79bbb63e4ad87a6cf16160dba2a7e1c9a92b1aee7278020aa8e8591b75d30fcb

Analysis

max time kernel
122s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2023, 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FLIR_Thermal_Studio_Installer (1).exe
Size

132.8MB
MD5

4ef5ceb4f91120ccb9ef482331d26c85
SHA1

469ad57936485f1a421c73edc3db2df7f807f514
SHA256

79bbb63e4ad87a6cf16160dba2a7e1c9a92b1aee7278020aa8e8591b75d30fcb
SHA512

5a6948103354525f403bba07ee5c5de44aaa108bf3cab7c4da65158f363713f55046fb26d2c22696ddf117c464720f5d577e8d2deebba8f4c9c287416b22183a
SSDEEP

3145728:BFMxC088FmdPCdjczzLvsHV7ZyOhRU9SDsYU0+8ys1ZUSVq4:j0aumdqdQXLvs175GSG0+8ys1mS84

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1228	FLIR_Thermal_Studio_Installer (1).exe

Loads dropped DLL 1 IoCs

pid	Process
1228	FLIR_Thermal_Studio_Installer (1).exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 1228	4984	FLIR_Thermal_Studio_Installer (1).exe	83
PID 4984 wrote to memory of 1228	4984	FLIR_Thermal_Studio_Installer (1).exe	83
PID 4984 wrote to memory of 1228	4984	FLIR_Thermal_Studio_Installer (1).exe	83

C:\Users\Admin\AppData\Local\Temp\FLIR_Thermal_Studio_Installer (1).exe
"C:\Users\Admin\AppData\Local\Temp\FLIR_Thermal_Studio_Installer (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\Temp\{4D0BA03E-C2A0-4F98-A0AA-F00D94F116E6}\.cr\FLIR_Thermal_Studio_Installer (1).exe
  "C:\Windows\Temp\{4D0BA03E-C2A0-4F98-A0AA-F00D94F116E6}\.cr\FLIR_Thermal_Studio_Installer (1).exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\FLIR_Thermal_Studio_Installer (1).exe" -burn.filehandle.attached=544 -burn.filehandle.self=556
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{4C14663B-59F4-4699-8CC9-1876D7079216}\.ba\wixstdba.dll

Filesize
184KB

MD5
fe7e0bd53f52e6630473c31299a49fdd

SHA1
f706f45768bfb95f4c96dfa0be36df57aa863898

SHA256
2bea14d70943a42d344e09b7c9de5562fa7e109946e1c615dd584da30d06cc80

SHA512
feed48286b1e182996a3664f0facdf42aae3692d3d938ea004350c85764db7a0bea996dfddf7a77149c0d4b8b776fb544e8b1ce5e9944086a5b1ed6a8a239a3c

Download Submit
C:\Windows\Temp\{4D0BA03E-C2A0-4F98-A0AA-F00D94F116E6}\.cr\FLIR_Thermal_Studio_Installer (1).exe

Filesize
590KB

MD5
e0b4a203519a8c91335d5f4bc96a1a9c

SHA1
5a06b7165ec8b40a01ae362ef385c37935224e8c

SHA256
e4e0c9f4f99033354eeb77a72bd6268c6ab57d21a05ece48b58d603542d45076

SHA512
3ef3da20296d521b3b70ac0438ebf71b623142402654cd4e0326fbb2ca4b08dcdfcb1d91e6173d6e29fac77a3f5d85b6ae30da01c49062fd7fdcc54f78fd1b56

Download Submit
C:\Windows\Temp\{4D0BA03E-C2A0-4F98-A0AA-F00D94F116E6}\.cr\FLIR_Thermal_Studio_Installer (1).exe

Filesize
590KB

MD5
e0b4a203519a8c91335d5f4bc96a1a9c

SHA1
5a06b7165ec8b40a01ae362ef385c37935224e8c

SHA256
e4e0c9f4f99033354eeb77a72bd6268c6ab57d21a05ece48b58d603542d45076

SHA512
3ef3da20296d521b3b70ac0438ebf71b623142402654cd4e0326fbb2ca4b08dcdfcb1d91e6173d6e29fac77a3f5d85b6ae30da01c49062fd7fdcc54f78fd1b56

Download Submit