ed3588a0ea55834f7964684d9b97f05a70aea91fbc9eb4f1c5d0a1248acc7fbf

General

Target

Install.exe
Size

5.2MB
MD5

2528a0992ee8ce05ef2bc65d43606adc
SHA1

732067d766460ba20cbf8b4faf965f6d58af3d43
SHA256

ed3588a0ea55834f7964684d9b97f05a70aea91fbc9eb4f1c5d0a1248acc7fbf
SHA512

d297042c28af346aa0e8f8e60962c08865ed1216671a11f67df50256ab9dec3edc4a32d320598d15e048dcac66868ea743f962de5354f4ef687b61ca6f9fd8a8

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

Install.exe

pid process

1048 Install.exe
1048 Install.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Install.exe

description pid process

Token: 35 1048 Install.exe

pid	process
1048	Install.exe
1048	Install.exe

description	pid	process
Token: 35	1048	Install.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

Install.exeInstall.exe

description	pid	process	target process
PID 756 wrote to memory of 1048	756	Install.exe	Install.exe
PID 756 wrote to memory of 1048	756	Install.exe	Install.exe
PID 756 wrote to memory of 1048	756	Install.exe	Install.exe
PID 1048 wrote to memory of 1736	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1736	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1736	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1584	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1584	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1584	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1760	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1760	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1760	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1820	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1820	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1820	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 432	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 432	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 432	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1180	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1180	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1180	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1124	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1124	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1124	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1116	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1116	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1116	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 324	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 324	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 324	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1336	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1336	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1336	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1084	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1084	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1084	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1168	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1168	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1168	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1536	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1536	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 1536	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 996	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 996	1048	Install.exe	cmd.exe
PID 1048 wrote to memory of 996	1048	Install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pip install wmi
3⤵
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pip install windows_tools.product_key
3⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pip install winregistry
3⤵
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pip install psutil
3⤵
PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pip install Pillow
3⤵
PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pip install pypiwin32
3⤵
PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pip install browser-cookie3
3⤵
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pip install pycryptodome
3⤵
PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pip install psutial
3⤵
PID:324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pip install requests
3⤵
PID:1336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pip install pywin32
3⤵
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pip install discord
3⤵
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pip install colorama
3⤵
PID:1536

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI7562\VCRUNTIME140.dll
MD5
89a24c66e7a522f1e0016b1d0b4316dc

SHA1
5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42

SHA256
3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6

SHA512
e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\base_library.zip
MD5
378eb34c5e7074598da9e5d861b320b9

SHA1
96784f2c1e8a844db2d7b6a07ace5ca8643018ec

SHA256
fa1c553cc705b7fab9c8cb1c73962edd132a86aa59edbd6eab6ead64f827af62

SHA512
8f8b153832474a9ce1199af1db5909eb1ba0cad29847d43d4d4a6b94eefddf5c398c7fcac32ee58863107c6edb6e6b24df2454b0fea9fc05b6b42993b53eb054

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\python36.dll
MD5
41abc45fdbf189eed1e93c55580f01e3

SHA1
90da6c1d287cdf3b8dd9745694df2f95ff528f17

SHA256
aba20db313e3ab53c0d26a6669a54359f78fa8ec997a2673ee1527e8774f3618

SHA512
505bb5c4a31d275c7b85dba14a4eccd278f827aec3e4f778089ae4cc7b76660a7f23c183dcf65c35cfa6f2226d3863b42efee33d5c4a291bb4cd1a0cb6db00ed

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI7562\VCRUNTIME140.dll
MD5
89a24c66e7a522f1e0016b1d0b4316dc

SHA1
5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42

SHA256
3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6

SHA512
e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI7562\python36.dll
MD5
41abc45fdbf189eed1e93c55580f01e3

SHA1
90da6c1d287cdf3b8dd9745694df2f95ff528f17

SHA256
aba20db313e3ab53c0d26a6669a54359f78fa8ec997a2673ee1527e8774f3618

SHA512
505bb5c4a31d275c7b85dba14a4eccd278f827aec3e4f778089ae4cc7b76660a7f23c183dcf65c35cfa6f2226d3863b42efee33d5c4a291bb4cd1a0cb6db00ed

Download Submit
memory/324-69-0x0000000000000000-mapping.dmp

Download
memory/432-65-0x0000000000000000-mapping.dmp

Download
memory/996-74-0x0000000000000000-mapping.dmp

Download
memory/1048-55-0x0000000000000000-mapping.dmp

Download
memory/1084-71-0x0000000000000000-mapping.dmp

Download
memory/1116-68-0x0000000000000000-mapping.dmp

Download
memory/1124-67-0x0000000000000000-mapping.dmp

Download
memory/1168-72-0x0000000000000000-mapping.dmp

Download
memory/1180-66-0x0000000000000000-mapping.dmp

Download
memory/1336-70-0x0000000000000000-mapping.dmp

Download
memory/1536-73-0x0000000000000000-mapping.dmp

Download
memory/1584-62-0x0000000000000000-mapping.dmp

Download
memory/1736-61-0x0000000000000000-mapping.dmp

Download
memory/1760-63-0x0000000000000000-mapping.dmp

Download
memory/1820-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads