036b4f505edd828838268927adc7251d62d4415f388dd894d7501fd1263bbbd9

General

Target

036b4f505edd828838268927adc7251d62d4415f388dd894d7501fd1263bbbd9.exe
Size

299KB
MD5

9f713c935acbd5ab63362efe61e622ad
SHA1

e36778b3d00ef6445922377e9a256aafe7fcd073
SHA256

036b4f505edd828838268927adc7251d62d4415f388dd894d7501fd1263bbbd9
SHA512

c7b6ce191251647911157f7ba1292b813e30850997752d5d3a12f989afc8280dcd8d56a44b865f6fdb653cc91b1af8b5121fe25022207be60b2f77341f98e1af
SSDEEP

6144:Orka9uEo2S1YnQmCX492DkwNP3qpYF1aZpbdnMne3SLFjpjhGdO503+rhcLS:OrkCu6/eIo4Zf5nMmOjVG+US

Score

9^/10

discovery

Malware Config

Signatures

Detects executables referencing many IR and analysis tools 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015c52-19.dat	INDICATOR_SUSPICIOUS_References_SecTools

Loads dropped DLL 3 IoCs

pid	Process
2804	036b4f505edd828838268927adc7251d62d4415f388dd894d7501fd1263bbbd9.exe
2804	036b4f505edd828838268927adc7251d62d4415f388dd894d7501fd1263bbbd9.exe
2804	036b4f505edd828838268927adc7251d62d4415f388dd894d7501fd1263bbbd9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	036b4f505edd828838268927adc7251d62d4415f388dd894d7501fd1263bbbd9.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	036b4f505edd828838268927adc7251d62d4415f388dd894d7501fd1263bbbd9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2804	036b4f505edd828838268927adc7251d62d4415f388dd894d7501fd1263bbbd9.exe

C:\Users\Admin\AppData\Local\Temp\036b4f505edd828838268927adc7251d62d4415f388dd894d7501fd1263bbbd9.exe
"C:\Users\Admin\AppData\Local\Temp\036b4f505edd828838268927adc7251d62d4415f388dd894d7501fd1263bbbd9.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\3C38E468\cfg\1.ini

Filesize
524B

MD5
91f6c1b0eb4eb31c6db8597e3e24f237

SHA1
a8540996a3c374efe2c57017bc98e657d625f06e

SHA256
5b4f976deef13d2c400d0aec8e806b8e3feac9d72509f7c97b975525124b4db3

SHA512
14c33059ea6b5e4fb52724441b9772ddcc7d2565a7ab287bca1908a28833bf4acaf3243363a2283d485e87e70e7a385b8967b459674f27bb9e7a430b5d062ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7A828DAA-77B8-4D89-AF62-3F9AA161AF5C}\Readme.txt

Filesize
2KB

MD5
de2fa3f89b61bd3a3537c56bd00f3b22

SHA1
1fd91a11e6e9046ee385d3a87d9468f3cfafdc14

SHA256
6ec08c1ba7302e4f0e9e8fa246fdf827fa555306dfcca09e803d0c5cc7914a54

SHA512
7227fa7bf84fc09e34404dc34cecf9e728370d18db43e7622fc311f3d41cb235ba24a28ca1e5285c5e3ed6a1fa925d0352b11984d0b1df7a0dd2e11191dee766

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7A828DAA-77B8-4D89-AF62-3F9AA161AF5C}\Setup.exe

Filesize
15KB

MD5
e717f6ce3a7429bfa6d7f3cf66737a4b

SHA1
01f4042589b4ed88c351ffeac256be7a9d884818

SHA256
7be720a73ba8b084702c89f64a9b295fad92545d6ba781072cc056823f9a7633

SHA512
65a9a27430811aa01b55cf365f8b7b9f03e70d32ec60e0706242bc568242bcd493999dc1b02d92bf0d01c0095c8c38d30f282a998cafb80e60ad07e0d875ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7A828DAA-77B8-4D89-AF62-3F9AA161AF5C}\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
\Users\Admin\AppData\Local\Temp\TsuBA8E78E4.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
\Users\Admin\AppData\Local\Temp\{7A828DAA-77B8-4D89-AF62-3F9AA161AF5C}\Custom.dll

Filesize
70KB

MD5
cf8871d9353de6ec6885450d470c6e62

SHA1
0478926e48a4f76b365cc3d1877e2408f00415d4

SHA256
d5dcd241fcad38b8bfbd7a32ec85c71cf96b8a9671d96eb988264b00bfc2b373

SHA512
09d1356582188f6df358607af261afb5faa5e9055b1c84de8782109fb1db82320f739edeab751674a3bd8da758b1188ad212dc1d6d8b14a23a4edc48c3e1cf2c

Download Submit
\Users\Admin\AppData\Local\Temp\{7A828DAA-77B8-4D89-AF62-3F9AA161AF5C}\_Setup.dll

Filesize
160KB

MD5
3d99f53c75ee301fd7bc5abe8d883dbb

SHA1
35264d2ed3c675f152ac54045ce817693234fe06

SHA256
4ba7a5ffcfa4409eca57e201bedf9357d59a28bfd08b23081eb48f93ed8abea0

SHA512
a58054619c56b4dc1653876050a0b67df9bcffcf078b62f8cd88b96511a370e3ae9c67effc36d0b152eb5429f60eba52e5e58afca85a58527a3bf3600a89a42f

Download Submit

Analysis

Sharing