6d5952633a4426170c88ee93645e6d7373db79c30d2aa1ef66d82a164194a3aa

General

Target

48f66e4072c8f91b86ae7e22586f5580N.exe
Size

327KB
MD5

48f66e4072c8f91b86ae7e22586f5580
SHA1

399636d10bc2df6179b85c506311d5ddf6ecfd12
SHA256

6d5952633a4426170c88ee93645e6d7373db79c30d2aa1ef66d82a164194a3aa
SHA512

87f59354cbce5bb60c3baf00fff216da257f78b7f5c4a2671197a86fde4bb693427f027a6667ebae6c856b17a2f94d0019b6ebc36699850219dfe3ff6189d910
SSDEEP

6144:8rPbUzkuvcBYC47l2xx+DOd2cHRcsgIEHQi8KePBE:8rEkuveY3LDO8IRcsgISQBKePK

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3700	48f66e4072c8f91b86ae7e22586f5580N.exe
3700	48f66e4072c8f91b86ae7e22586f5580N.exe
3700	48f66e4072c8f91b86ae7e22586f5580N.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	48f66e4072c8f91b86ae7e22586f5580N.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	48f66e4072c8f91b86ae7e22586f5580N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3700	48f66e4072c8f91b86ae7e22586f5580N.exe
3700	48f66e4072c8f91b86ae7e22586f5580N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 2672	3700	48f66e4072c8f91b86ae7e22586f5580N.exe	87
PID 3700 wrote to memory of 2672	3700	48f66e4072c8f91b86ae7e22586f5580N.exe	87
PID 3700 wrote to memory of 2672	3700	48f66e4072c8f91b86ae7e22586f5580N.exe	87

C:\Users\Admin\AppData\Local\Temp\48f66e4072c8f91b86ae7e22586f5580N.exe
"C:\Users\Admin\AppData\Local\Temp\48f66e4072c8f91b86ae7e22586f5580N.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin6711.bat"
  2⤵
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\D4732F93\cfg\1.ini

Filesize
368B

MD5
3a9830a2f57ef1e602de02bd9cc8eb56

SHA1
5135a0295755e536b833c6c6010900ff99cdbabf

SHA256
8d138bedf3228f7ef9405940526a73f49395fd2917aa22e7d5596297e222da42

SHA512
87ed85acdc1509bb02e437f50e7a90695f66b2a7a996a526f0310ba277de9ce8d7343983e2ae0b5dbedcca832bb90da802d7182972f1b14be0a203cfbd14cc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsu2FC9EE1C.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin6711.bat

Filesize
50B

MD5
2eb6aa89284ed817a27ece0c9f9c87d1

SHA1
04f5d967ea5c506432351cb11b2841e9c66d8062

SHA256
63a24009792c8483eeaba9ed9a012c5416a43902a81af8820726cd433de64182

SHA512
9df31bbda79c7362777df916fae3ae7d395780c2f6de7db7fa14438db9b6b654eff47b57840d0e9cdf1c52886412beca1795b54bcbce0d74a1cd01872185230f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A9B49CE1-793C-4355-A1BE-311E7257BE17}\Custom.dll

Filesize
91KB

MD5
1e003f7cd537f729059dbf13c4b177ed

SHA1
8b13d68eeee3e3be94d961e03a57353245df2fdd

SHA256
3b4b5014529df5e4884b64e60c2bbb0a21c986a15f84d82dc2d4490a020741f4

SHA512
7ca111f01d6e9180bf1c5b8d6875e92182edf40c211888716ee1288d08dd7b68dacaeeaf2acc614d2cf4ca49a1eaa5228b5124572f628a937f895b05f5764fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A9B49CE1-793C-4355-A1BE-311E7257BE17}\Readme.txt

Filesize
2KB

MD5
0741869b7a2ba1b03c786427671272be

SHA1
d66e5450264d65653cfbd28cf61e88847da2c86b

SHA256
11e23a437ea1071bea16172258577ef7a8fb2b86382f895597f58953695f03f9

SHA512
403bf96446e10d04b5f540780907ebe3f75ce43764e5fb5126b2d9b891553fc14d7f1d110e34ef70fe68df8df45df8859cd16b9770afea9e92ec394120d882fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A9B49CE1-793C-4355-A1BE-311E7257BE17}\Setup.exe

Filesize
15KB

MD5
e717f6ce3a7429bfa6d7f3cf66737a4b

SHA1
01f4042589b4ed88c351ffeac256be7a9d884818

SHA256
7be720a73ba8b084702c89f64a9b295fad92545d6ba781072cc056823f9a7633

SHA512
65a9a27430811aa01b55cf365f8b7b9f03e70d32ec60e0706242bc568242bcd493999dc1b02d92bf0d01c0095c8c38d30f282a998cafb80e60ad07e0d875ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A9B49CE1-793C-4355-A1BE-311E7257BE17}\Setup.ico

Filesize
14KB

MD5
a869d21eb457ca588d16f43a91126be6

SHA1
0ccd2a84d9053d4188a3d34ffc2285000860d433

SHA256
88ab6715c4d86b3b191611dec390f32ea69aa1e1c796ac212f20ac237e0a0097

SHA512
8d0e3ce7d73f8481bc954465d07c55a5b996ef3bb21fdd0452206117c6a56df3c531bb67227f8d41a8fac28dcde549d86f1f7a0b3a226dda7c736105b42964fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A9B49CE1-793C-4355-A1BE-311E7257BE17}\_Setup.dll

Filesize
183KB

MD5
3530911a0588f1bbae2d8bba350b4474

SHA1
998bd2fe9abc3a81669330353b695e4d879b5e93

SHA256
4c2fdb86e7690e62dfd26a9b36d6b5f7a12b11d33c40ff0faa1aca54b667b6ee

SHA512
f183b9338232a59b000c758726c24cbbf74d7e5e3ad02da4977400ef9bcf1320ff211647de6a9273afc6605efc15257a838482810de828c4605f294b6faa6e14

Download Submit

Analysis

Sharing