Analysis
-
max time kernel
121s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
28/05/2024, 01:16
Static task
static1
Behavioral task
behavioral1
Sample
2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe
Resource
win10v2004-20240508-en
General
-
Target
2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe
-
Size
716KB
-
MD5
fa790327ca1413ab85708fb09b72c1d7
-
SHA1
9d9cdc23d5ad96598d30827aa58ae91303be29a6
-
SHA256
2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358
-
SHA512
de39baf903be92d18afb7fcb4774afcbf9d6a08b504244780233d93db3d9e6e8016946ccb558a6e579a2f5c27ce9786522dd556727713fb777cc31bf86d07749
-
SSDEEP
12288:dmJWW3Jyn42NxWXD+VBK/DEFPlgVH+XcbBDT1YQrk3UfbzM8LaB4Henbr:oJWW2WXD+VBcDEFPyH+MbBDT1YQGWb3g
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
pid Process 2632 dotnet-installer.exe 2756 dotnet-installer.exe 2092 windowsdesktop-runtime-7.0.19-win-x64.exe -
Loads dropped DLL 17 IoCs
pid Process 2452 2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe 2632 dotnet-installer.exe 2632 dotnet-installer.exe 2632 dotnet-installer.exe 2756 dotnet-installer.exe 2756 dotnet-installer.exe 2756 dotnet-installer.exe 2756 dotnet-installer.exe 2092 windowsdesktop-runtime-7.0.19-win-x64.exe 2092 windowsdesktop-runtime-7.0.19-win-x64.exe 348 WerFault.exe 348 WerFault.exe 348 WerFault.exe 348 WerFault.exe 348 WerFault.exe 348 WerFault.exe 348 WerFault.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{4c11c0c6-3e72-4029-8002-bdf76a0237ee} = "\"C:\\ProgramData\\Package Cache\\{4c11c0c6-3e72-4029-8002-bdf76a0237ee}\\windowsdesktop-runtime-7.0.19-win-x64.exe\" /burn.runonce" windowsdesktop-runtime-7.0.19-win-x64.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.19 (x64).swidtag windowsdesktop-runtime-7.0.19-win-x64.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\WindowsUpdate.log windowsdesktop-runtime-7.0.19-win-x64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 348 2756 WerFault.exe 30 -
Modifies registry class 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{4c11c0c6-3e72-4029-8002-bdf76a0237ee}\ = "{4c11c0c6-3e72-4029-8002-bdf76a0237ee}" windowsdesktop-runtime-7.0.19-win-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{4c11c0c6-3e72-4029-8002-bdf76a0237ee}\Version = "7.0.19.33616" windowsdesktop-runtime-7.0.19-win-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{4c11c0c6-3e72-4029-8002-bdf76a0237ee}\DisplayName = "Microsoft Windows Desktop Runtime - 7.0.19 (x64)" windowsdesktop-runtime-7.0.19-win-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{4c11c0c6-3e72-4029-8002-bdf76a0237ee}\Dependents\{4c11c0c6-3e72-4029-8002-bdf76a0237ee} windowsdesktop-runtime-7.0.19-win-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{4c11c0c6-3e72-4029-8002-bdf76a0237ee}\Dependents windowsdesktop-runtime-7.0.19-win-x64.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{4c11c0c6-3e72-4029-8002-bdf76a0237ee} windowsdesktop-runtime-7.0.19-win-x64.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde 2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2452 2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2452 wrote to memory of 2632 2452 2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe 29 PID 2452 wrote to memory of 2632 2452 2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe 29 PID 2452 wrote to memory of 2632 2452 2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe 29 PID 2452 wrote to memory of 2632 2452 2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe 29 PID 2452 wrote to memory of 2632 2452 