eb79eca8cfe119f44e673c28f731ea3e31c196b872c4755e643d6ed67d157ec0

Analysis

max time kernel
122s
max time network
137s
platform
windows10_x64
resource
win10-en-20210920
submitted
21-10-2021 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ImageGrabber.exe
Size

6.3MB
MD5

fb70cec4b4450ef2ab595994eb5e2cb8
SHA1

4ec80034f42c077be82a0bf31bfe5b73f6ce281c
SHA256

eb79eca8cfe119f44e673c28f731ea3e31c196b872c4755e643d6ed67d157ec0
SHA512

54daccdcdef510a6ce4e53ce32cf6ef9688593bf6f6514160e320a5337ee8b09baee45d1634424b7888b64194a7a6d73c3b23469fa7c1a080e165188e1502c0a

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 11 IoCs

Processes:

ImageGrabber.exe

pid	process
640	ImageGrabber.exe
640	ImageGrabber.exe
640	ImageGrabber.exe
640	ImageGrabber.exe
640	ImageGrabber.exe
640	ImageGrabber.exe
640	ImageGrabber.exe
640	ImageGrabber.exe
640	ImageGrabber.exe
640	ImageGrabber.exe
640	ImageGrabber.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

ImageGrabber.exe

pid process

640 ImageGrabber.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ImageGrabber.exe

description pid process

Token: 35 640 ImageGrabber.exe

description	pid	process
Token: 35	640	ImageGrabber.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ImageGrabber.exeImageGrabber.execmd.exe

description	pid	process	target process
PID 2136 wrote to memory of 640	2136	ImageGrabber.exe	ImageGrabber.exe
PID 2136 wrote to memory of 640	2136	ImageGrabber.exe	ImageGrabber.exe
PID 640 wrote to memory of 8	640	ImageGrabber.exe	cmd.exe
PID 640 wrote to memory of 8	640	ImageGrabber.exe	cmd.exe
PID 8 wrote to memory of 1448	8	cmd.exe	mode.com
PID 8 wrote to memory of 1448	8	cmd.exe	mode.com
PID 640 wrote to memory of 3024	640	ImageGrabber.exe	cmd.exe
PID 640 wrote to memory of 3024	640	ImageGrabber.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ImageGrabber.exe
"C:\Users\Admin\AppData\Local\Temp\ImageGrabber.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\AppData\Local\Temp\ImageGrabber.exe
"C:\Users\Admin\AppData\Local\Temp\ImageGrabber.exe"
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls & title [ImageGrabber] Loading... & mode 80,25
3⤵
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\system32\mode.com
mode 80,25
4⤵
PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI21362\VCRUNTIME140.dll
MD5
89a24c66e7a522f1e0016b1d0b4316dc

SHA1
5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42

SHA256
3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6

SHA512
e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21362\_bz2.pyd
MD5
ec1a47eed2618fcd9a85f2e722507210

SHA1
91343c6bea0bbb572e23ba0874ca070c74d505d8

SHA256
edcf82e987cc8d4c8803308edc559957e44387eacdd48c0a3c50c5f1b33678aa

SHA512
4d3ef0882e4f858936d0f6f329724e30f0e0005558e4a015392c6d1465565519038f749fb7c5e153a6f3d0e900afbf57776c3c8ff81cf18fe8ba1cd5658ff250

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21362\_ctypes.pyd
MD5
bdbacc15ba660f400571f592541b941b

SHA1
43b78396270a1cd1671cf1f6221db368402dea68

SHA256
e88aaa4594713cc8bfce92e35f9a9a32af506b84f56b3bdf2306f23f83cfb718

SHA512
60d72fbf0d64695cfb8693d049c900b0989138009505d0ca5401c94289e5a572e030d50d065940446f2a47464920af7b1df69743658982b27319c10119ab9834

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21362\_hashlib.pyd
MD5
d2f515f68d76c629196ce80ac9cb0e42

SHA1
948f0507a8187333df38373ddafd592a15dfd681

SHA256
b66d89cd960c7033b2ff29a5cb80a18f688292fa94948bf39010baff995a1402

SHA512
24ed28e853906939ad43d6cb3cff36e58b76c2ea90659bbb98eb4b6bd08b7500b055a22c542679924d4ce0d836393c6797c4e1faff34dc66791be60e4da0f95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21362\_lzma.pyd
MD5
5e8590aefa6cf35bab4c41f05ac787f6

SHA1
a28309c5030092c9fff1c02a828ee37d26899fd2

SHA256
be07b45abf5ea4023c29591a58b6a2090143bb1632e1427f1831558f4452df13

SHA512
cee3efd4277091d81b3e59a16f5b12bc943f73ac687ee1dc1f178654b03dcb80b4b6aab4a51787b21c7c7c38c51880c5ded96d13d2200afa3feaac7c2ca30cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21362\_pytransform.dll
MD5
55b0d09265e0418eb2c218ae1f2b568b

