120b1cefc94d76ec593a61d717bbb2e12af195d19e04c811f519d3f9b9b3b5c0

Resubmissions

28/02/2024, 03:17

240228-ds1rqshh8s 10

28/02/2024, 03:01

240228-dh1nzshf9x 4

28/02/2024, 02:39

240228-c5sq8ahd97 6

Analysis

max time kernel
31s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PowerToysUserSetup-0.78.0-x64.exe
Size

249.8MB
MD5

aa98e52c780c510c6d7a7eef1859cb4e
SHA1

da888750065c08be20312e643782a9b1255e7eb4
SHA256

120b1cefc94d76ec593a61d717bbb2e12af195d19e04c811f519d3f9b9b3b5c0
SHA512

1adee598c5c6ef32acfef1343e404dfe0f82fe7f02bde851236006748d9116e8e848e8ce120de811bf2085029635ffd8a70c923574666791f3ef6dc8010e85e3
SSDEEP

6291456:Yan+LwMs9L55ZETFxAVHpn0XXTC2XNBgRAEnY2pnHFQ8/C5kX3hXMXuMWA:Yls53uIVJn0XG28bYmn2ookXyoA

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
1656	PowerToysUserSetup-0.78.0-x64.exe

Loads dropped DLL 1 IoCs

pid	Process
1656	PowerToysUserSetup-0.78.0-x64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1656	PowerToysUserSetup-0.78.0-x64.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 1656	4768	PowerToysUserSetup-0.78.0-x64.exe	92
PID 4768 wrote to memory of 1656	4768	PowerToysUserSetup-0.78.0-x64.exe	92
PID 4768 wrote to memory of 1656	4768	PowerToysUserSetup-0.78.0-x64.exe	92

C:\Users\Admin\AppData\Local\Temp\PowerToysUserSetup-0.78.0-x64.exe
"C:\Users\Admin\AppData\Local\Temp\PowerToysUserSetup-0.78.0-x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\Temp\{C1FB1650-782A-4496-8DBE-7D8F00DFF796}\.cr\PowerToysUserSetup-0.78.0-x64.exe
  "C:\Windows\Temp\{C1FB1650-782A-4496-8DBE-7D8F00DFF796}\.cr\PowerToysUserSetup-0.78.0-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\PowerToysUserSetup-0.78.0-x64.exe" -burn.filehandle.attached=536 -burn.filehandle.self=544
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{8667B7A0-CFD0-4FF0-A567-EB113734EA81}\.ba\logo.png

Filesize
1KB

MD5
807f899993da55765b3615a73a708862

SHA1
aaba81806befe73710116a477fd58634755d0f57

SHA256
d0f67d8dc4405840bbdef2ef78eed38db08739a773112f16d9edc2cec5f2daca

SHA512
394aa7e4d929fac4264a8d9e3fb2066e879a8d58d1709b838b8c00ac044265f8f6a1c2647f15e3e10e031b03af7581e89150527c95cf5376be1b193ad17a0525

Download Submit
C:\Windows\Temp\{8667B7A0-CFD0-4FF0-A567-EB113734EA81}\.ba\wixstdba.dll

Filesize
203KB

MD5
0ba387d66175c20452de372f8dbb79fe

SHA1
5411d41a7d88291b97fb9573eb6448c72e773b70

SHA256
7b3d4a22a56cd80f19c48a321f978f728d34b8227cdc7fcadeb76b7506b2bb33

SHA512
13ec6e6ddc602e8053aadd4dd84ed87c23b581f2a41d738e32a522128ca4985dcfcaedc7fab192085f0eb4facd1cd7ad91ccaf8505491e29288d2f66cbf705fd

Download Submit
C:\Windows\Temp\{C1FB1650-782A-4496-8DBE-7D8F00DFF796}\.cr\PowerToysUserSetup-0.78.0-x64.exe

Filesize
646KB

MD5
d24fe4694e138b86d57ec179e2dfcd9c

SHA1
ce0572380ae3ab9332f238b00d2087e9c13ffa5c

SHA256
0c56f5d7fa7ef810567cfbe69b1368ffbad4dea15adff27244799264a0be3f6c

SHA512
402ff5e07cbeb4d6650a9c445991421cedb173f9049c79c3649de19f18dd6b7a80bf8bdce1182da895ac556381d9eaec149b77712f0fdc83f4a60a248afe7475

Download Submit