e9acc07552dbe74d9c5cff9975f00ae94a1f0ccb10ec2639e9b7cf43445eee50

Analysis

max time kernel
93s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a41ebdd51f5ee483a785aa317e31c5d2.exe
Size

3.6MB
MD5

a41ebdd51f5ee483a785aa317e31c5d2
SHA1

7b921ee091ea6a74588f7fdde8847ab6d655993b
SHA256

e9acc07552dbe74d9c5cff9975f00ae94a1f0ccb10ec2639e9b7cf43445eee50
SHA512

a544b85097fc440289a9e1e38f4f094088237216ab747e5ac3ce82e7b6327fd398a014dc4d861ca0244590c8b866c74d64d6df289daaf49e226bbc40d2c5e924
SSDEEP

98304:++f+l4qYXObTpGid7WxtS0qhBepyq3njgiJxV0ko1p1B6G6Houx:8tYXaTAidixlqmp5Ei2kUpqH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4328	cheryl-burke-screensaver.exe_tmp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Cheryl Burke Sexy Screensaver Uninstaller.exe	a41ebdd51f5ee483a785aa317e31c5d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 4328	648	a41ebdd51f5ee483a785aa317e31c5d2.exe	88
PID 648 wrote to memory of 4328	648	a41ebdd51f5ee483a785aa317e31c5d2.exe	88
PID 648 wrote to memory of 4328	648	a41ebdd51f5ee483a785aa317e31c5d2.exe	88

C:\Users\Admin\AppData\Local\Temp\a41ebdd51f5ee483a785aa317e31c5d2.exe
"C:\Users\Admin\AppData\Local\Temp\a41ebdd51f5ee483a785aa317e31c5d2.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:648
- C:\Users\Admin\AppData\Local\Temp\inst240595890\installer\cheryl-burke-screensaver.exe_tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\inst240595890\installer\cheryl-burke-screensaver.exe_tmp.exe"
  2⤵
  - Executes dropped EXE
  PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\inst240595890\installer\cheryl-burke-screensaver.exe_tmp.exe

Filesize
2.9MB

MD5
dff8fb3f9ee04d442855880b86ee8ffe

SHA1
3d75245e8eca8171c5da42d097db142d88546489

SHA256
b753df554e19e1ffb24e1de56f4e036ef4b16069a599fe0df1beaa9e56781fb0

SHA512
f654e930707c56e121f08cdbc836aefb3d09bf0b6a5defab9c85be94674479e4f0a4bf441cbb9dea06684089df7dca152d432b68d336e657a9b603914b93dae0

Download Submit