2273c4b82ed1c094edcc4e0d6c98f1a88e1e2b77b34968522a07d3b73be3e9fe

General

Target

aba238f6cae1b585418817f486f5e78d.exe
Size

327KB
MD5

aba238f6cae1b585418817f486f5e78d
SHA1

f6385335b3b30c7812a393359cf328fa5feae8bf
SHA256

2273c4b82ed1c094edcc4e0d6c98f1a88e1e2b77b34968522a07d3b73be3e9fe
SHA512

24214a9dd4d518bd95e9156acd4b2b3d38e7f61eaa182b356320922368aba57c1191d14fa6e1ef630185d464f7304b8d451dedd213f099731d17c9428f561228
SSDEEP

6144:/rhbUzkuvcBYC47l2xpi30XNFBLe8zl0yRNGNm3XPUwPa6Y+J/l:/rikuveY3+tNFhJrNf8lw

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2524	aba238f6cae1b585418817f486f5e78d.exe
2524	aba238f6cae1b585418817f486f5e78d.exe
2524	aba238f6cae1b585418817f486f5e78d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	aba238f6cae1b585418817f486f5e78d.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	aba238f6cae1b585418817f486f5e78d.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2524	aba238f6cae1b585418817f486f5e78d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2516	2524	aba238f6cae1b585418817f486f5e78d.exe	28
PID 2524 wrote to memory of 2516	2524	aba238f6cae1b585418817f486f5e78d.exe	28
PID 2524 wrote to memory of 2516	2524	aba238f6cae1b585418817f486f5e78d.exe	28
PID 2524 wrote to memory of 2516	2524	aba238f6cae1b585418817f486f5e78d.exe	28

C:\Users\Admin\AppData\Local\Temp\aba238f6cae1b585418817f486f5e78d.exe
"C:\Users\Admin\AppData\Local\Temp\aba238f6cae1b585418817f486f5e78d.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin674E.bat"
  2⤵
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\CDE6BBCE\cfg\1.ini

Filesize
368B

MD5
3a9830a2f57ef1e602de02bd9cc8eb56

SHA1
5135a0295755e536b833c6c6010900ff99cdbabf

SHA256
8d138bedf3228f7ef9405940526a73f49395fd2917aa22e7d5596297e222da42

SHA512
87ed85acdc1509bb02e437f50e7a90695f66b2a7a996a526f0310ba277de9ce8d7343983e2ae0b5dbedcca832bb90da802d7182972f1b14be0a203cfbd14cc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin674E.bat

Filesize
50B

MD5
bb95e91e11faa9eb36d95503d310fa01

SHA1
f130c5f20873dc6193f770f190b41738068b2731

SHA256
37fddfe85c99126a5ede12d36dc7d301779166f07a38bb85d82750371d182b2d

SHA512
2d6161e08340a6a6b7c15960403b1033efa19fe3f9afa202da32a93263cae9af147aeff5c8e957187d61e7d3208d2735656acb58f8b7d035da6e792a7aeb4e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3974011A-F3B8-497D-AB96-BB9AE29723EC}\Readme.txt

Filesize
2KB

MD5
c6170c4c8df492954df34d41839bdbd5

SHA1
814858aaa1b959033f6a9027191b4363a4d47a32

SHA256
356417f4cc6ad15bc541eb4e896416c70c4b281bf711a9c5d23ec36695bf9eaa

SHA512
dd0762a7f99e3aa82f9121da0a4c8c3c9638984ce030d62dd14d482c7388e6511faa7ba8ddb236bdb8cb5f9dafd7c08b0545508e49f5ebac03ae0e7cd9a8e914

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3974011A-F3B8-497D-AB96-BB9AE29723EC}\Setup.exe

Filesize
15KB

MD5
e717f6ce3a7429bfa6d7f3cf66737a4b

SHA1
01f4042589b4ed88c351ffeac256be7a9d884818

SHA256
7be720a73ba8b084702c89f64a9b295fad92545d6ba781072cc056823f9a7633

SHA512
65a9a27430811aa01b55cf365f8b7b9f03e70d32ec60e0706242bc568242bcd493999dc1b02d92bf0d01c0095c8c38d30f282a998cafb80e60ad07e0d875ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3974011A-F3B8-497D-AB96-BB9AE29723EC}\Setup.ico

Filesize
14KB

MD5
a869d21eb457ca588d16f43a91126be6

SHA1
0ccd2a84d9053d4188a3d34ffc2285000860d433

SHA256
88ab6715c4d86b3b191611dec390f32ea69aa1e1c796ac212f20ac237e0a0097

SHA512
8d0e3ce7d73f8481bc954465d07c55a5b996ef3bb21fdd0452206117c6a56df3c531bb67227f8d41a8fac28dcde549d86f1f7a0b3a226dda7c736105b42964fc

Download Submit
\Users\Admin\AppData\Local\Temp\Tsu9587C439.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
\Users\Admin\AppData\Local\Temp\{3974011A-F3B8-497D-AB96-BB9AE29723EC}\Custom.dll

Filesize
91KB

MD5
81856796ffc64fadd39fa921a1b45ddb

SHA1
360313131e7ae57002c2403dfc48bc20718d2cb0

SHA256
ec9146dfb838ad477bdf3cbde578baf014c8151d741559568dcb3803d6c9a0eb

SHA512
299771bc1f57eeb59665cfcfaedd0c4c196771173f1b65cfa21a1592ab46ab8a1733ef4a7560a74adde00c075dc7147ab9d0a885c5c7e0218f1f955b39aa2be0

Download Submit
\Users\Admin\AppData\Local\Temp\{3974011A-F3B8-497D-AB96-BB9AE29723EC}\_Setup.dll

Filesize
183KB

MD5
3530911a0588f1bbae2d8bba350b4474

SHA1
998bd2fe9abc3a81669330353b695e4d879b5e93

SHA256
4c2fdb86e7690e62dfd26a9b36d6b5f7a12b11d33c40ff0faa1aca54b667b6ee

SHA512
f183b9338232a59b000c758726c24cbbf74d7e5e3ad02da4977400ef9bcf1320ff211647de6a9273afc6605efc15257a838482810de828c4605f294b6faa6e14

Download Submit

Analysis

Sharing