258c713562b0b18b8572a3d23c83d338b4c5cdb5fb421e47b78475ddd2cf7c06

Analysis

max time kernel
306s
max time network
323s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/dotnet-WindowsDesktop-x64.exe
Size

54.6MB
MD5

d6d5ec50cc606d19651cd3e69911a51f
SHA1

f45ba5596de84abef7b3ec4857a6b4e9f2f4b92b
SHA256

1002a385738783d1a4594e84b95d01fd241536ab7a1fd4f99b1ee13f49f6db9d
SHA512

8927e3bcda1f439af84af0cb41fefc38c4386297eb463ddc7dd835d98502e63e0ba06a0732b02939a981644d8afad1d77036b6ac38d348c1cd29cf691cb80da7
SSDEEP

1572864:kfIbCsGSR84vql2mQw19ECV7YyVuunDzuslEQz6flmTq:MN4vqluw15Vsy4+Dfh6f4u

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
5088	dotnet-WindowsDesktop-x64.exe

Loads dropped DLL 1 IoCs

pid	Process
5088	dotnet-WindowsDesktop-x64.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 5088	3108	dotnet-WindowsDesktop-x64.exe	90
PID 3108 wrote to memory of 5088	3108	dotnet-WindowsDesktop-x64.exe	90
PID 3108 wrote to memory of 5088	3108	dotnet-WindowsDesktop-x64.exe	90

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dotnet-WindowsDesktop-x64.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dotnet-WindowsDesktop-x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\Temp\{8CF9CA6C-EAD7-4DF1-9DDA-11BBACC1117A}\.cr\dotnet-WindowsDesktop-x64.exe
  "C:\Windows\Temp\{8CF9CA6C-EAD7-4DF1-9DDA-11BBACC1117A}\.cr\dotnet-WindowsDesktop-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dotnet-WindowsDesktop-x64.exe" -burn.filehandle.attached=548 -burn.filehandle.self=544
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{8CF9CA6C-EAD7-4DF1-9DDA-11BBACC1117A}\.cr\dotnet-WindowsDesktop-x64.exe

Filesize
610KB

MD5
6c8ed77c12655d3f2b2f4df125e6c821

SHA1
cc9ef970080404cf483de035a94b2cab665081f6

SHA256
07283c73776c39ccd007064ee573ba5f35db0e6d70b8194a94ff7c0b663d6203

SHA512
ea522f076cd6f060636f2a3f04d954633b595768b229650abd3e8fdc9b59f4762793aa18cecc8fa133e3ff02e72b70e457782c58917079edc6df9ae19b401193

Download Submit
C:\Windows\Temp\{9C120A0B-913F-4E1E-B6CB-5EBE262060D1}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
C:\Windows\Temp\{9C120A0B-913F-4E1E-B6CB-5EBE262060D1}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit