dac82d7316c0bf7503c5e364db4099f8b9ad45dfa6a7ae658a291869aefb2b97

Analysis

max time kernel
137s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
09/02/2023, 06:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dotnet-sdk-7.0.102-win-x64.exe
Size

200.2MB
MD5

055697b51108abfb441f657ccf7eb9a3
SHA1

9c750923ef2862b8c9e7f0f038932f3eec566900
SHA256

dac82d7316c0bf7503c5e364db4099f8b9ad45dfa6a7ae658a291869aefb2b97
SHA512

1fbfce7951fb95b0219f56c409740767f3fde397b9ec77a1c7aff2b9184e4b93a009a605ca301b3030398d47ae018918555c49613015b2397de8b8690f7fd99a
SSDEEP

6291456:WmuDzQoOnlWXD88VKJ6uohhp0RcK6x90R/NkJrD5Y:W/zenlWXD85kxhhp05/uo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4916	dotnet-sdk-7.0.102-win-x64.exe

Loads dropped DLL 1 IoCs

pid	Process
4916	dotnet-sdk-7.0.102-win-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 4916	1892	dotnet-sdk-7.0.102-win-x64.exe	80
PID 1892 wrote to memory of 4916	1892	dotnet-sdk-7.0.102-win-x64.exe	80
PID 1892 wrote to memory of 4916	1892	dotnet-sdk-7.0.102-win-x64.exe	80

C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-7.0.102-win-x64.exe
"C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-7.0.102-win-x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\Temp\{8A8E1EEF-81E3-4E73-9A51-64D97B530B57}\.cr\dotnet-sdk-7.0.102-win-x64.exe
  "C:\Windows\Temp\{8A8E1EEF-81E3-4E73-9A51-64D97B530B57}\.cr\dotnet-sdk-7.0.102-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-7.0.102-win-x64.exe" -burn.filehandle.attached=696 -burn.filehandle.self=700
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{8A8E1EEF-81E3-4E73-9A51-64D97B530B57}\.cr\dotnet-sdk-7.0.102-win-x64.exe

Filesize
611KB

MD5
a2db17faa151dffed3c64268b478d853

SHA1
ef9f7def352b2c7606e7c86fbf6c26a1eb38ef3a

SHA256
a812153ee827fd9884a84c2effa78db8e97f4a5a3bd19e5de8f086d4a0cbc805

SHA512
6fa6f71c120a695625bd0db80145c8bedc491c66c75d3af93c2a494eef2bc5b485d6b30ace2f3d31501728eae2cb1951a23deb7643ea1517ae2e6fe230b1ab51

Download Submit
C:\Windows\Temp\{8A8E1EEF-81E3-4E73-9A51-64D97B530B57}\.cr\dotnet-sdk-7.0.102-win-x64.exe

Filesize
611KB

MD5
a2db17faa151dffed3c64268b478d853

SHA1
ef9f7def352b2c7606e7c86fbf6c26a1eb38ef3a

SHA256
a812153ee827fd9884a84c2effa78db8e97f4a5a3bd19e5de8f086d4a0cbc805

SHA512
6fa6f71c120a695625bd0db80145c8bedc491c66c75d3af93c2a494eef2bc5b485d6b30ace2f3d31501728eae2cb1951a23deb7643ea1517ae2e6fe230b1ab51

Download Submit
C:\Windows\Temp\{EF0249D7-44CF-4557-A772-31A2360B287E}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit