126da8120849613fd9c88b37256486b37fd100158846bc05e651dd053634ecfe

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20231215-es
resource tags

arch:x64arch:x86image:win7-20231215-eslocale:es-esos:windows7-x64systemwindows
submitted
28-01-2024 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windowsdesktop-runtime-7.0.0-win-x64.exe
Size

55.1MB
MD5

8b02b04923c939303fce12a432e3aaa4
SHA1

db56882d3263c9e533ea7003d018cb7d65f11c10
SHA256

126da8120849613fd9c88b37256486b37fd100158846bc05e651dd053634ecfe
SHA512

e6281f475a58c8dc7b103d0cfd895e0f27235e25731b473514c82b77d8e555ea294f66ab3e119c5fd38c5a8f18b4a4d8508938d7cff70ab2186b47417349ea1e
SSDEEP

1572864:76lpywV27GnD1F2Yy4n9kWBrmRsnTUsQUyR0j0g/E:Wz273YNCWBGsAsTyR0gf

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2052	windowsdesktop-runtime-7.0.0-win-x64.exe

Loads dropped DLL 2 IoCs

pid	Process
2464	windowsdesktop-runtime-7.0.0-win-x64.exe
2052	windowsdesktop-runtime-7.0.0-win-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2052	2464	windowsdesktop-runtime-7.0.0-win-x64.exe	28
PID 2464 wrote to memory of 2052	2464	windowsdesktop-runtime-7.0.0-win-x64.exe	28
PID 2464 wrote to memory of 2052	2464	windowsdesktop-runtime-7.0.0-win-x64.exe	28
PID 2464 wrote to memory of 2052	2464	windowsdesktop-runtime-7.0.0-win-x64.exe	28
PID 2464 wrote to memory of 2052	2464	windowsdesktop-runtime-7.0.0-win-x64.exe	28
PID 2464 wrote to memory of 2052	2464	windowsdesktop-runtime-7.0.0-win-x64.exe	28
PID 2464 wrote to memory of 2052	2464	windowsdesktop-runtime-7.0.0-win-x64.exe	28

C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.0-win-x64.exe
"C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.0-win-x64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\Temp\{056D8532-0678-475B-B620-798AA43FA9E2}\.cr\windowsdesktop-runtime-7.0.0-win-x64.exe
  "C:\Windows\Temp\{056D8532-0678-475B-B620-798AA43FA9E2}\.cr\windowsdesktop-runtime-7.0.0-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.0-win-x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{0BE6704E-434E-476D-8F68-F394B3F1480D}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
\Windows\Temp\{056D8532-0678-475B-B620-798AA43FA9E2}\.cr\windowsdesktop-runtime-7.0.0-win-x64.exe

Filesize
610KB

MD5
2f3c0c475e5482f29856b4581cc0aec0

SHA1
0993859b58412d869d3698fe5d71efb401466901

SHA256
21629bb67fc580f38b2a139489e347ba53674b08cf6d16052a832396ed1a1ca4

SHA512
2d6bbbbf7322a04f729edcfc2831e5b78a5f3b89590476f4a439ee5f4e47ff0efeaaaf02a678b0c78824c218d12ed4f83c5f7ba43b61bb6a5395dbba8b31aee9

Download Submit
\Windows\Temp\{0BE6704E-434E-476D-8F68-F394B3F1480D}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit