fdd2551696ea2f0d3ee85b0087e43056cc976055be13977c9ece574a11704cfe

Analysis

max time kernel
77s
max time network
98s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
08-06-2024 17:19

Target

install_all/dotnet-sdk-6.0.422-win-x86.exe
Size

180.4MB
MD5

68ba679487efcb78d37ed2e7c52af792
SHA1

a00fc102f990160127a85ffd765377b3a224e92b
SHA256

16f9285f7e75b034c50be458f6125f7c7d31ff53cedcaf992ff17daf6176b3ca
SHA512

fe6071783482f49ab544d988faa2264603e2d70ab24430fb7ce1a73ded222caed6e869826ae23da5f2b3bf2df12791399236961aad7ca1be2ec07d9ca610102a
SSDEEP

3145728:7QVpHVmRJBTYl1f2OLWUkit1onlRTSQjfgGz3vNJpWgfTjCRj5D1xKg:7q9VAH61f2OqUkciRTT75haRj5D1sg

Score

4^/10

discovery

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Executes dropped EXE 1 IoCs

Processes:

dotnet-sdk-6.0.422-win-x86.exe

pid process

2232 dotnet-sdk-6.0.422-win-x86.exe
Loads dropped DLL 1 IoCs

Processes:

dotnet-sdk-6.0.422-win-x86.exe

pid process

2232 dotnet-sdk-6.0.422-win-x86.exe

pid	process
2232	dotnet-sdk-6.0.422-win-x86.exe

pid	process
2232	dotnet-sdk-6.0.422-win-x86.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

dotnet-sdk-6.0.422-win-x86.exe

description	pid	process	target process
PID 236 wrote to memory of 2232	236	dotnet-sdk-6.0.422-win-x86.exe	dotnet-sdk-6.0.422-win-x86.exe
PID 236 wrote to memory of 2232	236	dotnet-sdk-6.0.422-win-x86.exe	dotnet-sdk-6.0.422-win-x86.exe
PID 236 wrote to memory of 2232	236	dotnet-sdk-6.0.422-win-x86.exe	dotnet-sdk-6.0.422-win-x86.exe

C:\Users\Admin\AppData\Local\Temp\install_all\dotnet-sdk-6.0.422-win-x86.exe
"C:\Users\Admin\AppData\Local\Temp\install_all\dotnet-sdk-6.0.422-win-x86.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:236

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\Temp\{17B95D9F-C41B-4527-A568-839989F5C867}\.cr\dotnet-sdk-6.0.422-win-x86.exe

Filesize
610KB

MD5
c5d9144feca71e67cd5701da013e5f82

SHA1
67167ed0c224e1a794b2aa287c34dbda22ba52cd

SHA256
077f1a0faa09f09ea55cfea013ef29d5e59e0b90a8d591102f9cd96e5cbe4ebe

SHA512
f8bd1d638b4eaf9c45206bfa46e89f7a43a64ccaae44829d63e1e56a2023ab530f3c7777eb2fd896f599912f43111132641ba1ab45adf12ac3c19f691e2465c1

Download Submit
C:\Windows\Temp\{C41F3E64-FA88-4847-A076-A807D4AD8ED7}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
C:\Windows\Temp\{C41F3E64-FA88-4847-A076-A807D4AD8ED7}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit