20916e9bafdb6d5e5a919e9fd8fcf2e168b22a12837dc544bf43e7060dcf3544

General

Target

99f7ada73a4c4f1dac4fa96156dd344d.exe
Size

326KB
MD5

99f7ada73a4c4f1dac4fa96156dd344d
SHA1

63389f9a650fbf7f1c9119c2a3f5485bb62c34f2
SHA256

20916e9bafdb6d5e5a919e9fd8fcf2e168b22a12837dc544bf43e7060dcf3544
SHA512

2f23fd67c0018f57f8ceeb09008b7f8de7d67673eedde253ce23f8fa7c944ff57ad47d70c2a3325e9e6437e54d798cb2d6bb8bb34354f30db3876dfff59355b2
SSDEEP

6144:6r4I9uEo2S1YnQmCX492DkwNP3qpYFuT9U1FZA5MRwxuhhfch6clge:6r4gu6/eIo4nULZKMRwxuPfk6m

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1120	99f7ada73a4c4f1dac4fa96156dd344d.exe
1120	99f7ada73a4c4f1dac4fa96156dd344d.exe
1120	99f7ada73a4c4f1dac4fa96156dd344d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	99f7ada73a4c4f1dac4fa96156dd344d.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	99f7ada73a4c4f1dac4fa96156dd344d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1120	99f7ada73a4c4f1dac4fa96156dd344d.exe
1120	99f7ada73a4c4f1dac4fa96156dd344d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 100	1120	99f7ada73a4c4f1dac4fa96156dd344d.exe	86
PID 1120 wrote to memory of 100	1120	99f7ada73a4c4f1dac4fa96156dd344d.exe	86
PID 1120 wrote to memory of 100	1120	99f7ada73a4c4f1dac4fa96156dd344d.exe	86

C:\Users\Admin\AppData\Local\Temp\99f7ada73a4c4f1dac4fa96156dd344d.exe
"C:\Users\Admin\AppData\Local\Temp\99f7ada73a4c4f1dac4fa96156dd344d.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin34ED.bat"
  2⤵
  PID:100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\186D44B9\cfg\1.ini

Filesize
1024B

MD5
3612b1539591a78d48358bb6142e8637

SHA1
66accce223b0781410aeb6bc88054c7b3335e68c

SHA256
b9f2b788edfcfdbd2f48325b6f8780615f452d1420dad418ca1c40053cbfd490

SHA512
b1b0f6998c227d21e2449dec50ecabc923ba7b140e0866a12fcb77e1703daa481061a423e6b3f2a66ca40ff3556c338d54c81cd24350d0efaf5cdbcdac11a6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsu2F4C2B44.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin34ED.bat

Filesize
50B

MD5
089d98835d1f30f1fd430bd2fb04b2ec

SHA1
06e5f4776d00f6c887120e76fea2533c38405ed1

SHA256
724efb7371dd9f8e1d89497fc4c1dadac66235632c5391438a85c4b8894f02dd

SHA512
bc7ad3eaf4febb923fa0ce331cb3b1db7c13028e1422066e44f2a0b798d6727e4b6b9110c45d18d471975e009fafc1f70f178f4cec33f90b989094ff3846e9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{598C2172-B81B-4B5A-A9B1-F039826F0384}\Custom.dll

Filesize
91KB

MD5
396573acf88c363e3406677f3353d886

SHA1
95d078a2ff0eb1a884b932e08805cf178796b19b

SHA256
e269f87987fb85313f0d1b276656020470b04e5e545784f5b3e03f9ca611b482

SHA512
a5a0c72287044ebeba9ec45f46716592b945479a219b71a78e070f842a6d1c9c0c79d253946bf793b19b9dbbc2b05459ff7fdb0efaadc474c0b5190d828cc6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{598C2172-B81B-4B5A-A9B1-F039826F0384}\Readme.txt

Filesize
2KB

MD5
7992e88b2763c99c24416d6ebce88122

SHA1
0574110d8032aa337c4cbb0837ecca40e187d883

SHA256
8e72c04f8b95fe2af21a350739461527136b17730059722ed85a2b73b7df1538

SHA512
68aa293d6ee68ce5605490304a37cfda8abf5b4e8362946d492abb879773d79824519cf73368a01c13fea4eecf46f3e4e5afe0fea44bd56288b6379dcf6a25c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{598C2172-B81B-4B5A-A9B1-F039826F0384}\Setup.exe

Filesize
15KB

MD5
e717f6ce3a7429bfa6d7f3cf66737a4b

SHA1
01f4042589b4ed88c351ffeac256be7a9d884818

SHA256
7be720a73ba8b084702c89f64a9b295fad92545d6ba781072cc056823f9a7633

SHA512
65a9a27430811aa01b55cf365f8b7b9f03e70d32ec60e0706242bc568242bcd493999dc1b02d92bf0d01c0095c8c38d30f282a998cafb80e60ad07e0d875ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\{598C2172-B81B-4B5A-A9B1-F039826F0384}\Setup.ico

Filesize
14KB

MD5
fd7ffd6a90536af8391733e3695e3740

SHA1
6774868b160ec653a594a8c29ebc5c432a6615bb

SHA256
dddc311ded9236e2c582d9df11639b8119c2d9265799f225d9efb047c9f3118a

SHA512
3279d7277d587df6c20ddccb487a24fb2cd41f88b701a93b1166bb8f3653b752509fd675858ccf12d7c47fea6b82c2e201e96bc54500b76fd9a6169681527638

Download Submit
C:\Users\Admin\AppData\Local\Temp\{598C2172-B81B-4B5A-A9B1-F039826F0384}\_Setup.dll

Filesize
179KB

MD5
7f1a24ce168088160daed38269c01b78

SHA1
675c432b4a7b15f9a34fff8dd5f6c3984de5cb80

SHA256
6a97e35fbd5b3a8eab2ee6ddf440d381301476c16f9d7b4c22fcb1db77122762

SHA512
9d0e5ce57e446e04807b1fae4754874f967ece17b7692b06b2ce3e5f0388d896b39244cd4199f7f8e401a28a43b968194a14a9a252432b9542cfccb5d4f971e2

Download Submit

Analysis

Sharing