1023090cae82b76507432d66052ced1b03ea2e440ba2556e98f2a6598617d459

General

Target

b56688477fe12024c9fc867204f5f459.exe
Size

313KB
MD5

b56688477fe12024c9fc867204f5f459
SHA1

09e299cef33d42f82db1687fe727647956101fa3
SHA256

1023090cae82b76507432d66052ced1b03ea2e440ba2556e98f2a6598617d459
SHA512

6d6cf4ebf79460b99300df929bad33c3333ee83e737708ca2d97ca451ed05d6ebe23fa682c626741ff437abfb8b8c1b0a1478f0f0b5ba2ac12199fc83115ebf9
SSDEEP

6144:YrkA9uEo2S1YnQmCX492DkwNP3qpYF0lu7tIYxFtApNhiYLE2/5yr3+LijYbz:Yrk4u6/eIo4nlu7trxFtApfgMyrpjYbz

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1712	b56688477fe12024c9fc867204f5f459.exe
1712	b56688477fe12024c9fc867204f5f459.exe
1712	b56688477fe12024c9fc867204f5f459.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	b56688477fe12024c9fc867204f5f459.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	b56688477fe12024c9fc867204f5f459.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1712	b56688477fe12024c9fc867204f5f459.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2932	1712	b56688477fe12024c9fc867204f5f459.exe	30
PID 1712 wrote to memory of 2932	1712	b56688477fe12024c9fc867204f5f459.exe	30
PID 1712 wrote to memory of 2932	1712	b56688477fe12024c9fc867204f5f459.exe	30
PID 1712 wrote to memory of 2932	1712	b56688477fe12024c9fc867204f5f459.exe	30

C:\Users\Admin\AppData\Local\Temp\b56688477fe12024c9fc867204f5f459.exe
"C:\Users\Admin\AppData\Local\Temp\b56688477fe12024c9fc867204f5f459.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin6FE1.bat"
  2⤵
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\078A8C15\cfg\1.ini

Filesize
941B

MD5
2ff436e1a1fff5fc9eef8bb17f519e50

SHA1
d4f73dd8a7494ccd6f46c61bf71bd29bca80afe5

SHA256
493e7dc54cef97ff1875986ef2f159ea653ad947a36b27c1f226acff902386d8

SHA512
5d0ab0273b84f960f2591514aa383717a29a6e2682dbd4a30250e2e88e212a573ef533df0e9776a161b97f583f12ca7a1f2e66c7e00311648a9c5b3ce5e181a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin6FE1.bat

Filesize
50B

MD5
515b2a6717e0b6cab520a1c26b7b7f72

SHA1
8fdda6e8c300d53509777493ca8168d4e8bc5677

SHA256
18f68e18d0be819e904adf7fcc4caf100195a102ebd4a152944f16620577a123

SHA512
d9c57cf8b7baf55f71afd5eb8e5ce686256a8e4eee2a9fc29046596b2f36f40fbd8d6340b80bee626c22220837c0f1ef7997f581e07abb812bd60e85c58135c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A6EA8832-51AE-4361-A18A-198C7D09AAC4}\Readme.txt

Filesize
2KB

MD5
4a8f844355927fbe8bd85e03aab45e0b

SHA1
9d978f61b6a6ce746de4bbde9e1252575ca28caf

SHA256
d98c50857b3915c7af124a2982165e6139cc378aaad92df699ca2cc95c930d08

SHA512
f912d4bc848eab7d1d39e75448e6b81ef313bed2426a06524ddc1162b2ed379ed16aad362e3576419a56979c5926c0e64f8316e08dce38fa573a43be2f247727

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A6EA8832-51AE-4361-A18A-198C7D09AAC4}\Setup.exe

Filesize
15KB

MD5
e717f6ce3a7429bfa6d7f3cf66737a4b

SHA1
01f4042589b4ed88c351ffeac256be7a9d884818

SHA256
7be720a73ba8b084702c89f64a9b295fad92545d6ba781072cc056823f9a7633

SHA512
65a9a27430811aa01b55cf365f8b7b9f03e70d32ec60e0706242bc568242bcd493999dc1b02d92bf0d01c0095c8c38d30f282a998cafb80e60ad07e0d875ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A6EA8832-51AE-4361-A18A-198C7D09AAC4}\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
\Users\Admin\AppData\Local\Temp\Tsu7F5BBAF1.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
\Users\Admin\AppData\Local\Temp\{A6EA8832-51AE-4361-A18A-198C7D09AAC4}\Custom.dll

Filesize
91KB

MD5
ed92e425cd374788afede25d2dd9d84a

SHA1
666fcb0dc635af7ba075e48c8f8c72a16dd30a67

SHA256
a50e3750c29b54f7b304064bb843972dba4094ee9ceef4e6942c61d2a5690d46

SHA512
8afa88d37eaef17822c7fe9285f30d4766af63cabf0dea05b5e74b5a2cd5dfced7729418d42979a7ab006cda6a17731c59b93400c4f2be3f3b59e81e2800687d

Download Submit
\Users\Admin\AppData\Local\Temp\{A6EA8832-51AE-4361-A18A-198C7D09AAC4}\_Setup.dll

Filesize
169KB

MD5
204a2b4cd7d5022c92d0d15d33051795

SHA1
7742a0d36b16c07dde8c2d29b8d2bbeed17130d2

SHA256
d6267d0770d1e2ae443e2217ed5f326cf17a0a67454783af4e109db5f040fe85

SHA512
b4aeda6dbb92e070a5d650dfe28f1c0fac5125d9bc1603c8321124aa335d4842da774d68dc6c0f6415579b337a3527d991bc444e5a6167c672f8920759de86e3

Download Submit

Analysis

Sharing