a3300f9a6f2720cf3961ce58f64888a08436a34323334b36d012fc3a3852891e5145aba6e6a4844828e75f8e66b32f324eec3391cb21a6770260b7
SSDEEP

6144:nrw66Y0JQBkQRl7174NpNUM+UHs+QERfq0ZjgTSPjTy7N6XNSqweEO7Vsy7WybC:nrV63yRl1uqM+gs+QgiMgTwjO7IkE7VM

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3780	f74198fcd1f1c92d48c7b0b63c1786d2.exe
3780	f74198fcd1f1c92d48c7b0b63c1786d2.exe
3780	f74198fcd1f1c92d48c7b0b63c1786d2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	f74198fcd1f1c92d48c7b0b63c1786d2.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	f74198fcd1f1c92d48c7b0b63c1786d2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3780	f74198fcd1f1c92d48c7b0b63c1786d2.exe
3780	f74198fcd1f1c92d48c7b0b63c1786d2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 4264	3780	f74198fcd1f1c92d48c7b0b63c1786d2.exe	98
PID 3780 wrote to memory of 4264	3780	f74198fcd1f1c92d48c7b0b63c1786d2.exe	98
PID 3780 wrote to memory of 4264	3780	f74198fcd1f1c92d48c7b0b63c1786d2.exe	98

C:\Users\Admin\AppData\Local\Temp\f74198fcd1f1c92d48c7b0b63c1786d2.exe
"C:\Users\Admin\AppData\Local\Temp\f74198fcd1f1c92d48c7b0b63c1786d2.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin6A6B.bat"
  2⤵
  PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\FC90FF43\cfg\1.ini

Filesize
40KB

MD5
f2b28b165747468c88ef4e1df60a6601

SHA1
0515cb22048f232872251630c28b97bcb4f18dda

SHA256
be70bd6ea6c6c0779570a02324dc1fb8847a6202faf35efb9a189ef2f19138c4

SHA512
9b0abea9158437a8c5ff422b5debeaf7600611efc4b845dffb3098884d3a090ecf3449b66b4051a9e1319141096a5542f0b6ba9454960561bff85be0a3f303ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsu6B9AB0A1.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin6A6B.bat

Filesize
50B

MD5
453aae44ba7b5f24ae84cd8a1d637c16

SHA1
222740c26c3237c2c96095ebc526e8aeb35eb7bb

SHA256
3754b3d56e0f481550f3c482ea6c592f4e2de25e4d7bd8151ed80aeb59475c4b

SHA512
3fec2ac5926db2265c677cb436653ca88e74a2a4f607e236bf9ea9a98dfc3386ba80c350a273330f4dda83f96484206b9c916cd2402b8a9a310b8eb68cd5398f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6239D887-F2F2-4996-AB7D-BAD0B9DAFA71}\Custom.dll

Filesize
73KB

MD5
56a2a892987268718445147b7ddd0a98

SHA1
d56fe3883d4d286322981ea07d027554ad52a955

SHA256
5a5245919bb55d392a5e45563af2dc22a15a48a6e9e70b964b7ce339eb02a40f

SHA512
ef0d74fb6747006f9c997e6a43beb4de7cf72fc19000d7949da2c1a6251b9c07aa0c082a549a0b3d3e4a2f5a62682e0346ff8234457ba385488ef874fc600401

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6239D887-F2F2-4996-AB7D-BAD0B9DAFA71}\Readme.txt

Filesize
2KB

MD5
fedb5476eafd0efba58655e53451e69f

SHA1
735b6e89dca99120485015316fc905d42c0ea712

SHA256
b6cd6c7e780806c2e0c3a94139ccb2b94210dd9a3b2c96f0971ca760b1c0c792

SHA512
f8bb5dd3ee273920389ee33c86368433d50fc70fff772cbc2b6d096e4702c9cdcd1a8625176b1b78a9f9f8c4778b1915496e5d5947e6fba6e1d762d10b9c7723

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6239D887-F2F2-4996-AB7D-BAD0B9DAFA71}\Setup.exe

Filesize
15KB

MD5
e717f6ce3a7429bfa6d7f3cf66737a4b

SHA1
01f4042589b4ed88c351ffeac256be7a9d884818

SHA256
7be720a73ba8b084702c89f64a9b295fad92545d6ba781072cc056823f9a7633

SHA512
65a9a27430811aa01b55cf365f8b7b9f03e70d32ec60e0706242bc568242bcd493999dc1b02d92bf0d01c0095c8c38d30f282a998cafb80e60ad07e0d875ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6239D887-F2F2-4996-AB7D-BAD0B9DAFA71}\Setup.ico

Filesize
14KB

MD5
67748856779022418c44c8f112cffe8f

SHA1
3419bb77d3ddcc789548348c1ef2dbba516e8b26

SHA256
672b40b7f1500d49df4a4d267df7399290539e3d014f61e8a69480a94c52356c

SHA512
b3120cbf847e020bd9ab7c2a9d8d01e4bbfe28fb95337c6071b3aeac860a0ffe70e3346fa50ff23446072ef9ede776f0936ee61b6ccbec41346715fc6ae8a91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6239D887-F2F2-4996-AB7D-BAD0B9DAFA71}\_Setup.dll

Filesize
177KB

MD5
ca4b19929486ea6d1c9de6f229011a1b

SHA1
bc74a324a153874c579c6d0447ab91c30d1f1be8

SHA256
7c6325a1b66a36400af3c38a0ebea271845ddd7dd5042f641387920fa8bf1c31

SHA512
8aacc11c3a5babc3876387e89cf294d08e328b9466b69a371d2f1e8e4ef88bb1059b7361bb5737d3b426ee09c118b2dbf2b6065483c7c0c8b7bd198aa71b9d44

Download Submit

Analysis

Sharing