aa0c922c9c65f11b75747343b4711a0bdc8dc8ac1bd38da7c3ecd01ce28c8545

Analysis

max time kernel
117s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windowsdesktop-runtime-6.0.21-win-x64.exe
Size

54.7MB
MD5

1a6d60add2d112dd73e83fb46dca474d
SHA1

8b374a54f508cfdb8c8176bfaef96f37edf7170b
SHA256

aa0c922c9c65f11b75747343b4711a0bdc8dc8ac1bd38da7c3ecd01ce28c8545
SHA512

49192c5141bb04dc19483e8b1adec9c6f56fa54ef8c55e2f4fa4aae73abf9119bb7b1dff3d8f9b3307c50de8989669398a5f6d8dc4323b81b6a1def5ee6c6e79
SSDEEP

786432:TrS2qTgXes/qf9pmXoOz5imhfmgnAvgOLNsLKZCTpWecUlfe4X+wxCEGe9DdoAdz:6LoraD1Oz5imhfOL3WGA7QoaW//T

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
1704	windowsdesktop-runtime-6.0.21-win-x64.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	windowsdesktop-runtime-6.0.21-win-x64.exe
1704	windowsdesktop-runtime-6.0.21-win-x64.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1704	1720	windowsdesktop-runtime-6.0.21-win-x64.exe	28
PID 1720 wrote to memory of 1704	1720	windowsdesktop-runtime-6.0.21-win-x64.exe	28
PID 1720 wrote to memory of 1704	1720	windowsdesktop-runtime-6.0.21-win-x64.exe	28
PID 1720 wrote to memory of 1704	1720	windowsdesktop-runtime-6.0.21-win-x64.exe	28
PID 1720 wrote to memory of 1704	1720	windowsdesktop-runtime-6.0.21-win-x64.exe	28
PID 1720 wrote to memory of 1704	1720	windowsdesktop-runtime-6.0.21-win-x64.exe	28
PID 1720 wrote to memory of 1704	1720	windowsdesktop-runtime-6.0.21-win-x64.exe	28

C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.21-win-x64.exe
"C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.21-win-x64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\Temp\{20CBDF4E-F9B6-48EA-A4BB-96B1A1F1B4F7}\.cr\windowsdesktop-runtime-6.0.21-win-x64.exe
  "C:\Windows\Temp\{20CBDF4E-F9B6-48EA-A4BB-96B1A1F1B4F7}\.cr\windowsdesktop-runtime-6.0.21-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.21-win-x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{20CBDF4E-F9B6-48EA-A4BB-96B1A1F1B4F7}\.cr\windowsdesktop-runtime-6.0.21-win-x64.exe

Filesize
610KB

MD5
ff67a2a55ed6998ab527273d547fc00f

SHA1
852712b95ca05de8f336f07ff9ac672281b91215

SHA256
71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9

SHA512
48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

Download Submit
C:\Windows\Temp\{20CBDF4E-F9B6-48EA-A4BB-96B1A1F1B4F7}\.cr\windowsdesktop-runtime-6.0.21-win-x64.exe

Filesize
610KB

MD5
ff67a2a55ed6998ab527273d547fc00f

SHA1
852712b95ca05de8f336f07ff9ac672281b91215

SHA256
71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9

SHA512
48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

Download Submit
C:\Windows\Temp\{76035F85-FBFC-4C38-A65F-5C7A8FA1C551}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
\Windows\Temp\{20CBDF4E-F9B6-48EA-A4BB-96B1A1F1B4F7}\.cr\windowsdesktop-runtime-6.0.21-win-x64.exe

Filesize
610KB

MD5
ff67a2a55ed6998ab527273d547fc00f

SHA1
852712b95ca05de8f336f07ff9ac672281b91215

SHA256
71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9

SHA512
48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

Download Submit
\Windows\Temp\{76035F85-FBFC-4C38-A65F-5C7A8FA1C551}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit