4acada737f2328fb1f3a3fc1d693e089abf9120b898c40a1a97ddbc46ebb085c

Analysis

max time kernel
29s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 01:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

31fff19c17889fb9e429ccdcb08a5f5e.exe
Size

26.0MB
MD5

31fff19c17889fb9e429ccdcb08a5f5e
SHA1

725e51f848b4cff487a13c3f372cdfa97870dada
SHA256

4acada737f2328fb1f3a3fc1d693e089abf9120b898c40a1a97ddbc46ebb085c
SHA512

dc3f6eef0037027f3508c6cba7d0293eddc7c31760e24b5be26c729504d3d37dfef8ad9d693147cb53dd5dbe8c13394da63082fd9a7107d6ecee61823293db79
SSDEEP

786432:O9Qaa3QROmEpabUgTcnvm4pWyk5yH76k060Lut+QIYPmWhU2:i4QROm0abUGcnvm4Ay56k06D+QvmQN

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
828	31fff19c17889fb9e429ccdcb08a5f5e.exe

Loads dropped DLL 3 IoCs

pid	Process
1236	31fff19c17889fb9e429ccdcb08a5f5e.exe
828	31fff19c17889fb9e429ccdcb08a5f5e.exe
828	31fff19c17889fb9e429ccdcb08a5f5e.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 828	1236	31fff19c17889fb9e429ccdcb08a5f5e.exe	28
PID 1236 wrote to memory of 828	1236	31fff19c17889fb9e429ccdcb08a5f5e.exe	28
PID 1236 wrote to memory of 828	1236	31fff19c17889fb9e429ccdcb08a5f5e.exe	28
PID 1236 wrote to memory of 828	1236	31fff19c17889fb9e429ccdcb08a5f5e.exe	28
PID 1236 wrote to memory of 828	1236	31fff19c17889fb9e429ccdcb08a5f5e.exe	28
PID 1236 wrote to memory of 828	1236	31fff19c17889fb9e429ccdcb08a5f5e.exe	28
PID 1236 wrote to memory of 828	1236	31fff19c17889fb9e429ccdcb08a5f5e.exe	28

C:\Users\Admin\AppData\Local\Temp\31fff19c17889fb9e429ccdcb08a5f5e.exe
"C:\Users\Admin\AppData\Local\Temp\31fff19c17889fb9e429ccdcb08a5f5e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\Temp\{87A541A2-E7A7-4C05-A08C-01239F375A58}\.cr\31fff19c17889fb9e429ccdcb08a5f5e.exe
  "C:\Windows\Temp\{87A541A2-E7A7-4C05-A08C-01239F375A58}\.cr\31fff19c17889fb9e429ccdcb08a5f5e.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\31fff19c17889fb9e429ccdcb08a5f5e.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{87A541A2-E7A7-4C05-A08C-01239F375A58}\.cr\31fff19c17889fb9e429ccdcb08a5f5e.exe

Filesize
1.9MB

MD5
2a0122104e193c571d0e764d82adb4f2

SHA1
eb29fca65a2c3f769be409da55b5a9be89ed68a7

SHA256
66c9e0caf141e9f1324f4b0a93930510aaaa0b3c2a8026353909f066ce043e8b

SHA512
c6febf0fae9886b78d3e330a244879d50c258b5e7cd143645d2e1b83368c46765d9e9fb74f1b0485aa9b6d37e9120112031844583ae4d4946b4dbbeb7cc4d497

Download Submit
C:\Windows\Temp\{87A541A2-E7A7-4C05-A08C-01239F375A58}\.cr\31fff19c17889fb9e429ccdcb08a5f5e.exe

Filesize
1.9MB

MD5
2a0122104e193c571d0e764d82adb4f2

SHA1
eb29fca65a2c3f769be409da55b5a9be89ed68a7

SHA256
66c9e0caf141e9f1324f4b0a93930510aaaa0b3c2a8026353909f066ce043e8b

SHA512
c6febf0fae9886b78d3e330a244879d50c258b5e7cd143645d2e1b83368c46765d9e9fb74f1b0485aa9b6d37e9120112031844583ae4d4946b4dbbeb7cc4d497

Download Submit
C:\Windows\Temp\{98137B0B-BE89-414F-9137-A61994FDDF2E}\.ba\mbapreq.png

Filesize
797B

MD5
a356956fd269567b8f4612a33802637b

SHA1
75ae41181581fd6376ca9ca88147011e48bf9a30

SHA256
a401a225addaf89110b4b0f6e8cf94779e7c0640bcdd2d670ffcf05aab0dad03

SHA512
a0f7836aefa1747f481c116f6b085f503b5c09b3a1dd97cd2189f7ce4e6e7ea98f1f66503cba2e6a83e873248cc7507328710dfa670aa5763df8aedcc560285e

Download Submit
\Windows\Temp\{87A541A2-E7A7-4C05-A08C-01239F375A58}\.cr\31fff19c17889fb9e429ccdcb08a5f5e.exe

Filesize
1.9MB

MD5
2a0122104e193c571d0e764d82adb4f2

SHA1
eb29fca65a2c3f769be409da55b5a9be89ed68a7

SHA256
66c9e0caf141e9f1324f4b0a93930510aaaa0b3c2a8026353909f066ce043e8b

SHA512
c6febf0fae9886b78d3e330a244879d50c258b5e7cd143645d2e1b83368c46765d9e9fb74f1b0485aa9b6d37e9120112031844583ae4d4946b4dbbeb7cc4d497

Download Submit
\Windows\Temp\{98137B0B-BE89-414F-9137-A61994FDDF2E}\.ba\mbahost.dll

Filesize
119KB

MD5
c59832217903ce88793a6c40888e3cae

SHA1
6d9facabf41dcf53281897764d467696780623b8

SHA256
9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db

SHA512
1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9

Download Submit
\Windows\Temp\{98137B0B-BE89-414F-9137-A61994FDDF2E}\.ba\mbapreq.dll

Filesize
184KB

MD5
fe7e0bd53f52e6630473c31299a49fdd

SHA1
f706f45768bfb95f4c96dfa0be36df57aa863898

SHA256
2bea14d70943a42d344e09b7c9de5562fa7e109946e1c615dd584da30d06cc80

SHA512
feed48286b1e182996a3664f0facdf42aae3692d3d938ea004350c85764db7a0bea996dfddf7a77149c0d4b8b776fb544e8b1ce5e9944086a5b1ed6a8a239a3c

Download Submit