20916e9bafdb6d5e5a919e9fd8fcf2e168b22a12837dc544bf43e7060dcf3544

General

Target

99f7ada73a4c4f1dac4fa96156dd344d.exe
Size

326KB
MD5

99f7ada73a4c4f1dac4fa96156dd344d
SHA1

63389f9a650fbf7f1c9119c2a3f5485bb62c34f2
SHA256

20916e9bafdb6d5e5a919e9fd8fcf2e168b22a12837dc544bf43e7060dcf3544
SHA512

2f23fd67c0018f57f8ceeb09008b7f8de7d67673eedde253ce23f8fa7c944ff57ad47d70c2a3325e9e6437e54d798cb2d6bb8bb34354f30db3876dfff59355b2
SSDEEP

6144:6r4I9uEo2S1YnQmCX492DkwNP3qpYFuT9U1FZA5MRwxuhhfch6clge:6r4gu6/eIo4nULZKMRwxuPfk6m

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2040	99f7ada73a4c4f1dac4fa96156dd344d.exe
2040	99f7ada73a4c4f1dac4fa96156dd344d.exe
2040	99f7ada73a4c4f1dac4fa96156dd344d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	99f7ada73a4c4f1dac4fa96156dd344d.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	99f7ada73a4c4f1dac4fa96156dd344d.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2040	99f7ada73a4c4f1dac4fa96156dd344d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 636	2040	99f7ada73a4c4f1dac4fa96156dd344d.exe	30
PID 2040 wrote to memory of 636	2040	99f7ada73a4c4f1dac4fa96156dd344d.exe	30
PID 2040 wrote to memory of 636	2040	99f7ada73a4c4f1dac4fa96156dd344d.exe	30
PID 2040 wrote to memory of 636	2040	99f7ada73a4c4f1dac4fa96156dd344d.exe	30

C:\Users\Admin\AppData\Local\Temp\99f7ada73a4c4f1dac4fa96156dd344d.exe
"C:\Users\Admin\AppData\Local\Temp\99f7ada73a4c4f1dac4fa96156dd344d.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin34ED.bat"
  2⤵
  PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\74BCC1EB\cfg\1.ini

Filesize
1023B

MD5
aca9706e2a6a8d91f125ee45a3bc14d3

SHA1
0fa05b18943ab34d2b0063ac35c848be38207b3f

SHA256
4bb5adf0b5599283e522026c9f029bc8ced6f7fc346f91128aee260d880a0d5c

SHA512
cd391a16cdfa42bb6fac905a44b2ae09b2d19b295ae46799428a235358753821f52d04e19749e5a79b60b485cc35d33538bdd0724cdaca3f012e8a34c8f902b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin34ED.bat

Filesize
50B

MD5
e2a3c1cacd0b7c252f8ef01df7e9a608

SHA1
806afceab72757c6ddfde1a17ddd9e731885efe4

SHA256
193898461444e2e1dcb05b39cd78972af3bd2a3c21fba7d328ff9a8ef113d5b6

SHA512
bcb139a17594afdd50d44134afe191bcff76ffc9c950f9af1afb146cdb5665d0efbceba1bc35b94db9e4df95bbfe88cc1a887c5b93526222d20c2e23fb9225a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{738DDE52-9983-441C-A6F7-D1A1A86EFCA4}\Readme.txt

Filesize
2KB

MD5
7992e88b2763c99c24416d6ebce88122

SHA1
0574110d8032aa337c4cbb0837ecca40e187d883

SHA256
8e72c04f8b95fe2af21a350739461527136b17730059722ed85a2b73b7df1538

SHA512
68aa293d6ee68ce5605490304a37cfda8abf5b4e8362946d492abb879773d79824519cf73368a01c13fea4eecf46f3e4e5afe0fea44bd56288b6379dcf6a25c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{738DDE52-9983-441C-A6F7-D1A1A86EFCA4}\Setup.exe

Filesize
15KB

MD5
e717f6ce3a7429bfa6d7f3cf66737a4b

SHA1
01f4042589b4ed88c351ffeac256be7a9d884818

SHA256
7be720a73ba8b084702c89f64a9b295fad92545d6ba781072cc056823f9a7633

SHA512
65a9a27430811aa01b55cf365f8b7b9f03e70d32ec60e0706242bc568242bcd493999dc1b02d92bf0d01c0095c8c38d30f282a998cafb80e60ad07e0d875ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\{738DDE52-9983-441C-A6F7-D1A1A86EFCA4}\Setup.ico

Filesize
14KB

MD5
fd7ffd6a90536af8391733e3695e3740

SHA1
6774868b160ec653a594a8c29ebc5c432a6615bb

SHA256
dddc311ded9236e2c582d9df11639b8119c2d9265799f225d9efb047c9f3118a

SHA512
3279d7277d587df6c20ddccb487a24fb2cd41f88b701a93b1166bb8f3653b752509fd675858ccf12d7c47fea6b82c2e201e96bc54500b76fd9a6169681527638

Download Submit
\Users\Admin\AppData\Local\Temp\Tsu1113E07B.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
\Users\Admin\AppData\Local\Temp\{738DDE52-9983-441C-A6F7-D1A1A86EFCA4}\Custom.dll

Filesize
91KB

MD5
396573acf88c363e3406677f3353d886

SHA1
95d078a2ff0eb1a884b932e08805cf178796b19b

SHA256
e269f87987fb85313f0d1b276656020470b04e5e545784f5b3e03f9ca611b482

SHA512
a5a0c72287044ebeba9ec45f46716592b945479a219b71a78e070f842a6d1c9c0c79d253946bf793b19b9dbbc2b05459ff7fdb0efaadc474c0b5190d828cc6b6

Download Submit
\Users\Admin\AppData\Local\Temp\{738DDE52-9983-441C-A6F7-D1A1A86EFCA4}\_Setup.dll

Filesize
179KB

MD5
7f1a24ce168088160daed38269c01b78

SHA1
675c432b4a7b15f9a34fff8dd5f6c3984de5cb80

SHA256
6a97e35fbd5b3a8eab2ee6ddf440d381301476c16f9d7b4c22fcb1db77122762

SHA512
9d0e5ce57e446e04807b1fae4754874f967ece17b7692b06b2ce3e5f0388d896b39244cd4199f7f8e401a28a43b968194a14a9a252432b9542cfccb5d4f971e2

Download Submit

Analysis

Sharing