f2d0ab25de019b14601830f3fa5d4f1eb8b1f898280424b79f125691bd4d93db

Analysis

max time kernel
135s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WindowsSensor-6.38.15205.exe
Size

88.0MB
MD5

3f1bb6fde5bbd57f78fd6f03e4b82250
SHA1

c35d28a1ee9845929753c4ab72e3732ac415d873
SHA256

f2d0ab25de019b14601830f3fa5d4f1eb8b1f898280424b79f125691bd4d93db
SHA512

5ee8b9cc23cd76997881d4921b87ab10912ceb002a842dbf1245bfff095f5592a52f1f2f831913a19f990b8b578bea194d9fcd3828cf9ca727e80866a301a573
SSDEEP

1572864:t3anSN91kjIF5P6nv6050p/7YBeX2kShWIGpvqrmVQ+4/j8zAsxdXsfDS1IH5pqe:t3bKsF5e59mrpvDGmh0m1IjX

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\	WindowsSensor-6.38.15205.exe
File created	C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\theme.thm	WindowsSensor-6.38.15205.exe
File created	C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\BlackButton.png	WindowsSensor-6.38.15205.exe
File created	C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\warning.png	WindowsSensor-6.38.15205.exe
File created	C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\BootstrapperApplicationData.xml	WindowsSensor-6.38.15205.exe
File created	C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\redarrow.png	WindowsSensor-6.38.15205.exe
File created	C:\Program Files (x86)\CSInstallTemp{B468099F-F750-499B-B8DB-5847EC24E20C}\.cr\WindowsSensor-6.38.15205.exe	WindowsSensor-6.38.15205.exe
File created	C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\fgba.dll	WindowsSensor-6.38.15205.exe
File created	C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\theme.wxl	WindowsSensor-6.38.15205.exe
File created	C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\CloseButton.png	WindowsSensor-6.38.15205.exe
File created	C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\RedButton.png	WindowsSensor-6.38.15205.exe
File opened for modification	C:\Program Files (x86)\	WindowsSensor-6.38.15205.exe
File created	C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\BundleUI.dll	WindowsSensor-6.38.15205.exe
File created	C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\blackarrow.png	WindowsSensor-6.38.15205.exe
File created	C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\WindowBackground.png	WindowsSensor-6.38.15205.exe

Executes dropped EXE 1 IoCs

pid	Process
1268	WindowsSensor-6.38.15205.exe

Loads dropped DLL 2 IoCs

pid	Process
1268	WindowsSensor-6.38.15205.exe
1268	WindowsSensor-6.38.15205.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 1268	2600	WindowsSensor-6.38.15205.exe	84
PID 2600 wrote to memory of 1268	2600	WindowsSensor-6.38.15205.exe	84
PID 2600 wrote to memory of 1268	2600	WindowsSensor-6.38.15205.exe	84

C:\Users\Admin\AppData\Local\Temp\WindowsSensor-6.38.15205.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsSensor-6.38.15205.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Program Files (x86)\CSInstallTemp{B468099F-F750-499B-B8DB-5847EC24E20C}\.cr\WindowsSensor-6.38.15205.exe
  "C:\Program Files (x86)\CSInstallTemp{B468099F-F750-499B-B8DB-5847EC24E20C}\.cr\WindowsSensor-6.38.15205.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\WindowsSensor-6.38.15205.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CSInstallTemp{B468099F-F750-499B-B8DB-5847EC24E20C}\.cr\WindowsSensor-6.38.15205.exe

Filesize
745KB

MD5
cc695177b2c8ada988ba96174b824019

SHA1
5a28b2d31f3a98f2299a8f82dcc5346f9b3379f5

SHA256
0a24ce0d578cb144d164bb012b329b77e3a1144a93f190ef05aa70898d86882e

SHA512
9a266984da64abf0d3889b979b86b20504a895a95eca16d07007d5a9767a202dc1bf151a0d8504dbf449ceb68dac9ae6b6d3a13b21fc1938034fa86b2a34276d

Download Submit
C:\Program Files (x86)\CSInstallTemp{B468099F-F750-499B-B8DB-5847EC24E20C}\.cr\WindowsSensor-6.38.15205.exe

Filesize
745KB

MD5
cc695177b2c8ada988ba96174b824019

SHA1
5a28b2d31f3a98f2299a8f82dcc5346f9b3379f5

SHA256
0a24ce0d578cb144d164bb012b329b77e3a1144a93f190ef05aa70898d86882e

SHA512
9a266984da64abf0d3889b979b86b20504a895a95eca16d07007d5a9767a202dc1bf151a0d8504dbf449ceb68dac9ae6b6d3a13b21fc1938034fa86b2a34276d

Download Submit
C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\BlackButton.png

