0be75f316589ca0e3daa2ef6586efb7aa7f585126e72edde6d114cb8082c3ca0

Analysis

max time kernel
111s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2023 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windowsdesktop-runtime-7.0.5-win-x64.exe
Size

54.9MB
MD5

c24781fc67a4702b7bbdac87082437ac
SHA1

5b4232eed009e6b66c64a6096b1277995de63f57
SHA256

0be75f316589ca0e3daa2ef6586efb7aa7f585126e72edde6d114cb8082c3ca0
SHA512

8907aa0e934a31c63f0a840bf9e734c2f5ba109b766c1a775f8adbb169049753664790c0a15b216f02a942392819a3500e4a33918df10fb967341dc167f82d11
SSDEEP

1572864:AD4lW6SbBOrV2TcyKG0DP13xXuMJ5w7CePuT:y4nSc8TcyKhDP1Rf5fePuT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2228	windowsdesktop-runtime-7.0.5-win-x64.exe

Loads dropped DLL 1 IoCs

pid	Process
2228	windowsdesktop-runtime-7.0.5-win-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2228	2916	windowsdesktop-runtime-7.0.5-win-x64.exe	87
PID 2916 wrote to memory of 2228	2916	windowsdesktop-runtime-7.0.5-win-x64.exe	87
PID 2916 wrote to memory of 2228	2916	windowsdesktop-runtime-7.0.5-win-x64.exe	87

C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.5-win-x64.exe
"C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.5-win-x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\Temp\{038FDFED-4E0D-4C7C-A496-480E02F0A28B}\.cr\windowsdesktop-runtime-7.0.5-win-x64.exe
  "C:\Windows\Temp\{038FDFED-4E0D-4C7C-A496-480E02F0A28B}\.cr\windowsdesktop-runtime-7.0.5-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.5-win-x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=648
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{038FDFED-4E0D-4C7C-A496-480E02F0A28B}\.cr\windowsdesktop-runtime-7.0.5-win-x64.exe

Filesize
610KB

MD5
b730242006df05dd8ff1f3ed6963e7ac

SHA1
34b9d71b69216c5f0baa647f58b08a3bd008bba2

SHA256
83a01378f6dca8ba5700bd5601cf5c6aeadfc8e14b8b12b5825740c49b1dccdd

SHA512
f26e9f0ca4df46c82298c06722abad976474d0150320ae7201b44149d1f9b89309922f77bc545d73c7156178fae458a735f77d6acaf4a739c16175fa428a6c0f

Download Submit
C:\Windows\Temp\{038FDFED-4E0D-4C7C-A496-480E02F0A28B}\.cr\windowsdesktop-runtime-7.0.5-win-x64.exe

Filesize
610KB

MD5
b730242006df05dd8ff1f3ed6963e7ac

SHA1
34b9d71b69216c5f0baa647f58b08a3bd008bba2

SHA256
83a01378f6dca8ba5700bd5601cf5c6aeadfc8e14b8b12b5825740c49b1dccdd

SHA512
f26e9f0ca4df46c82298c06722abad976474d0150320ae7201b44149d1f9b89309922f77bc545d73c7156178fae458a735f77d6acaf4a739c16175fa428a6c0f

Download Submit
C:\Windows\Temp\{5C25B281-40CD-431E-A886-E896D7B169FC}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
C:\Windows\Temp\{5C25B281-40CD-431E-A886-E896D7B169FC}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit