Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 21-10-2021 23:17

Static task: static1
Behavioral task: behavioral1
  Sample: ImageGrabber.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: ImageGrabber.exe
  Resource: win10-en-20210920

General
- Target: ImageGrabber.exe
- Size: 6.3MB
- MD5: fb70cec4b4450ef2ab595994eb5e2cb8
- SHA1: 4ec80034f42c077be82a0bf31bfe5b73f6ce281c
- SHA256: eb79eca8cfe119f44e673c28f731ea3e31c196b872c4755e643d6ed67d157ec0
- SHA512: 54daccdcdef510a6ce4e53ce32cf6ef9688593bf6f6514160e320a5337ee8b09baee45d1634424b7888b64194a7a6d73c3b23469fa7c1a080e165188e1502c0a
Malware Config
Signatures
- Loads dropped DLL (11 IoCs)
  pid / process: 556 ImageGrabber.exe, 11 load events
  These are the 11 .dll/.pyd files dropped under _MEI7602 (listed under Downloads). base_library.zip, the twelfth dropped file, is a zip archive and is not loaded as a DLL.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid / process: 556 ImageGrabber.exe
  ThreadHideFromDebugger (thread information class 0x11) stops the kernel from delivering debug events for the calling thread, so an attached debugger no longer sees that thread's breakpoints or exceptions. The call comes from the child process that loaded the dropped _pytransform.dll; this is the anti-debugging an analyst should expect to neutralise before single-stepping the sample.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / process: Token: 35, 556 ImageGrabber.exe
  Privilege value 35 is SeCreateSymbolicLinkPrivilege. The CPython 3.6 runtime (posixmodule.c, enable_symlink()) enables that privilege with AdjustTokenPrivileges when the os module initialises on Windows, so a single hit of this kind from a process running python36.dll is expected interpreter start-up behaviour, not evidence that the sample elevates.
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / process / target process:
    PID 760 wrote to memory of 556: ImageGrabber.exe -> ImageGrabber.exe (3 records)
    PID 556 wrote to memory of 1668: ImageGrabber.exe -> cmd.exe (3 records)
    PID 1668 wrote to memory of 1108: cmd.exe -> mode.com (3 records)
    PID 556 wrote to memory of 816: ImageGrabber.exe -> cmd.exe (3 records)
  Every record is a parent writing into a child it has just created (compare the Processes tree); CreateProcess writes the new process's parameters into the child on the parent's behalf, which is what the hook sees. No write into a process the writer did not spawn is recorded, so there is no injection into unrelated processes here.
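The four writer/target pairs above can be checked mechanically against the process tree. The following is an added example in Python (not part of the sandbox report or of the sample): it rebuilds the report's process table and its twelve WriteProcessMemory records, then separates writes into a process the writer itself created from writes into any other process. The parent PID of the top-level ImageGrabber.exe is not in the report and is set to 0 as a placeholder; the explorer.exe process (pid 4242) used in `demo_with_injection` is constructed to show what an injection-style write would look like.

```python
"""Added example: triage WriteProcessMemory records against the process tree.

Parent processes write into children they create (the loader places the
process parameters there), so sandboxes record a few WriteProcessMemory
calls per CreateProcess.  Writes into a process the writer did NOT spawn are
the pattern behind classic injection and deserve attention.  The heuristic
does not clear a parent writing into a suspended child (hollowing);
separating that needs write addresses and sizes, which this report lacks.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class WpmEvent:
    writer: int   # pid that called WriteProcessMemory
    target: int   # pid whose memory was written


# Process table rebuilt from the report's Processes tree and WPM records.
# The parent of the first ImageGrabber.exe is not in the report: 0 is a placeholder.
REPORT_PROCS = {
    760: Proc(760, 0, "ImageGrabber.exe"),    # PyInstaller bootloader
    556: Proc(556, 760, "ImageGrabber.exe"),  # re-executed child running the Python code
    1668: Proc(1668, 556, "cmd.exe"),
    1108: Proc(1108, 1668, "mode.com"),
    816: Proc(816, 556, "cmd.exe"),
}

# The twelve "PID X wrote to memory of Y" records, in report order.
REPORT_EVENTS = (
    [WpmEvent(760, 556)] * 3
    + [WpmEvent(556, 1668)] * 3
    + [WpmEvent(1668, 1108)] * 3
    + [WpmEvent(556, 816)] * 3
)


def classify_wpm(procs, events):
    """Split events into creation writes (writer is the target's parent) and
    cross-process writes (anything else, including targets not in the table).

    Both results are Counters keyed by (writer_pid, target_pid, writer_image, target_image).
    """
    creation, cross = Counter(), Counter()
    for ev in events:
        writer, target = procs.get(ev.writer), procs.get(ev.target)
        key = (ev.writer, ev.target,
               writer.image if writer else "?",
               target.image if target else "?")
        if target is not None and target.ppid == ev.writer:
            creation[key] += 1
        else:
            cross[key] += 1
    return creation, cross


def demo_with_injection():
    """Same table plus one constructed write from 556 into an explorer.exe
    (pid 4242, parent 1) that 556 never created."""
    procs = dict(REPORT_PROCS)
    procs[4242] = Proc(4242, 1, "explorer.exe")   # constructed, not in the report
    return classify_wpm(procs, REPORT_EVENTS + [WpmEvent(556, 4242)])


if __name__ == "__main__":
    for label, counter in zip(("creation", "cross-process"),
                              classify_wpm(REPORT_PROCS, REPORT_EVENTS)):
        print(label, dict(counter))
    print("with constructed injection:", dict(demo_with_injection()[1]))
```

On the report's own records the cross-process counter stays empty; only the constructed explorer.exe write lands there. In a real pipeline the `procs` table comes from the sandbox's process-creation events rather than being typed in.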
Processes
(PIDs are taken from the WriteProcessMemory records above; the tree itself lists only image path, command line and depth.)
1. C:\Users\Admin\AppData\Local\Temp\ImageGrabber.exe  (PID 760)
   "C:\Users\Admin\AppData\Local\Temp\ImageGrabber.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ImageGrabber.exe  (PID 556)
      "C:\Users\Admin\AppData\Local\Temp\ImageGrabber.exe"
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe  (PID 1668)
         C:\Windows\system32\cmd.exe /c cls & title [ImageGrabber] Loading... & mode 80,25
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\mode.com  (PID 1108)
            mode 80,25
      3. C:\Windows\system32\cmd.exe  (PID 816)
         C:\Windows\system32\cmd.exe /c cls
The doubled ImageGrabber.exe is the PyInstaller one-file pattern: the first process (760) is the bootloader, which unpacks the embedded archive to C:\Users\Admin\AppData\Local\Temp\_MEI7602 and re-executes itself; the child (556) is where python36.dll and the dropped modules are loaded and where every other signature fires. The two cmd.exe children only clear the console, set its title and resize it to 80 columns by 25 lines, the kind of os.system() cosmetics a console Python script issues at start-up; nothing in the tree reaches beyond the local console.
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\_MEI7602\VCRUNTIME140.dll
  MD5: 89a24c66e7a522f1e0016b1d0b4316dc
  SHA1: 5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42
  SHA256: 3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6
  SHA512: e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a
- C:\Users\Admin\AppData\Local\Temp\_MEI7602\_bz2.pyd
  MD5: ec1a47eed2618fcd9a85f2e722507210
  SHA1: 91343c6bea0bbb572e23ba0874ca070c74d505d8
  SHA256: edcf82e987cc8d4c8803308edc559957e44387eacdd48c0a3c50c5f1b33678aa
  SHA512: 4d3ef0882e4f858936d0f6f329724e30f0e0005558e4a015392c6d1465565519038f749fb7c5e153a6f3d0e900afbf57776c3c8ff81cf18fe8ba1cd5658ff250
- C:\Users\Admin\AppData\Local\Temp\_MEI7602\_ctypes.pyd
  MD5: bdbacc15ba660f400571f592541b941b
  SHA1: 43b78396270a1cd1671cf1f6221db368402dea68
  SHA256: e88aaa4594713cc8bfce92e35f9a9a32af506b84f56b3bdf2306f23f83cfb718
  SHA512: 60d72fbf0d64695cfb8693d049c900b0989138009505d0ca5401c94289e5a572e030d50d065940446f2a47464920af7b1df69743658982b27319c10119ab9834
- C:\Users\Admin\AppData\Local\Temp\_MEI7602\_hashlib.pyd
  MD5: d2f515f68d76c629196ce80ac9cb0e42
  SHA1: 948f0507a8187333df38373ddafd592a15dfd681
  SHA256: b66d89cd960c7033b2ff29a5cb80a18f688292fa94948bf39010baff995a1402
  SHA512: 24ed28e853906939ad43d6cb3cff36e58b76c2ea90659bbb98eb4b6bd08b7500b055a22c542679924d4ce0d836393c6797c4e1faff34dc66791be60e4da0f95d
- C:\Users\Admin\AppData\Local\Temp\_MEI7602\_lzma.pyd
  MD5: 5e8590aefa6cf35bab4c41f05ac787f6
  SHA1: a28309c5030092c9fff1c02a828ee37d26899fd2
  SHA256: be07b45abf5ea4023c29591a58b6a2090143bb1632e1427f1831558f4452df13
  SHA512: cee3efd4277091d81b3e59a16f5b12bc943f73ac687ee1dc1f178654b03dcb80b4b6aab4a51787b21c7c7c38c51880c5ded96d13d2200afa3feaac7c2ca30cab
- C:\Users\Admin\AppData\Local\Temp\_MEI7602\_pytransform.dll
  MD5: 55b0d09265e0418eb2c218ae1f2b568b
  SHA1: 65ce1156fd219e17b0c45e7eaad48dcdbdf604b0
  SHA256: 6d16bde9befdab5c411d221c759b662fac8c3325cf28c052cce2133e4f44c12c
  SHA512: 85d6472a2f2777b6d9785faae48b1803110226817c2016a37a5b607e4ca5ce5428dae562791f5a343a3469ac185921b90ed0f4a54aeddd72881f270136d6d514
- C:\Users\Admin\AppData\Local\Temp\_MEI7602\_socket.pyd
  MD5: ebc7fdfca5b26f6345fee06b44544409
  SHA1: 530371a5c7e877809e0874777fb5acb50553f768
  SHA256: df15c011dfe9b3e11b294a7789bbc45cc17c82bb8c44e349ecc2f09f0ef15079
  SHA512: be9648a29f16e54c6700ace7425a7e30c7d2486919228cdf61feccd4e68c40943a2d2209e956349390d3628158c58110feb0d46185dade5dc0c27e3a817c20b7
- C:\Users\Admin\AppData\Local\Temp\_MEI7602\base_library.zip
  MD5: 378eb34c5e7074598da9e5d861b320b9
  SHA1: 96784f2c1e8a844db2d7b6a07ace5ca8643018ec
  SHA256: fa1c553cc705b7fab9c8cb1c73962edd132a86aa59edbd6eab6ead64f827af62
  SHA512: 8f8b153832474a9ce1199af1db5909eb1ba0cad29847d43d4d4a6b94eefddf5c398c7fcac32ee58863107c6edb6e6b24df2454b0fea9fc05b6b42993b53eb054
- C:\Users\Admin\AppData\Local\Temp\_MEI7602\pyexpat.pyd
  MD5: 87a2272d987ed0201cd2ace5ff2701eb
  SHA1: 0fbb3322971e684580c52a8b5bee7b80709e2abf
  SHA256: 06e04c52d60de362f7fd77ec0c36774d7bf51df50d08ba06b84d04efc3c48d6f
  SHA512: 83ebb065d36ebc81fedb18586a712a23f49f6f246eb6f8a4dc8af527189cde38e805bc93cda9169fbb409425ecd663faa9e984a89e9c182dcc592dfd60ebfb0d
- C:\Users\Admin\AppData\Local\Temp\_MEI7602\python36.dll
  MD5: 41abc45fdbf189eed1e93c55580f01e3
  SHA1: 90da6c1d287cdf3b8dd9745694df2f95ff528f17
  SHA256: aba20db313e3ab53c0d26a6669a54359f78fa8ec997a2673ee1527e8774f3618
  SHA512: 505bb5c4a31d275c7b85dba14a4eccd278f827aec3e4f778089ae4cc7b76660a7f23c183dcf65c35cfa6f2226d3863b42efee33d5c4a291bb4cd1a0cb6db00ed
- C:\Users\Admin\AppData\Local\Temp\_MEI7602\select.pyd
  MD5: ec9a17a02d9740da121e206b4593f5be
  SHA1: 5365763f29adb4d2ea75521d23f8ac14bca511a1
  SHA256: 1e45ffc36ace0819bf243d2a14d01ec52e067ee33b4223451ba90fe939347132
  SHA512: 998fda17ca19eca64a1467a0b2c04ed9f6a0f0a003777ab91625ed9586bd7c34b53cea49a4165c968cffcf6a7008000af14ce72d9d9c9cddc9401cf30e11c1ab
- C:\Users\Admin\AppData\Local\Temp\_MEI7602\unicodedata.pyd
  MD5: b74e95e5f6505588e16265eb0719a00f
  SHA1: 67193fa380512c3a391c030c7536fe7b99ec0dc9
  SHA256: 7b790c744d16de63308c46cabcf46784bf15e05322daf8774a88a71b2235549a
  SHA512: 0f4d816d84ca20a38d3fd0bd0b3f0f9bda6f447fdb939f07b49c2dec07c783ed299ba70283a1c5ae63bb0808d4acf3ee32768d203ea3f751bdaecf81db452f9e
- memory/556-55-0x0000000000000000-mapping.dmp
- memory/816-81-0x0000000000000000-mapping.dmp
- memory/1108-80-0x0000000000000000-mapping.dmp
- memory/1668-79-0x0000000000000000-mapping.dmp
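The dropped-file list and the process tree above are two views of the same thing: a PyInstaller one-file bundle. The _MEI7602 staging directory (its name begins with 760, the PID of the parent ImageGrabber.exe, consistent with the bootloader naming the directory after its own PID), python36.dll, base_library.zip and the .pyd modules are the PyInstaller runtime, and _pytransform.dll is the runtime library shipped by the PyArmor obfuscator, which is why the Python source will not be recoverable by simply unpacking the archive. The following added example in Python (not code from the report, the sample, PyInstaller or PyArmor) does the two checks an analyst does first: it parses the CArchive cookie that PyInstaller appends to an EXE to confirm the bundle and read the Python version and DLL name, and it classifies a list of dropped-file paths. The cookie layout used (8-byte magic, package length, TOC offset, TOC length, Python version and, since PyInstaller 2.1, a 64-byte Python DLL name, all big-endian) is PyInstaller's own format; the bundle bytes fed to the parser are constructed, and the dropped-file names are the twelve from the list above.

```python
"""Added example: recognise a PyInstaller one-file bundle statically (from the
CArchive cookie at the end of the EXE) and dynamically (from the files it
drops), the two views the report above gives of ImageGrabber.exe.
"""
import re
import struct

# Trailing cookie of the CArchive that PyInstaller appends to the executable.
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT_21 = "!8sIIII64s"   # PyInstaller 2.1+: magic, package len, TOC pos, TOC len, pyver, Python DLL name
COOKIE_FMT_20 = "!8sIIII"      # PyInstaller 2.0: same without the DLL name
COOKIE_LEN_21 = struct.calcsize(COOKIE_FMT_21)   # 88
COOKIE_LEN_20 = struct.calcsize(COOKIE_FMT_20)   # 24


def _decode_pyver(pyver):
    # Older bootloaders store 36 for Python 3.6; newer ones store major*100+minor (306).
    return divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)


def parse_pyinstaller_cookie(data):
    """Return a dict describing the cookie, or None if data is not a PyInstaller bundle."""
    pos = data.rfind(PYINST_MAGIC)
    if pos < 0:
        return None
    remaining = len(data) - pos
    if remaining >= COOKIE_LEN_21:
        _, pkg_len, toc_pos, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT_21, data, pos)
        fmt, cookie_len = "2.1+", COOKIE_LEN_21
        pylib_name = pylib.split(b"\x00", 1)[0].decode("ascii", "replace")
    elif remaining >= COOKIE_LEN_20:
        _, pkg_len, toc_pos, toc_len, pyver = struct.unpack_from(COOKIE_FMT_20, data, pos)
        fmt, cookie_len, pylib_name = "2.0", COOKIE_LEN_20, None
    else:
        return None
    major, minor = _decode_pyver(pyver)
    return {
        "format": fmt,
        "python": f"{major}.{minor}",
        "pylib": pylib_name,
        "package_length": pkg_len,
        "toc_offset": toc_pos,
        "toc_length": toc_len,
        # The package length counts the cookie, so the archive starts this far before the cookie's end.
        "archive_offset": pos + cookie_len - pkg_len,
    }


def build_cookie(pkg_len, toc_pos, toc_len, pyver, pylib=b"python36.dll", legacy=False):
    """Constructed test helper: emit a cookie in the 2.1+ (or, with legacy=True, 2.0) layout."""
    if legacy:
        return struct.pack(COOKIE_FMT_20, PYINST_MAGIC, pkg_len, toc_pos, toc_len, pyver)
    return struct.pack(COOKIE_FMT_21, PYINST_MAGIC, pkg_len, toc_pos, toc_len, pyver, pylib)


# Dynamic side: what the dropped-file paths say about the runtime.
_MEI_DIR = re.compile(r"[\\/]_MEI(\d+)[\\/]")
_PYTHON_DLL = re.compile(r"python(\d)(\d+)\.dll")


def classify_dropped_files(paths):
    """Summarise dropped-file paths: PyInstaller staging dirs, Python version,
    PyArmor runtime (_pytransform.dll) and the native modules that get loaded."""
    info = {"pyinstaller": False, "mei_dirs": set(), "python": None,
            "pyarmor": False, "native_modules": []}
    for path in paths:
        m = _MEI_DIR.search(path)
        if m:
            info["mei_dirs"].add(m.group(1))
        name = re.split(r"[\\/]", path)[-1]
        low = name.lower()
        if low == "base_library.zip":          # PyInstaller's bundled stdlib core
            info["pyinstaller"] = True
        pm = _PYTHON_DLL.fullmatch(low)
        if pm:
            info["python"] = f"{pm.group(1)}.{pm.group(2)}"
        if low == "_pytransform.dll":           # PyArmor's obfuscation runtime
            info["pyarmor"] = True
        if low.endswith((".pyd", ".dll")):
            info["native_modules"].append(name)
    info["pyinstaller"] = info["pyinstaller"] or bool(info["mei_dirs"])
    return info


# The twelve files the report lists under _MEI7602.
_MEI = r"C:\Users\Admin\AppData\Local\Temp\_MEI7602"
REPORT_DROPPED = [_MEI + "\\" + n for n in (
    "VCRUNTIME140.dll", "_bz2.pyd", "_ctypes.pyd", "_hashlib.pyd", "_lzma.pyd",
    "_pytransform.dll", "_socket.pyd", "base_library.zip", "pyexpat.pyd",
    "python36.dll", "select.pyd", "unicodedata.pyd")]

if __name__ == "__main__":
    print(classify_dropped_files(REPORT_DROPPED))
    sample = b"MZ" + b"\x00" * 100 + build_cookie(188, 50, 40, 36)   # constructed bundle
    print(parse_pyinstaller_cookie(sample))
```

Run against the report's twelve paths the classifier reports PyInstaller, Python 3.6, PyArmor present and 11 native modules, the same count the "Loads dropped DLL" signature shows. To use the cookie parser on the real sample, read ImageGrabber.exe into `data` and pass it in; the `archive_offset` it returns is where a CArchive extractor would start reading the TOC.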