cf6b1344f9195283384cc2c842ba40045e26d1850e7df18c9f574c0a07c45e08

Resubmissions

28-02-2024 21:06

240228-zx1s7aea36 8

28-02-2024 20:57

240228-zrwmaadf8v 7

Analysis

max time kernel
204s
max time network
282s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
28-02-2024 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aescripts + aeplugins desktop apps (setup).exe
Size

119.8MB
MD5

bd8782f02bcc070b0404e7d4b678a435
SHA1

7ca804148531d32cc90ed4a3b076ebbd3704a7db
SHA256

cf6b1344f9195283384cc2c842ba40045e26d1850e7df18c9f574c0a07c45e08
SHA512

ac563d3150dfc11a52ca71025a8078c46038c5cc74a384762f189ba7ced63a82cfc2f637e814d56733dd67079e9075de84aae1cb5b47770d0bc200c05aadf57d
SSDEEP

3145728:hxBMDjAGasRNge3FTkC933TdaBSECIBcEykXSFDB:hHM91FkCV5QSECqWDB

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3836	aescripts + aeplugins desktop apps (setup).exe

Loads dropped DLL 1 IoCs

pid	Process
3836	aescripts + aeplugins desktop apps (setup).exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 3836	1432	aescripts + aeplugins desktop apps (setup).exe	76
PID 1432 wrote to memory of 3836	1432	aescripts + aeplugins desktop apps (setup).exe	76
PID 1432 wrote to memory of 3836	1432	aescripts + aeplugins desktop apps (setup).exe	76

C:\Users\Admin\AppData\Local\Temp\aescripts + aeplugins desktop apps (setup).exe
"C:\Users\Admin\AppData\Local\Temp\aescripts + aeplugins desktop apps (setup).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\Temp\{53086B61-97E5-4465-8408-EF85629D81CC}\.cr\aescripts + aeplugins desktop apps (setup).exe
  "C:\Windows\Temp\{53086B61-97E5-4465-8408-EF85629D81CC}\.cr\aescripts + aeplugins desktop apps (setup).exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\aescripts + aeplugins desktop apps (setup).exe" -burn.filehandle.attached=576 -burn.filehandle.self=572
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{53086B61-97E5-4465-8408-EF85629D81CC}\.cr\aescripts + aeplugins desktop apps (setup).exe

Filesize
726KB

MD5
be3411c24a6844a00c0a879dc9c18e4f

SHA1
072b70cb8e13f4ebb85f9e98e161fb4d3ffa9916

SHA256
7e75e3d8574a26e992fe368ea2bc946363361ca4e5f5ce532fb89484d075c31d

SHA512
44422af58ff7f6f44bef2db94bee59b3d8b6ee4c7696d450d3cad89a008ea9284855168fef25cef72c0b58f6b6da57cbef87aeb66c958868bf0b7693fa997282

Download Submit
C:\Windows\Temp\{5D8F8FC6-F132-4342-987A-BB3D37E8CD62}\.ba\logo.png

Filesize
10KB

MD5
5bf9c1b86daeac39abd41bc70915c0e7

SHA1
00df72ec24dc4de8ec2714779086ca89326d407b

SHA256
7ff8924db94cacb8efbcc03b32e2653b3a2bb622820ced258bab38a590d2457f

SHA512
907c389eb4fc6610e4bcd7130b4ce807666bd9355c589842886d325785b6b177d76589521f4d875e4132d423e79f044dcae5148a9686e5ecb6c9420348cbdf4b

Download Submit
C:\Windows\Temp\{5D8F8FC6-F132-4342-987A-BB3D37E8CD62}\.ba\manager.png

Filesize
12KB

MD5
5e0a6e846fff9b6a239644b5f4933290

SHA1
6feaea37689ca95ae47926fdf598e904f81a6d2c

SHA256
8a04f5e9476528b1da2bfcf4de410eda847cea4af2141c97655c44799cbb28f4

SHA512
60df60ea0480ff397a6b5bd693d4eb6dc50bb0193d09742f9875cd3d4e23c1fcbf6b9ba165e014f47729fd99497068c49ac6071e2e4c906fdef06d7c81a05373

Download Submit
C:\Windows\Temp\{5D8F8FC6-F132-4342-987A-BB3D37E8CD62}\.ba\wixstdba.dll

Filesize
184KB

MD5
fe7e0bd53f52e6630473c31299a49fdd

SHA1
f706f45768bfb95f4c96dfa0be36df57aa863898

SHA256
2bea14d70943a42d344e09b7c9de5562fa7e109946e1c615dd584da30d06cc80

SHA512
feed48286b1e182996a3664f0facdf42aae3692d3d938ea004350c85764db7a0bea996dfddf7a77149c0d4b8b776fb544e8b1ce5e9944086a5b1ed6a8a239a3c

Download Submit
C:\Windows\Temp\{5D8F8FC6-F132-4342-987A-BB3D37E8CD62}\.ba\zxpinstaller.png

Filesize
11KB

MD5
556130404bcc0a2d2dda274e4cce3ef9

SHA1
f4a4fc02b3cc5c1d27f507b37500039fc5980c46

SHA256
cc01853d04bc7eb24f8f3de516889bab3ec220d8a46cae10180a1c6673d0daa6

SHA512
803fde54dfa411cb29d82cd420438a0a42c5aa8fcd415439078d8848ed038068870d81eb2ef1c8f0a449e2a6e640e7df0f4c82ddf1fe094bc697c5c0896512ac

Download Submit