0d8bfba24c94912b675bb2b0c82255908dde5d327462c86a69cd257a4f233f25

General

Target

Alpine_Client_Setup_1_8_2_x86_64_34967856f4.exe
Size

6.9MB
MD5

d868b655d271ae44026642ce12db070e
SHA1

21e53641d81f6d73bbba18678073388c45af32d1
SHA256

0d8bfba24c94912b675bb2b0c82255908dde5d327462c86a69cd257a4f233f25
SHA512

33a28189f18793da4da41d9b2cc322f6575892541d1820bc6c6c5e1bd737de3e475371f6f224f21cb4c2b70999dafcefd36b6b55d301a9fcf2af4dc18797ddef
SSDEEP

196608:OvfXF+3LN1k9IJJCJ4ANDgEkpsBmD6bTZ9RraOMPHe:O3ALGIJU/gEqs86DMe

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 5 IoCs

pid	Process
324	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.tmp
2832	pinnacle-windows-amd64.exe
2448	pinnacle-windows-amd64.exe
1164	pinnacle-windows-amd64.exe
2808	pinnacle-windows-amd64.exe

Loads dropped DLL 12 IoCs

pid	Process
2904	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.exe
324	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.tmp
324	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.tmp
324	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.tmp
324	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.tmp
324	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.tmp
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
324	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.tmp
324	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2596	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2596	AUDIODG.EXE
Token: 33	2596	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2596	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
324	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 324	2904	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.exe	29
PID 2904 wrote to memory of 324	2904	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.exe	29
PID 2904 wrote to memory of 324	2904	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.exe	29
PID 2904 wrote to memory of 324	2904	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.exe	29
PID 2904 wrote to memory of 324	2904	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.exe	29
PID 2904 wrote to memory of 324	2904	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.exe	29
PID 2904 wrote to memory of 324	2904	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.exe	29
PID 324 wrote to memory of 2832	324	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.tmp	30
PID 324 wrote to memory of 2832	324	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.tmp	30
PID 324 wrote to memory of 2832	324	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.tmp	30
PID 324 wrote to memory of 2832	324	Alpine_Client_Setup_1_8_2_x86_64_34967856f4.tmp	30

C:\Users\Admin\AppData\Local\Temp\Alpine_Client_Setup_1_8_2_x86_64_34967856f4.exe
"C:\Users\Admin\AppData\Local\Temp\Alpine_Client_Setup_1_8_2_x86_64_34967856f4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\is-B4S28.tmp\Alpine_Client_Setup_1_8_2_x86_64_34967856f4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-B4S28.tmp\Alpine_Client_Setup_1_8_2_x86_64_34967856f4.tmp" /SL5="$401B0,5792470,1371648,C:\Users\Admin\AppData\Local\Temp\Alpine_Client_Setup_1_8_2_x86_64_34967856f4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Users\Admin\AppData\Local\Programs\Alpine Client\pinnacle-windows-amd64.exe
    "C:\Users\Admin\AppData\Local\Programs\Alpine Client\pinnacle-windows-amd64.exe"
    3⤵
    - Executes dropped EXE
    PID:2832

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2880

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x55c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Users\Admin\AppData\Local\Programs\Alpine Client\pinnacle-windows-amd64.exe
"C:\Users\Admin\AppData\Local\Programs\Alpine Client\pinnacle-windows-amd64.exe"
1⤵
- Executes dropped EXE
PID:2448

C:\Users\Admin\AppData\Local\Programs\Alpine Client\pinnacle-windows-amd64.exe
"C:\Users\Admin\AppData\Local\Programs\Alpine Client\pinnacle-windows-amd64.exe"
1⤵
- Executes dropped EXE
PID:1164

C:\Users\Admin\AppData\Local\Programs\Alpine Client\pinnacle-windows-amd64.exe
"C:\Users\Admin\AppData\Local\Programs\Alpine Client\pinnacle-windows-amd64.exe"
1⤵
- Executes dropped EXE
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Programs\Alpine Client\pinnacle-windows-amd64.exe

Filesize
8.8MB

MD5
58242b67c1dca5aa44bd073c467fef52

SHA1
4007d7df8496c2ad478b926fdc68d45b469ce1d0

SHA256
bbc5a9c4197f314800b4c0298dfc64b2ac7a88222855d9f70b332e7c22a034c8

SHA512
30c6acb4d7f8ba2aba1a630f3cccd08dddfe88df2d7a32e5b644c39bd5b9450d2293053008b222ec18fdd83737f5012234727b89ee89fe4d562ee209163585c8

Download Submit
\Users\Admin\AppData\Local\Programs\Alpine Client\unins000.exe

Filesize
3.7MB

MD5
b70bb5d5c57a0f5f06a5f5986630a422

SHA1
e0913caa03762e8d18da8df62996b45114a3477c

SHA256
909192c54928190e346b206e6aec674b300aa753bc3f8978748249d179bde2e7

SHA512
3f97fa9ebad579c21e70146738753843b7606bcf119fdb541de9c91e72ed58bc17d7bec8376e201cf7c1112137f7922723ea9b59b0aabc2da13229ce6aa6a597

Download Submit
\Users\Admin\AppData\Local\Temp\is-B4S28.tmp\Alpine_Client_Setup_1_8_2_x86_64_34967856f4.tmp

Filesize
3.7MB

MD5
795014b00406eb92780fd7ce644cf9ff

SHA1
b0d8608879517ee26ca8244be1de20f473227f2e

SHA256
cc8bc64d6783e2fdf64a95a7c8bac518fe57d7e96fa64ee99ba0579d251d105a

SHA512
f298135ee28746cb218d1a474fd57258b2c5ab56fd114c267ab6c3ab25c6d6748d12ff55a5aaa283911b1ff838e7d11a9c6ccfd870263d213c5280fb4a3908c0

Download Submit
\Users\Admin\AppData\Local\Temp\is-NPFDN.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
memory/324-8-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/324-15-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/324-14-0x0000000000200000-0x00000000005BC000-memory.dmp

Filesize
3.7MB

Download
memory/324-36-0x0000000000200000-0x00000000005BC000-memory.dmp

Filesize
3.7MB

Download
memory/324-45-0x0000000000200000-0x00000000005BC000-memory.dmp

Filesize
3.7MB

Download
memory/2904-13-0x0000000000A70000-0x0000000000BCD000-memory.dmp

Filesize
1.4MB

Download
memory/2904-2-0x0000000000A71000-0x0000000000B19000-memory.dmp

Filesize
672KB

Download
memory/2904-0-0x0000000000A70000-0x0000000000BCD000-memory.dmp

Filesize
1.4MB

Download
memory/2904-46-0x0000000000A70000-0x0000000000BCD000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing