Analysis

  • max time kernel: 121s
  • max time network: 129s
  • platform: windows7_x64
  • resource: win7-20240419-en
  • resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted: 28/05/2024, 01:16

General

  • Target: 2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe
  • Size: 716KB
  • MD5: fa790327ca1413ab85708fb09b72c1d7
  • SHA1: 9d9cdc23d5ad96598d30827aa58ae91303be29a6
  • SHA256: 2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358
  • SHA512: de39baf903be92d18afb7fcb4774afcbf9d6a08b504244780233d93db3d9e6e8016946ccb558a6e579a2f5c27ce9786522dd556727713fb777cc31bf86d07749
  • SSDEEP: 12288:dmJWW3Jyn42NxWXD+VBK/DEFPlgVH+XcbBDT1YQrk3UfbzM8LaB4Henbr:oJWW2WXD+VBcDEFPyH+MbBDT1YQGWb3g

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 17 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe
    "C:\Users\Admin\AppData\Local\Temp\2e148bf19d0d30ceec10222dd69857bbaebf04d96040e3c8c043ffaa4a3bb358.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Users\Admin\AppData\Local\Temp\dotnet-installer.exe
      "C:\Users\Admin\AppData\Local\Temp\dotnet-installer.exe" /quiet /install /norestart
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\Temp\{D13296E9-748F-493C-9E93-0E6C0C496B0F}\.cr\dotnet-installer.exe
        "C:\Windows\Temp\{D13296E9-748F-493C-9E93-0E6C0C496B0F}\.cr\dotnet-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\dotnet-installer.exe" -burn.filehandle.attached=388 -burn.filehandle.self=392 /quiet /install /norestart
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\Temp\{8CA52EEE-1748-4170-A961-49B44593F46B}\.be\windowsdesktop-runtime-7.0.19-win-x64.exe
          "C:\Windows\Temp\{8CA52EEE-1748-4170-A961-49B44593F46B}\.be\windowsdesktop-runtime-7.0.19-win-x64.exe" -q -burn.elevated BurnPipe.{F98130B5-0613-4745-BFA9-2DB9E74B9E78} {FCAD0112-982F-4EA7-BD1F-E1A82311615E} 2756
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          PID:2092
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 488
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:348

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\Temp\{8CA52EEE-1748-4170-A961-49B44593F46B}\.ba\bg.png
          Filesize: 4KB
          MD5: 9eb0320dfbf2bd541e6a55c01ddc9f20
          SHA1: eb282a66d29594346531b1ff886d455e1dcd6d99
          SHA256: 9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
          SHA512: 9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

        • C:\Windows\Temp\{D13296E9-748F-493C-9E93-0E6C0C496B0F}\.cr\dotnet-installer.exe
          Filesize: 629KB
          MD5: 10c900a36259308da255d4f4c5541851
          SHA1: a981c65b02cbd9ba78789ac12ae8e5960c105972
          SHA256: c21f203974dc618614214ff90f87a2ad08e1235ade5042b4ab17744c4aa78c5f
          SHA512: 47cfe61b75506dbb4c34453a1cf64f4f11b41cbb01752ea53d76b156a33b6a8f2d40ccb77e05dc4318e77b7bce2b78c797cb049f5a86e3fe9cce9ced572023e4

        • \Windows\Temp\{8CA52EEE-1748-4170-A961-49B44593F46B}\.ba\wixstdba.dll
          Filesize: 205KB
          MD5: 87c8a7ea44e8ee0d9358e25b7dcd397d
          SHA1: 0e2021be823fee499175d2c0d68346d15c02a376
          SHA256: b7de0a0ca3a94738747abd708e30ba1f9638a8c8b7d8173c76d4f39fae3d9346
          SHA512: 98b5bbe5bb3ec331a0025e3da209296050b2f695be5a4b90b5c939f8fbbaada6dd93483eba779c10151546c2798aab5282fa619a55ec0cf04f56a03795a0a3f5

        • memory/2452-0-0x0000000000B10000-0x0000000000BCA000-memory.dmp
          Filesize: 744KB