7e88ac356dbcf8b33a17d52ab0178ea516471e7bc4d7d1c9814104fd74d584b3

Analysis

max time kernel
118s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2023, 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XMetersSetup.exe
Size

30.4MB
MD5

1f8df5e448954a5348a0af043bedb4d7
SHA1

d19753ad31cbc1f3257f11253d1bdfde8fafa57a
SHA256

7e88ac356dbcf8b33a17d52ab0178ea516471e7bc4d7d1c9814104fd74d584b3
SHA512

bacba9fb1e65dd64fb37225bd53b2aa51513cd4b6571ec042a06dcc9f8217ce5f37f5f4ba3ecd4c007e911aff55cfd8fcc8ba18286ee04994f93bbc367340222
SSDEEP

786432:u/OCJpE1xT4BYWL/B7wln24rfhzG2qEIvm1+XyUcAb3IA3/huAnKbjLQi:oO6pE1xT4BbLJ7wln1zhxL1+XyUcA8AA

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
384	XMetersSetup.exe

Loads dropped DLL 1 IoCs

pid	Process
384	XMetersSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 384	1248	XMetersSetup.exe	84
PID 1248 wrote to memory of 384	1248	XMetersSetup.exe	84
PID 1248 wrote to memory of 384	1248	XMetersSetup.exe	84

C:\Users\Admin\AppData\Local\Temp\XMetersSetup.exe
"C:\Users\Admin\AppData\Local\Temp\XMetersSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\Temp\{5E2BE327-5B72-4AC0-B022-4B83EE004312}\.cr\XMetersSetup.exe
  "C:\Windows\Temp\{5E2BE327-5B72-4AC0-B022-4B83EE004312}\.cr\XMetersSetup.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\XMetersSetup.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{5E2BE327-5B72-4AC0-B022-4B83EE004312}\.cr\XMetersSetup.exe

Filesize
913KB

MD5
530c693c4c9cfc4d155d25686c77f841

SHA1
c28ec089d9ad63d70e3403b217ec5c5aeed3004e

SHA256
bc985175146a3bb901d7ba8b72a1e5febb6969a0fd0420cace745f2cce0d8e09

SHA512
c0d5e2b63e31b9242d12e3285e6d08692fae4c72f4366eccdd31c192e5c0abedd417ca7994e9475e16e9c2956efd7dae71c48c8ea0ee99191b3104d090b064e4

Download Submit
C:\Windows\Temp\{5E2BE327-5B72-4AC0-B022-4B83EE004312}\.cr\XMetersSetup.exe

Filesize
913KB

MD5
530c693c4c9cfc4d155d25686c77f841

SHA1
c28ec089d9ad63d70e3403b217ec5c5aeed3004e

SHA256
bc985175146a3bb901d7ba8b72a1e5febb6969a0fd0420cace745f2cce0d8e09

SHA512
c0d5e2b63e31b9242d12e3285e6d08692fae4c72f4366eccdd31c192e5c0abedd417ca7994e9475e16e9c2956efd7dae71c48c8ea0ee99191b3104d090b064e4

Download Submit
C:\Windows\Temp\{BCEF3DC4-AE83-4FCE-9B5C-476BE1DD1866}\.ba\logo.png

Filesize
1KB

MD5
8cbd0496f2f0baf2c3026f7f8d147ece

SHA1
dcd79b325f101d6e338578d7d90e84826bb1c096

SHA256
2863445f18b5767dd458a211804a52f33167133d535305ada84104609cf44fb4

SHA512
e8182de65333289373e9a39686325f548979271342f22c520795e9720dde09f1ccae3da5e610ff66bed41646fe6289ffb6535d5eed92576d74a47cd56ac44b70

Download Submit
C:\Windows\Temp\{BCEF3DC4-AE83-4FCE-9B5C-476BE1DD1866}\.ba\wixstdba.dll

Filesize
175KB

MD5
8ca04519005ad03b4d9e062b97d7f79d

SHA1
df53ed9440d027401d502f3297668009030350a7

SHA256
7b9f919a3d1974fd8fa35ad189edc8bf287f476bd377e713e616b26864a4b0d3

SHA512
1a29e9e9bd798c892a7cd3cd4ff259195e4a92e26f53e8f1a86c75c5eb8fdda58ceba312cd791651fad5ce04529696195815a4ba5c143ad52a5ea0d7c539bb77

Download Submit