SHA1
65ce1156fd219e17b0c45e7eaad48dcdbdf604b0

SHA256
6d16bde9befdab5c411d221c759b662fac8c3325cf28c052cce2133e4f44c12c

SHA512
85d6472a2f2777b6d9785faae48b1803110226817c2016a37a5b607e4ca5ce5428dae562791f5a343a3469ac185921b90ed0f4a54aeddd72881f270136d6d514

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21362\_socket.pyd
MD5
ebc7fdfca5b26f6345fee06b44544409

SHA1
530371a5c7e877809e0874777fb5acb50553f768

SHA256
df15c011dfe9b3e11b294a7789bbc45cc17c82bb8c44e349ecc2f09f0ef15079

SHA512
be9648a29f16e54c6700ace7425a7e30c7d2486919228cdf61feccd4e68c40943a2d2209e956349390d3628158c58110feb0d46185dade5dc0c27e3a817c20b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21362\base_library.zip
MD5
378eb34c5e7074598da9e5d861b320b9

SHA1
96784f2c1e8a844db2d7b6a07ace5ca8643018ec

SHA256
fa1c553cc705b7fab9c8cb1c73962edd132a86aa59edbd6eab6ead64f827af62

SHA512
8f8b153832474a9ce1199af1db5909eb1ba0cad29847d43d4d4a6b94eefddf5c398c7fcac32ee58863107c6edb6e6b24df2454b0fea9fc05b6b42993b53eb054

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21362\pyexpat.pyd
MD5
87a2272d987ed0201cd2ace5ff2701eb

SHA1
0fbb3322971e684580c52a8b5bee7b80709e2abf

SHA256
06e04c52d60de362f7fd77ec0c36774d7bf51df50d08ba06b84d04efc3c48d6f

SHA512
83ebb065d36ebc81fedb18586a712a23f49f6f246eb6f8a4dc8af527189cde38e805bc93cda9169fbb409425ecd663faa9e984a89e9c182dcc592dfd60ebfb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21362\python36.dll
MD5
41abc45fdbf189eed1e93c55580f01e3

SHA1
90da6c1d287cdf3b8dd9745694df2f95ff528f17

SHA256
aba20db313e3ab53c0d26a6669a54359f78fa8ec997a2673ee1527e8774f3618

SHA512
505bb5c4a31d275c7b85dba14a4eccd278f827aec3e4f778089ae4cc7b76660a7f23c183dcf65c35cfa6f2226d3863b42efee33d5c4a291bb4cd1a0cb6db00ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21362\select.pyd
MD5
ec9a17a02d9740da121e206b4593f5be

SHA1
5365763f29adb4d2ea75521d23f8ac14bca511a1

SHA256
1e45ffc36ace0819bf243d2a14d01ec52e067ee33b4223451ba90fe939347132

SHA512
998fda17ca19eca64a1467a0b2c04ed9f6a0f0a003777ab91625ed9586bd7c34b53cea49a4165c968cffcf6a7008000af14ce72d9d9c9cddc9401cf30e11c1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21362\unicodedata.pyd
MD5
b74e95e5f6505588e16265eb0719a00f

SHA1
67193fa380512c3a391c030c7536fe7b99ec0dc9

SHA256
7b790c744d16de63308c46cabcf46784bf15e05322daf8774a88a71b2235549a

SHA512
0f4d816d84ca20a38d3fd0bd0b3f0f9bda6f447fdb939f07b49c2dec07c783ed299ba70283a1c5ae63bb0808d4acf3ee32768d203ea3f751bdaecf81db452f9e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21362\VCRUNTIME140.dll
MD5
89a24c66e7a522f1e0016b1d0b4316dc

SHA1
5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42

SHA256
3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6

SHA512
e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21362\_bz2.pyd
MD5
ec1a47eed2618fcd9a85f2e722507210

SHA1
91343c6bea0bbb572e23ba0874ca070c74d505d8

SHA256
edcf82e987cc8d4c8803308edc559957e44387eacdd48c0a3c50c5f1b33678aa

SHA512
4d3ef0882e4f858936d0f6f329724e30f0e0005558e4a015392c6d1465565519038f749fb7c5e153a6f3d0e900afbf57776c3c8ff81cf18fe8ba1cd5658ff250

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21362\_ctypes.pyd
MD5
bdbacc15ba660f400571f592541b941b

