903464c6b3684fe7f4b0742c6b5805400da8af6c11635d8939c2f0f1e8df772a

Analysis

max time kernel
357s
max time network
365s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.Microsoft.PowerAutomate.exe
Size

321.5MB
MD5

3077e19dea0f42b6235a157b41931452
SHA1

79bd3bb61a8ba211229cf7c33b21275d293393a4
SHA256

903464c6b3684fe7f4b0742c6b5805400da8af6c11635d8939c2f0f1e8df772a
SHA512

b77a0798189bada660da791b71f7cd7845cb629cfbe131275f3d6bc451a090f4dae3222e8aca8f3ad3452ae363312a1814bcce826473dbb67808b5fdd2514201
SSDEEP

6291456:zEyzTRig27WSQcLHxLkt9Xi8bAzDLMt+D4IyQbFQ4tpGXQgpmbIT2pOimgF:zEyzTeQcLVKu4ADNp5pGAg0bITm7D

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
2112	Setup.Microsoft.PowerAutomate.exe

Loads dropped DLL 41 IoCs

pid	Process
1032	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2112	Setup.Microsoft.PowerAutomate.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2144	2112	WerFault.exe	28

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2112	1032	Setup.Microsoft.PowerAutomate.exe	28
PID 1032 wrote to memory of 2112	1032	Setup.Microsoft.PowerAutomate.exe	28
PID 1032 wrote to memory of 2112	1032	Setup.Microsoft.PowerAutomate.exe	28
PID 1032 wrote to memory of 2112	1032	Setup.Microsoft.PowerAutomate.exe	28
PID 1032 wrote to memory of 2112	1032	Setup.Microsoft.PowerAutomate.exe	28
PID 1032 wrote to memory of 2112	1032	Setup.Microsoft.PowerAutomate.exe	28
PID 1032 wrote to memory of 2112	1032	Setup.Microsoft.PowerAutomate.exe	28
PID 2112 wrote to memory of 2144	2112	Setup.Microsoft.PowerAutomate.exe	29
PID 2112 wrote to memory of 2144	2112	Setup.Microsoft.PowerAutomate.exe	29
PID 2112 wrote to memory of 2144	2112	Setup.Microsoft.PowerAutomate.exe	29
PID 2112 wrote to memory of 2144	2112	Setup.Microsoft.PowerAutomate.exe	29

C:\Users\Admin\AppData\Local\Temp\Setup.Microsoft.PowerAutomate.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.Microsoft.PowerAutomate.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\Temp\{42515ED7-10B9-4B6C-985B-D75CE8662DEF}\.cr\Setup.Microsoft.PowerAutomate.exe
  "C:\Windows\Temp\{42515ED7-10B9-4B6C-985B-D75CE8662DEF}\.cr\Setup.Microsoft.PowerAutomate.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\Setup.Microsoft.PowerAutomate.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1200
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{FD02EA72-320C-45A6-83A7-3DC24DA5325C}\.ba\BootstrapperCore.config

Filesize
4KB

MD5
bf71bd1a3adb957a13b48c3334a52f85

SHA1
b238c356372416c9f0d6eb6141b3b5ab6b615cbc

SHA256
8509fdc23d62aad12673792e6b2ba1f54fa3358fa1d0a635e70be3306830ec5e

SHA512
a8d7a53a7c63a5691a7d5e57f25c623563ffcea4fa5d8285cd7baa08214677eb39cff969fa1781785581449954e6d47db352bfb50192792ba9384417ea91e165

Download Submit
\Windows\Temp\{42515ED7-10B9-4B6C-985B-D75CE8662DEF}\.cr\Setup.Microsoft.PowerAutomate.exe

Filesize
28.8MB

MD5
a0950f664ad0e2a5cf5cb6ad003eb652

SHA1
58e41baaaeaefbfa35405b772857c6729fa24028

SHA256
bb4c7b80c826c0d5b0d9b09a5ae0fcc1d253f410a8e4c92383de2c947af23e8d

SHA512
23ddde26dd37025b5264dd9c3bd5f25369566ae3f3be7a2f05735b9ad76c9b9c3493b5e444fabbe65f2b0ba87affca10f259cc1dc6760618089d63d8bdd4a13d

Download Submit
\Windows\Temp\{FD02EA72-320C-45A6-83A7-3DC24DA5325C}\.ba\BootstrapperCore.dll

Filesize
80KB

MD5
c4f7146ddc56763ccdb1cb3c09478708

SHA1
bca088ab33cfb69adeae11a272e9c8a83f39a8c9

SHA256
886cb2a994461f091752fc7b21e3143c212efd8841c757909e74ac32761880da

SHA512
df2ca029e95f80fc5870e541db8b1d5a03266307bb5f7680ad630868a9a3c584b3a702fbec09c26fef7287c99f5d9d1f59cd59b74dcf740c9a8e7508e07d18b5

Download Submit
\Windows\Temp\{FD02EA72-320C-45A6-83A7-3DC24DA5325C}\.ba\Microsoft.ApplicationInsights.dll

Filesize
374KB

MD5
2c49fc09f76917193fbce9eff7024195

SHA1
c93e2888155c2dd06b4c325f44b27159295e2e8c

SHA256
bdc36f3e7c5a92c21e1d6ffd5b29cdfd453f10172c537bf7fe68e84545f6a8cf

SHA512
ff6c05d19c0c3b27dc2650a59f5ba67c2fc9a8d1b599ee46ae9577d022667720ccbaa29ef1220fbcc9ef44c4d31125fd512f0acb32b1ba40a8d50a7b30f7a6b6

Download Submit
\Windows\Temp\{FD02EA72-320C-45A6-83A7-3DC24DA5325C}\.ba\Microsoft.Flow.RPA.CommonConstants.dll

Filesize
32KB

MD5
c03f5d2826dcdf44f6fae4938a9f0a96

SHA1
3bf1aa08b5297c7e0c829387944647f2e4fb446a

SHA256
2b03122c43553fecf7b63ed4a7c0fbe59c6bef82e3f28bfd96bbf9e620ab00fc

SHA512
9af29c86852586d473ba2d03945574e3ea68be50f17f7b2ad5b1bf8cb344dc24217c65f06d6e75fb0eb89b3bf84b082c07162a82c725c3c20b95e63cd1d8cb94

Download Submit
\Windows\Temp\{FD02EA72-320C-45A6-83A7-3DC24DA5325C}\.ba\Microsoft.Flow.RPA.Desktop.Common.Structures.dll

Filesize
29KB

MD5
f4fefcc892159159022b312bb14f14eb

SHA1
3ca111cb20aec6af38587f140681ec9a21a48c69

SHA256
0723c256d11842cb8be1f9adfd8a54a2aa7962353f98a2a6dc4c3444b5f1493b

SHA512
be83c79006bf49e1457f37c6caaa66bf38fd1112361d18f9b7cce483bd6968ef4293e85ea239abf5c1d061c846ab2521beaa62422c18a7a4d9f3497a38f136e2

Download Submit
\Windows\Temp\{FD02EA72-320C-45A6-83A7-3DC24DA5325C}\.ba\Microsoft.Flow.RPA.Desktop.Shared.Telemetry.Instrumentation.dll

Filesize
154KB

MD5
7130338fdd69165ad219af5ca67a8e56

SHA1
c0a970ee5a0bcca3596d57c585e8b6288332be03

SHA256
eda4de0c10e124afbc6719bb02f4d32d53905ec1ca65abcf8643d0f633f7c857

SHA512
e547e69b5d443c51ffbff342c7c73491462554ba708f7b7347313598541270f4d5cd45590658c9209006b65ae24830b6645f50357b561f992b40fc901679d110

Download Submit
\Windows\Temp\{FD02EA72-320C-45A6-83A7-3DC24DA5325C}\.ba\Microsoft.Flow.RPA.Desktop.Shared.Telemetry.OneDS.dll

Filesize
44KB

MD5
b87678274e9a58f29eaaa01d83324b44

SHA1
2c4fd2f60df99e71833a9c5d9ce230ed2a0df989

SHA256
ed1d62b2adf4f75e781627190cc666ea69d71edc770037fa6ce94049fbdded9f

SHA512
cd81006d97e4e82bd0d09e1cb009fe777ac04e03712bfdc1fd1edd834bfa98aaedffdbcbdf198bb37d22572bd8a6a3566da8e48a46f14159dbdade2913706975

Download Submit
\Windows\Temp\{FD02EA72-320C-45A6-83A7-3DC24DA5325C}\.ba\Microsoft.Flow.RPA.InstallerUI.dll

Filesize
837KB

MD5
5b04a9619bd958dd27a9d23b9070a745

SHA1
bfbd09f19c1d420df7bc83cc2c54e0cfa4097510

SHA256
b17437024c8669da5be6d80a37a4c8940459948e2fc084ed581e00e784f5a0eb

SHA512
8af39de9f20daba586309ab5779fd88a984263f7c3c0c47917ad71fdc864b3dd324b8639a16b702dbe5573334273e833bcb8ba169e4e4bcc40b2d107f3f5d2e3

Download Submit
\Windows\Temp\{FD02EA72-320C-45A6-83A7-3DC24DA5325C}\.ba\Microsoft.Flow.RPA.Shared.Application.dll

Filesize
16KB

MD5
656b42dc7e53694dce349a6f9e08a79b

SHA1
978438b4239dd9566fb2ba3ed434e16bedb32c1f

SHA256
0af2a088be70b1b7f6bf1cb3063092ff1d087c120108eac70a3a9c89529c873c

SHA512
5272969af2ab97d79f078a643d40977bedc887ec7dd055660854a33ec23b4a3f66c3f0db845c3ee84377a368ba50cf3b230c79d07b9f40d58705d837f5b66027

Download Submit
\Windows\Temp\{FD02EA72-320C-45A6-83A7-3DC24DA5325C}\.ba\Microsoft.Flow.RPA.Shared.Data.dll

Filesize
120KB

MD5
87b25cecaa3109a0e750e162ee06511c

SHA1
c8b894ad702bbb0f5dac278cc6af25275d5ddbbc

SHA256
19c44bf9cd9905963caaa672a10a8703d94e86d40a5ed2cc2bc09ade934e8b03

SHA512
afb2feab64d5ffa6f6c0f8299d93d8973215651d7b1e5b621eb748f92e89ecb2a0b80ba988816603b41552f8e67252da9f435f82da311455df6a1b953d49cb37

Download Submit
\Windows\Temp\{FD02EA72-320C-45A6-83A7-3DC24DA5325C}\.ba\Microsoft.Flow.RPA.Shared.RemoteTelemetry.dll

Filesize
56KB

MD5
0a1bf5da9329d0427d5c64df05a8d774

SHA1
33656453a2b557a5d08f8a4a944e86da813310d7

SHA256
facee05d9e407334f65cebde1761f55e9ce331944c72cd9de5394e2a2b5c1622

SHA512
2f6caaae9509f676fc65ca18a4843d1719efe1ceddc70a6101778e48ffca31725f2e4b92ddacbf41fca272b4c2d31f77715df1e39ea3964c886a8e4d72aeee80

Download Submit
\Windows\Temp\{FD02EA72-320C-45A6-83A7-3DC24DA5325C}\.ba\Microsoft.Flow.RPA.Shared.System.dll

Filesize
43KB

MD5
f66d4020ef89821753071c1da50ea76d

SHA1
7690fac2c33f44aa4bd1ae9d9c9a51c82a9209d3

SHA256
4533458fa8aade059516508d8bfe5fcf29a4e5e285b7762defa01191afe19647

SHA512
55a7a51508f9c7b86fc88744db3b0d35489c486e768162440690b003b6f2a5a3b2e5b4bf10b921fc6a4a4e5498893882e3b3e1aac29abf7107cf3a1e01644ca3

Download Submit
\Windows\Temp\{FD02EA72-320C-45A6-83A7-3DC24DA5325C}\.ba\Microsoft.Flow.RPA.Shared.Telemetry.dll

Filesize
147KB

MD5
8b8c77620a2030b4016d2f42cbb8d19b

SHA1
074e91b8fa8e8e31fcbd96533803ebb2c957f2b0

SHA256
a0f1a0d5e54a24f413ca9c79311b92ccded84f360d280313546f61efe24c0068

SHA512
44e221a51370f8d3c94c365231f6ca7ab036561d8984299e9edaac21bd3f319ae41abb8b45dfbfab1fd5d54618e03dabbc6a6ec1c7eb37dbcd473bc0563e13be

Download Submit
\Windows\Temp\{FD02EA72-320C-45A6-83A7-3DC24DA5325C}\.ba\Microsoft.Flow.RPAPAD.Shared.Diagnostics.dll

Filesize
44KB

MD5
a49ef6d23402f5f41e838f71672bb875

SHA1
7441e1535f3ac6fd27028ab451ea98db4d21fd88

SHA256
332e0bee7bdf726f8ad646d30b60b5ec41aadafbde393a9456e4669504e7c84a

SHA512
9948b3bfa2c308cbc83a3ab759f01ce4ff66cfb858dad48bd7b507364beebeaa2b459528e92cf5abefe937b8b8b646eebda1fe9d7fe33a26c02aebb3ecc78f0a

Download Submit
\Windows\Temp\{FD02EA72-320C-45A6-83A7-3DC24DA5325C}\.ba\Newtonsoft.Json.dll

Filesize
705KB

MD5
111cb546659e990e473b285a213e6586

SHA1
befcfde568829a2e7c8f72a80e189d12b503845f

SHA256
f17768d54c5eb93fa2b49aeca5ddf545f59b37138bfb1a9c1c93a4ae41cbd90b

SHA512
32e69786cba028a20c113713b57ba1bc6cfb9becd9e93195abfd093b28e7cdd77321e5cf567f5bd87a6a8c9464445239c306c25cd8f50fe8f9f09bf79cd799ab

Download Submit
\Windows\Temp\{FD02EA72-320C-45A6-83A7-3DC24DA5325C}\.ba\System.Diagnostics.DiagnosticSource.dll

Filesize
169KB

MD5
ac324378cdfa7a39346f9005066770ea

SHA1
c008a256c38605b4c6b17dc0902875619b1d9efb

SHA256
7382a455ddbaa57e6471d1fcd37c4d7f495d9f009618327ec5c477f9497c431b

SHA512
e78b54e58fce17c9d63bf7b4006a5d4fdb539020e87cd6efa577e916a41b58087ecf68386ce3e08c60c25c46a8b0f58cd532acf5e8fd799591d27c69348179b5

Download Submit
\Windows\Temp\{FD02EA72-320C-45A6-83A7-3DC24DA5325C}\.ba\mbahost.dll

Filesize
111KB

MD5
d7c697ceb6f40ce91dabfcbe8df08e22

SHA1
49cd0213a1655dcdb493668083ab2d7f55135381

SHA256
b925d9d3e1e2c49bf05a1b0713e2750ee6e0c43c7adc9d3c3a1b9fb8c557c3df

SHA512
22ca87979ca68f10b5fda64c27913d0f2a12c359b04e4a6caa3645303fbd47cd598c805fd9a43c8f3e0934e9d2db85f7a4e1eff26cb33d233efc05ee2613cfc1

Download Submit
memory/2112-190-0x0000000002260000-0x0000000002282000-memory.dmp

Filesize
136KB

Download
memory/2112-231-0x0000000005FE0000-0x0000000006092000-memory.dmp

Filesize
712KB

Download
memory/2112-202-0x0000000002290000-0x000000000229E000-memory.dmp

Filesize
56KB

Download
memory/2112-210-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2112-198-0x0000000002210000-0x000000000221E000-memory.dmp

Filesize
56KB

Download
memory/2112-214-0x00000000024A0000-0x00000000024AC000-memory.dmp

Filesize
48KB

Download
memory/2112-194-0x00000000022E0000-0x0000000002308000-memory.dmp

Filesize
160KB

Download
memory/2112-218-0x00000000024B0000-0x00000000024BE000-memory.dmp

Filesize
56KB

Download
memory/2112-219-0x0000000002520000-0x000000000253A000-memory.dmp

Filesize
104KB

Download
memory/2112-186-0x0000000006370000-0x0000000006446000-memory.dmp

Filesize
856KB

Download
memory/2112-223-0x0000000002560000-0x000000000258A000-memory.dmp

Filesize
168KB

Download
memory/2112-180-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/2112-227-0x0000000002850000-0x00000000028B2000-memory.dmp

Filesize
392KB

Download
memory/2112-206-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/2112-178-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/2112-236-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/2112-240-0x0000000002700000-0x000000000270C000-memory.dmp

Filesize
48KB

Download
memory/2112-177-0x00000000006A0000-0x00000000006B8000-memory.dmp

Filesize
96KB

Download
memory/2112-172-0x000000007476E000-0x000000007476F000-memory.dmp

Filesize
4KB

Download
memory/2112-244-0x00000000028C0000-0x00000000028EE000-memory.dmp

Filesize
184KB

Download
memory/2112-250-0x00000000028D0000-0x00000000028DA000-memory.dmp

Filesize
40KB

Download
memory/2112-251-0x00000000028D0000-0x00000000028DA000-memory.dmp

Filesize
40KB

Download
memory/2112-258-0x000000007476E000-0x000000007476F000-memory.dmp

Filesize
4KB

Download
memory/2112-259-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/2112-261-0x00000000028D0000-0x00000000028DA000-memory.dmp

Filesize
40KB

Download
memory/2112-260-0x00000000028D0000-0x00000000028DA000-memory.dmp

Filesize
40KB

Download