765436d4aa3de87af8b390d1cd16fce94c5f72dd04173adbb49c940b98b47704

Analysis

max time kernel
79s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2023 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windowsdesktop-runtime-3.1.32-win-x86.exe
Size

46.8MB
MD5

64820bb359e69b81ea680eeb24ca4c22
SHA1

8f0c04ecf97aae2d68354bddf4d1599a6dbc97e9
SHA256

765436d4aa3de87af8b390d1cd16fce94c5f72dd04173adbb49c940b98b47704
SHA512

6b96d2db0d42d06683b6fc2e991193686167d40c85912737705db23dbe8dc7d6b80689ab25201fc0a397c70c463c3fdd40d294e9c47d48b375ff8b7a0a699cf7
SSDEEP

786432:C+ajAAOzYCmKU8agc0eCQHP06ymAPMwNYnp8zHITMp0s5IcmWTNK5TxlOsDsCpxf:IjTOFVU8agcjZHBxAPQp+H2Mp2cmq4XP

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

windowsdesktop-runtime-3.1.32-win-x86.exe

pid process

3396 windowsdesktop-runtime-3.1.32-win-x86.exe
Loads dropped DLL 1 IoCs

Processes:

windowsdesktop-runtime-3.1.32-win-x86.exe

pid process

3396 windowsdesktop-runtime-3.1.32-win-x86.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3396	windowsdesktop-runtime-3.1.32-win-x86.exe

pid	process
3396	windowsdesktop-runtime-3.1.32-win-x86.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

windowsdesktop-runtime-3.1.32-win-x86.exe

description	pid	process	target process
PID 4348 wrote to memory of 3396	4348	windowsdesktop-runtime-3.1.32-win-x86.exe	windowsdesktop-runtime-3.1.32-win-x86.exe
PID 4348 wrote to memory of 3396	4348	windowsdesktop-runtime-3.1.32-win-x86.exe	windowsdesktop-runtime-3.1.32-win-x86.exe
PID 4348 wrote to memory of 3396	4348	windowsdesktop-runtime-3.1.32-win-x86.exe	windowsdesktop-runtime-3.1.32-win-x86.exe

C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-3.1.32-win-x86.exe
"C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-3.1.32-win-x86.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\Temp\{6245A021-688B-4DDA-8D38-C85C25DF65F0}\.cr\windowsdesktop-runtime-3.1.32-win-x86.exe
"C:\Windows\Temp\{6245A021-688B-4DDA-8D38-C85C25DF65F0}\.cr\windowsdesktop-runtime-3.1.32-win-x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-3.1.32-win-x86.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{6245A021-688B-4DDA-8D38-C85C25DF65F0}\.cr\windowsdesktop-runtime-3.1.32-win-x86.exe
Filesize
607KB

MD5
573c9d0095bdf8d8ce3d4fcf6ff8235a

SHA1
95183b4795681d06f487f8d4e458537383c7392f

SHA256
1d52b200bf32d43fdeeee00e0eaa5710dfc706f5c45a6b880f029369dcbae54b

SHA512
ab6924c16806d21be2ede17f144c05d7b4e608659fd0b509db3ff0e4a512c126683de9e4860ecfed8df011c1febea0bd922520b2e22aead723bb18d5a9720688

Download Submit
C:\Windows\Temp\{6245A021-688B-4DDA-8D38-C85C25DF65F0}\.cr\windowsdesktop-runtime-3.1.32-win-x86.exe
Filesize
607KB

MD5
573c9d0095bdf8d8ce3d4fcf6ff8235a

SHA1
95183b4795681d06f487f8d4e458537383c7392f

SHA256
1d52b200bf32d43fdeeee00e0eaa5710dfc706f5c45a6b880f029369dcbae54b

SHA512
ab6924c16806d21be2ede17f144c05d7b4e608659fd0b509db3ff0e4a512c126683de9e4860ecfed8df011c1febea0bd922520b2e22aead723bb18d5a9720688

Download Submit
C:\Windows\Temp\{CF605B6A-D3B1-4403-9076-4B0D41944A5B}\.ba\bg.png
Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
C:\Windows\Temp\{CF605B6A-D3B1-4403-9076-4B0D41944A5B}\.ba\wixstdba.dll
Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit