7fda06292c7c2e6da5aef88d8e9d3de89d331e9e356a232289f9b37ce4503894

Analysis

max time kernel
124s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PowerToysSetup-0.73.0-x64.exe
Size

230.8MB
MD5

52249e4615cbbb4a5da7cb4e6a424813
SHA1

58f2f77c99f12b1466687878b0068efa3a9b1f36
SHA256

7fda06292c7c2e6da5aef88d8e9d3de89d331e9e356a232289f9b37ce4503894
SHA512

9d6d4486b980ffe0eaa5e0965d5654ae2d7b8543a57af8e7551057f5196d466910d67d28fcc6ad58c0f0be7b287a9d8778dc8b806e5c7d2cdb65639ca2f6059a
SSDEEP

6291456:DX2n2dcwAeqTIR74ymiU97EOpR1gSDzCE1S3yFF1tpUQ2zc1:iacw6srmiU9YCxz1yy/+c1

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
2236	PowerToysSetup-0.73.0-x64.exe

Loads dropped DLL 1 IoCs

pid	Process
2236	PowerToysSetup-0.73.0-x64.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 2236	1104	PowerToysSetup-0.73.0-x64.exe	89
PID 1104 wrote to memory of 2236	1104	PowerToysSetup-0.73.0-x64.exe	89
PID 1104 wrote to memory of 2236	1104	PowerToysSetup-0.73.0-x64.exe	89

C:\Users\Admin\AppData\Local\Temp\PowerToysSetup-0.73.0-x64.exe
"C:\Users\Admin\AppData\Local\Temp\PowerToysSetup-0.73.0-x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\Temp\{C2CCCC9A-AA41-4A0D-B7F0-F1F5F86CC052}\.cr\PowerToysSetup-0.73.0-x64.exe
  "C:\Windows\Temp\{C2CCCC9A-AA41-4A0D-B7F0-F1F5F86CC052}\.cr\PowerToysSetup-0.73.0-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\PowerToysSetup-0.73.0-x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{C2CCCC9A-AA41-4A0D-B7F0-F1F5F86CC052}\.cr\PowerToysSetup-0.73.0-x64.exe

Filesize
646KB

MD5
951fef3a83cbb916d5f52cae3039ec14

SHA1
551499324100792e63237e99c89bcd43386175d0

SHA256
ec8994cff865e3f686131657e6b41bc644a3a1d01929cbbc819a81ade3355b73

SHA512
0c457044a26bebc3d0ca0defe7f0ed0e94b66ff35a1c1eb3abc2c1aed634ecce919b601be112cde1fcb7b58e4e380c52a41c2b6387d8411365c9232ac0c5d587

Download Submit
C:\Windows\Temp\{C2CCCC9A-AA41-4A0D-B7F0-F1F5F86CC052}\.cr\PowerToysSetup-0.73.0-x64.exe

Filesize
646KB

MD5
951fef3a83cbb916d5f52cae3039ec14

SHA1
551499324100792e63237e99c89bcd43386175d0

SHA256
ec8994cff865e3f686131657e6b41bc644a3a1d01929cbbc819a81ade3355b73

SHA512
0c457044a26bebc3d0ca0defe7f0ed0e94b66ff35a1c1eb3abc2c1aed634ecce919b601be112cde1fcb7b58e4e380c52a41c2b6387d8411365c9232ac0c5d587

Download Submit
C:\Windows\Temp\{ECF2AFEB-560A-429B-874D-AFBE4BCCF952}\.ba\logo.png

Filesize
1KB

MD5
807f899993da55765b3615a73a708862

SHA1
aaba81806befe73710116a477fd58634755d0f57

SHA256
d0f67d8dc4405840bbdef2ef78eed38db08739a773112f16d9edc2cec5f2daca

SHA512
394aa7e4d929fac4264a8d9e3fb2066e879a8d58d1709b838b8c00ac044265f8f6a1c2647f15e3e10e031b03af7581e89150527c95cf5376be1b193ad17a0525

Download Submit
C:\Windows\Temp\{ECF2AFEB-560A-429B-874D-AFBE4BCCF952}\.ba\wixstdba.dll

Filesize
203KB

MD5
0ba387d66175c20452de372f8dbb79fe

SHA1
5411d41a7d88291b97fb9573eb6448c72e773b70

SHA256
7b3d4a22a56cd80f19c48a321f978f728d34b8227cdc7fcadeb76b7506b2bb33

SHA512
13ec6e6ddc602e8053aadd4dd84ed87c23b581f2a41d738e32a522128ca4985dcfcaedc7fab192085f0eb4facd1cd7ad91ccaf8505491e29288d2f66cbf705fd

Download Submit