SHA1
43b78396270a1cd1671cf1f6221db368402dea68

SHA256
e88aaa4594713cc8bfce92e35f9a9a32af506b84f56b3bdf2306f23f83cfb718

SHA512
60d72fbf0d64695cfb8693d049c900b0989138009505d0ca5401c94289e5a572e030d50d065940446f2a47464920af7b1df69743658982b27319c10119ab9834

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21362\_hashlib.pyd
MD5
d2f515f68d76c629196ce80ac9cb0e42

SHA1
948f0507a8187333df38373ddafd592a15dfd681

SHA256
b66d89cd960c7033b2ff29a5cb80a18f688292fa94948bf39010baff995a1402

SHA512
24ed28e853906939ad43d6cb3cff36e58b76c2ea90659bbb98eb4b6bd08b7500b055a22c542679924d4ce0d836393c6797c4e1faff34dc66791be60e4da0f95d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21362\_lzma.pyd
MD5
5e8590aefa6cf35bab4c41f05ac787f6

SHA1
a28309c5030092c9fff1c02a828ee37d26899fd2

SHA256
be07b45abf5ea4023c29591a58b6a2090143bb1632e1427f1831558f4452df13

SHA512
cee3efd4277091d81b3e59a16f5b12bc943f73ac687ee1dc1f178654b03dcb80b4b6aab4a51787b21c7c7c38c51880c5ded96d13d2200afa3feaac7c2ca30cab

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21362\_pytransform.dll
MD5
55b0d09265e0418eb2c218ae1f2b568b

SHA1
65ce1156fd219e17b0c45e7eaad48dcdbdf604b0

SHA256
6d16bde9befdab5c411d221c759b662fac8c3325cf28c052cce2133e4f44c12c

SHA512
85d6472a2f2777b6d9785faae48b1803110226817c2016a37a5b607e4ca5ce5428dae562791f5a343a3469ac185921b90ed0f4a54aeddd72881f270136d6d514

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21362\_socket.pyd
MD5
ebc7fdfca5b26f6345fee06b44544409

SHA1
530371a5c7e877809e0874777fb5acb50553f768

SHA256
df15c011dfe9b3e11b294a7789bbc45cc17c82bb8c44e349ecc2f09f0ef15079

SHA512
be9648a29f16e54c6700ace7425a7e30c7d2486919228cdf61feccd4e68c40943a2d2209e956349390d3628158c58110feb0d46185dade5dc0c27e3a817c20b7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21362\pyexpat.pyd
MD5
87a2272d987ed0201cd2ace5ff2701eb

SHA1
0fbb3322971e684580c52a8b5bee7b80709e2abf

SHA256
06e04c52d60de362f7fd77ec0c36774d7bf51df50d08ba06b84d04efc3c48d6f

SHA512
83ebb065d36ebc81fedb18586a712a23f49f6f246eb6f8a4dc8af527189cde38e805bc93cda9169fbb409425ecd663faa9e984a89e9c182dcc592dfd60ebfb0d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21362\python36.dll
MD5
41abc45fdbf189eed1e93c55580f01e3

SHA1
90da6c1d287cdf3b8dd9745694df2f95ff528f17

SHA256
aba20db313e3ab53c0d26a6669a54359f78fa8ec997a2673ee1527e8774f3618

SHA512
505bb5c4a31d275c7b85dba14a4eccd278f827aec3e4f778089ae4cc7b76660a7f23c183dcf65c35cfa6f2226d3863b42efee33d5c4a291bb4cd1a0cb6db00ed

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21362\select.pyd
MD5
ec9a17a02d9740da121e206b4593f5be

SHA1
5365763f29adb4d2ea75521d23f8ac14bca511a1

SHA256
1e45ffc36ace0819bf243d2a14d01ec52e067ee33b4223451ba90fe939347132

SHA512
998fda17ca19eca64a1467a0b2c04ed9f6a0f0a003777ab91625ed9586bd7c34b53cea49a4165c968cffcf6a7008000af14ce72d9d9c9cddc9401cf30e11c1ab

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21362\unicodedata.pyd
MD5
b74e95e5f6505588e16265eb0719a00f

SHA1
67193fa380512c3a391c030c7536fe7b99ec0dc9

SHA256
7b790c744d16de63308c46cabcf46784bf15e05322daf8774a88a71b2235549a

SHA512
0f4d816d84ca20a38d3fd0bd0b3f0f9bda6f447fdb939f07b49c2dec07c783ed299ba70283a1c5ae63bb0808d4acf3ee32768d203ea3f751bdaecf81db452f9e

Download Submit
memory/8-139-0x0000000000000000-mapping.dmp

Download
memory/640-115-0x0000000000000000-mapping.dmp

Download
memory/1448-140-0x0000000000000000-mapping.dmp

Download
memory/3024-141-0x0000000000000000-mapping.dmp

Download