Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/06/2023, 13:24

General

  • Target

    XMetersSetup.exe

  • Size

    30.4MB

  • MD5

    1f8df5e448954a5348a0af043bedb4d7

  • SHA1

    d19753ad31cbc1f3257f11253d1bdfde8fafa57a

  • SHA256

    7e88ac356dbcf8b33a17d52ab0178ea516471e7bc4d7d1c9814104fd74d584b3

  • SHA512

    bacba9fb1e65dd64fb37225bd53b2aa51513cd4b6571ec042a06dcc9f8217ce5f37f5f4ba3ecd4c007e911aff55cfd8fcc8ba18286ee04994f93bbc367340222

  • SSDEEP

    786432:u/OCJpE1xT4BYWL/B7wln24rfhzG2qEIvm1+XyUcAb3IA3/huAnKbjLQi:oO6pE1xT4BbLJ7wln1zhxL1+XyUcA8AA

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XMetersSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\XMetersSetup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Windows\Temp\{5E2BE327-5B72-4AC0-B022-4B83EE004312}\.cr\XMetersSetup.exe
      "C:\Windows\Temp\{5E2BE327-5B72-4AC0-B022-4B83EE004312}\.cr\XMetersSetup.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\XMetersSetup.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:384

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\Temp\{5E2BE327-5B72-4AC0-B022-4B83EE004312}\.cr\XMetersSetup.exe

    Filesize

    913KB

    MD5

    530c693c4c9cfc4d155d25686c77f841

    SHA1

    c28ec089d9ad63d70e3403b217ec5c5aeed3004e

    SHA256

    bc985175146a3bb901d7ba8b72a1e5febb6969a0fd0420cace745f2cce0d8e09

    SHA512

    c0d5e2b63e31b9242d12e3285e6d08692fae4c72f4366eccdd31c192e5c0abedd417ca7994e9475e16e9c2956efd7dae71c48c8ea0ee99191b3104d090b064e4

  • C:\Windows\Temp\{BCEF3DC4-AE83-4FCE-9B5C-476BE1DD1866}\.ba\logo.png

    Filesize

    1KB

    MD5

    8cbd0496f2f0baf2c3026f7f8d147ece

    SHA1

    dcd79b325f101d6e338578d7d90e84826bb1c096

    SHA256

    2863445f18b5767dd458a211804a52f33167133d535305ada84104609cf44fb4

    SHA512

    e8182de65333289373e9a39686325f548979271342f22c520795e9720dde09f1ccae3da5e610ff66bed41646fe6289ffb6535d5eed92576d74a47cd56ac44b70

  • C:\Windows\Temp\{BCEF3DC4-AE83-4FCE-9B5C-476BE1DD1866}\.ba\wixstdba.dll

    Filesize

    175KB

    MD5

    8ca04519005ad03b4d9e062b97d7f79d

    SHA1

    df53ed9440d027401d502f3297668009030350a7

    SHA256

    7b9f919a3d1974fd8fa35ad189edc8bf287f476bd377e713e616b26864a4b0d3

    SHA512

    1a29e9e9bd798c892a7cd3cd4ff259195e4a92e26f53e8f1a86c75c5eb8fdda58ceba312cd791651fad5ce04529696195815a4ba5c143ad52a5ea0d7c539bb77