Filesize
724B

MD5
498c8434976637d04996d84ff8e8dd0e

SHA1
080baeceea7fae59c0f596c959f5f7fa6b4084a2

SHA256
564f8e97854d8836596979df0370ccba4ab45365ff3581acfe400af63da5babc

SHA512
14285733df57b604acde43fda3fc2d1e5f00043e79c5e3f51ad77dbcb471c682b0cc4507e43e610711f964b04ab0ee233bc05d69ac7a3ca4744b680ff4c039af

Download Submit
C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\BundleUI.dll

Filesize
281KB

MD5
3177697f46008d419c28fcd3d4e8b85f

SHA1
bf32f9bbcf62791fd029306a6859c7fad60c4bd4

SHA256
ae8e1ad4c10084043da74f2569ddfd4b684b45ed80b334ed26e46bfc82d88344

SHA512
b5715e3ee0c13660e13ac999f5d47fe3a4e5abe5cbc19ef9709dfce1efd537dbfa3eca3c30126545a6bc01e7e4c6d37ef1e37bbfc3d77ce67fede31503c455cc

Download Submit
C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\CloseButton.png

Filesize
562B

MD5
bae0ac7f7c9eba1a5c3fc9ce8b64ed7c

SHA1
f00ee843dde2d31c48602e6a6c552983c45cd460

SHA256
f94c9b27c1b4f3dcfbe9e1c0a0d19889e44494e85e7ee378eb3f255290314567

SHA512
0bbeb001da8a6227acfdef8f890275c179fe17698de3c8d47972cc415a5fc94f2a41f10cddea44117ea73002a4d283f5024674f01e84e3b9e54f869fba36468d

Download Submit
C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\RedButton.png

Filesize
714B

MD5
279284444e0603fe06559aeab7c1a27f

SHA1
d067844ba644b4688164b83ad7a3f241455487e1

SHA256
cc533618d83e492062b6b38184c41f3fbd66ee054dc71feff6711c7481b089bd

SHA512
4328a9d85080f1fac2762e65d2f66c733527b590063c277f412afc2648e4e91db9e554fae440754491733545443c5b5e53eae1ea1cb0e5679945cb2ac47c6401

Download Submit
C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\WindowBackground.png

Filesize
24KB

MD5
b7b635eca45472657b52d3d997cf7a0e

SHA1
c00e5301e94fbc38bf3ae8ce304e9d969014654c

SHA256
6eebea354f57c74cd10f78880d60a8572e7a30312b6730bc57be528aba1f3f00

SHA512
c009ca2931537959d55a2091b686ddd1b6a3f416eb1f72a69cc4bcf025c21659b08ca06ee19d97d659e5372c84be38f09c762c3b4806507fc5f2239b4e5bff87

Download Submit
C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\blackarrow.png

Filesize
1KB

MD5
2e542b941531f17104a0089c579f58c3

SHA1
1b1c1661d6427134d61e8cbd609965fa71c30d7c

SHA256
e537353c8d8b4a42b9963a51239390a482e287c463e9759d5963781f85adad04

SHA512
eff182835d709313dfc49c5825c13361b22dff2a05774acf31028c5f43403368f00522310574f01dbed47e0f27a0c3001129b282a3a137153964e830c843fddd

Download Submit
C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\fgba.dll

Filesize
163KB

MD5
561089af5272e0bb52cc7b71109b1238

SHA1
578384afa4ac7597c4b06393a2aa8942fe2714c4

SHA256
f972a72922deabb12c383c5a282a4caf6c9a8f10984aac0f6ba1350794d01474

SHA512
d26debbd2c522f8f4ab829d24e64dfa1f9fabab4600b5a65ff8015d32d0a018fa45e5b6a9ec0d6ec98fdb33ca94e31b8d9659c4ca5347cb0c63c05bfa0a98f35

Download Submit
C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\redarrow.png

Filesize
1KB

MD5
ff69cb625852448dc51234a4e7640ee3

SHA1
4e428258e0d874b56fa9e7a766e880a31873d03b

SHA256
1eaf5e72f988cf2b3dc0e630e9bfc05b901f0d3ad9cf6dc3d223823c31ca628e

SHA512
168215128a676981f9263e1046bf897a3e54d9c9a4dfa96bb5509a12c9188e0f1c47d8e62728a86efd4e1ee24f9a78fcdb304665a1f075d4e1e1de5372d064ea

Download Submit
C:\Program Files (x86)\CSInstallTemp{F156DCEC-F693-40E0-8104-35BA742E9746}\.ba\warning.png

Filesize
1KB

MD5
1afac15833d6a205d4f44f53d687d325

SHA1
ff34f94dacb82a4612645dc85d4953d9e767cf6b

SHA256
f8c0c6c537dc0fa99776a042ae05f0448093a72b052f98ef56100613d20d84d3

SHA512
b46746564d272feb83f498489cf2b47a75d91749427deaaf76ef84ee6fcf09cc3a5985094dc295e3c8687f8e0364dcbf24369b013d15579851930158727cc180

Download Submit