2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe 29 PID 2452 wrote to memory of 2632 2452 2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe 29 PID 2452 wrote to memory of 2632 2452 2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe 29 PID 2632 wrote to memory of 2756 2632 dotnet-installer.exe 30 PID 2632 wrote to memory of 2756 2632 dotnet-installer.exe 30 PID 2632 wrote to memory of 2756 2632 dotnet-installer.exe 30 PID 2632 wrote to memory of 2756 2632 dotnet-installer.exe 30 PID 2632 wrote to memory of 2756 2632 dotnet-installer.exe 30 PID 2632 wrote to memory of 2756 2632 dotnet-installer.exe 30 PID 2632 wrote to memory of 2756 2632 dotnet-installer.exe 30 PID 2756 wrote to memory of 2092 2756 dotnet-installer.exe 31 PID 2756 wrote to memory of 2092 2756 dotnet-installer.exe 31 PID 2756 wrote to memory of 2092 2756 dotnet-installer.exe 31 PID 2756 wrote to memory of 2092 2756 dotnet-installer.exe 31 PID 2756 wrote to memory of 2092 2756 dotnet-installer.exe 31 PID 2756 wrote to memory of 2092 2756 dotnet-installer.exe 31 PID 2756 wrote to memory of 2092 2756 dotnet-installer.exe 31 PID 2756 wrote to memory of 348 2756 dotnet-installer.exe 32 PID 2756 wrote to memory of 348 2756 dotnet-installer.exe 32 PID 2756 wrote to memory of 348 2756 dotnet-installer.exe 32 PID 2756 wrote to memory of 348 2756 dotnet-installer.exe 32 PID 2756 wrote to memory of 348 2756 dotnet-installer.exe 32 PID 2756 wrote to memory of 348 2756 dotnet-installer.exe 32 PID 2756 wrote to memory of 348 2756 dotnet-installer.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe"C:\Users\Admin\AppData\Local\Temp\2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe"1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\dotnet-installer.exe"C:\Users\Admin\AppData\Local\Temp\dotnet-installer.exe" /quiet /install /norestart2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\Temp\{D13296E9-748F-493C-9E93-0E6C0C496B0F}\.cr\dotnet-installer.exe"C:\Windows\Temp\{D13296E9-748F-493C-9E93-0E6C0C496B0F}\.cr\dotnet-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\dotnet-installer.exe" -burn.filehandle.attached=388 -burn.filehandle.self=392 /quiet /install /norestart3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\Temp\{8CA52EEE-1748-4170-A961-49B44593F46B}\.be\windowsdesktop-runtime-7.0.19-win-x64.exe"C:\Windows\Temp\{8CA52EEE-1748-4170-A961-49B44593F46B}\.be\windowsdesktop-runtime-7.0.19-win-x64.exe" -q -burn.elevated BurnPipe.{F98130B5-0613-4745-BFA9-2DB9E74B9E78} {FCAD0112-982F-4EA7-BD1F-E1A82311615E} 27564⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:2092
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 4884⤵
- Loads dropped DLL
- Program crash
PID:348
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD59eb0320dfbf2bd541e6a55c01ddc9f20
SHA1eb282a66d29594346531b1ff886d455e1dcd6d99
SHA2569095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA5129ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d
-
Filesize
629KB
MD510c900a36259308da255d4f4c5541851
SHA1a981c65b02cbd9ba78789ac12ae8e5960c105972
SHA256c21f203974dc618614214ff90f87a2ad08e1235ade5042b4ab17744c4aa78c5f
SHA51247cfe61b75506dbb4c34453a1cf64f4f11b41cbb01752ea53d76b156a33b6a8f2d40ccb77e05dc4318e77b7bce2b78c797cb049f5a86e3fe9cce9ced572023e4
-
Filesize
205KB
MD587c8a7ea44e8ee0d9358e25b7dcd397d
SHA10e2021be823fee499175d2c0d68346d15c02a376
SHA256b7de0a0ca3a94738747abd708e30ba1f9638a8c8b7d8173c76d4f39fae3d9346
SHA51298b5bbe5bb3ec331a0025e3da209296050b2f695be5a4b90b5c939f8fbbaada6dd93483eba779c10151546c2798aab5282fa619a55ec0cf04f56a03795a0a3f5