eed3682106a52740f17f27bfb177acb0ee88888096f93af0c14a2d5ae52e9e1d

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UEPrereqSetup_x64.exe
Size

48.0MB
MD5

0770b62d856e784f932d2938cd4bb902
SHA1

b2c028220476431228e5b8e223ef2c3f72746bcb
SHA256

48f5444f4bac99500b996cf7138bd14c11e34a049f61bec801e72445fe8b44ec
SHA512

dc55cce33f3f8ecac2870b4699c2cb090f59fc782d46aef12e0cd5fcbda6d46b812bd14ccd0162013eef5c4444deab33e3bbbc34e81b5cdbe6eb223fc1296721
SSDEEP

786432:D/bdC1Q6cdW2xTDUANjtdoTtwe/UUjwirV6po5O5wnbKJO56XN4yfQSyABGO1:L5xTLNjtdoTtd/djwiB6po5UwnbSOMeY

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Loads dropped DLL 1 IoCs

pid	Process
2720	UEPrereqSetup_x64.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2720	1280	UEPrereqSetup_x64.exe	28
PID 1280 wrote to memory of 2720	1280	UEPrereqSetup_x64.exe	28
PID 1280 wrote to memory of 2720	1280	UEPrereqSetup_x64.exe	28
PID 1280 wrote to memory of 2720	1280	UEPrereqSetup_x64.exe	28
PID 1280 wrote to memory of 2720	1280	UEPrereqSetup_x64.exe	28
PID 1280 wrote to memory of 2720	1280	UEPrereqSetup_x64.exe	28
PID 1280 wrote to memory of 2720	1280	UEPrereqSetup_x64.exe	28

C:\Users\Admin\AppData\Local\Temp\UEPrereqSetup_x64.exe
"C:\Users\Admin\AppData\Local\Temp\UEPrereqSetup_x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\UEPrereqSetup_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\UEPrereqSetup_x64.exe" -burn.unelevated BurnPipe.{B8FF433B-9788-4053-8F7B-D7120DFB7D0C} {3E2501B2-9FAC-4909-81E7-96CBDBD3A433} 1280
  2⤵
  - Loads dropped DLL
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{aad8a4b2-74da-409d-abb6-79a299008692}\.ba1\Banner.bmp

Filesize
123KB

MD5
87300b4c1b1d79f75e3c406043d73acb

SHA1
de7ed5119f1caf8d11d30810c28031b37d1485aa

SHA256
b76bbf9f7b8da4ca886f3b97d7db00ab1d38a9bb3b9567f4e1c3e30203098add

SHA512
1d482404dcbcb3326e0efa4cdf46253be374f83d5c0f1051c15d4b1625b4e1e61adf017d037f8f4cc643e205be657cf5cc4edeb566f7eb44a89729ee050280da

Download Submit
C:\Users\Admin\AppData\Local\Temp\{aad8a4b2-74da-409d-abb6-79a299008692}\.ba1\LogoSide.png

Filesize
6KB

MD5
702684ff196740ebaedb34beca30346f

SHA1
1f3af4bdac42b973b05dc121fc00c804aa3c28ec

SHA256
988c657d1cc77aceb4804c5217bf756eaa2b4defcb4d03f47aea83ccda3d3672

SHA512
ff4eec96f733ed32280123f5a6bff4a488eab4586a9740416125ceef1b4e1ce85dddb4524589111d1c6c57fb9d561a3586b637f8b17e8ff8dd2bf736b484b676

Download Submit
\Users\Admin\AppData\Local\Temp\{aad8a4b2-74da-409d-abb6-79a299008692}\.ba1\wixstdba.dll

Filesize
135KB

MD5
36b53c5299a3b39e5c9cdbbd28a09506

SHA1
9f4c767ef7ea887a88a698bcd66e4ba691e1c17a

SHA256
97f1901e7c928b9231e503cd3a1315f0d8449356b9f25e7eb4c2cebeee72012a

SHA512
af4c7cea8bebe0f125b59eed11fa0053178dd546784f68ad7a642eb128ed0d05dd6ccfe685b912381b61becf9c336dcbbc8c4ce56884a511f3f0a69826d8de83

Download Submit