f151c8538f92a38501c2b89f4e3e937a77c19ef6323e806de4285620ad40369a

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f151c8538f92a38501c2b89f4e3e937a77c19ef6323e806de4285620ad40369a.exe
Size

4.7MB
MD5

7d53c663dba982300cf2969655b248df
SHA1

3403d17ca074389177d1d03b397585fd917c1ab1
SHA256

f151c8538f92a38501c2b89f4e3e937a77c19ef6323e806de4285620ad40369a
SHA512

a6650d8700de0252b9cf30de377219a4fd0e755344b5a624ce42cf223d36635f26997324fba891d7ddad509db5f7bb7cb232857e4a9a325b306894aa94860958
SSDEEP

98304:DK9eiBEy6gr5sXXpfiIjulgcudr/XfuKVDHv/RmPxtnnoueqaj4tCyjkZl4:DKjW6CndLfcudT7PwZzK+ol4

Score

8^/10

pyinstaller

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

sh6.exesh6.exe

pid process

1876 sh6.exe
1304 sh6.exe

pid	process
1876	sh6.exe
1304	sh6.exe

Loads dropped DLL 12 IoCs

Processes:

f151c8538f92a38501c2b89f4e3e937a77c19ef6323e806de4285620ad40369a.exesh6.exesh6.exe

pid	process
1644	f151c8538f92a38501c2b89f4e3e937a77c19ef6323e806de4285620ad40369a.exe
1644	f151c8538f92a38501c2b89f4e3e937a77c19ef6323e806de4285620ad40369a.exe
1644	f151c8538f92a38501c2b89f4e3e937a77c19ef6323e806de4285620ad40369a.exe
1644	f151c8538f92a38501c2b89f4e3e937a77c19ef6323e806de4285620ad40369a.exe
1876	sh6.exe
1304	sh6.exe
1304	sh6.exe
1304	sh6.exe
1304	sh6.exe
1304	sh6.exe
1304	sh6.exe
1304	sh6.exe

Detects Pyinstaller 8 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

sh6.exe

description pid process

Token: 35 1304 sh6.exe

description	pid	process
Token: 35	1304	sh6.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f151c8538f92a38501c2b89f4e3e937a77c19ef6323e806de4285620ad40369a.exesh6.exe

description	pid	process	target process
PID 1644 wrote to memory of 1876	1644	f151c8538f92a38501c2b89f4e3e937a77c19ef6323e806de4285620ad40369a.exe	sh6.exe
PID 1644 wrote to memory of 1876	1644	f151c8538f92a38501c2b89f4e3e937a77c19ef6323e806de4285620ad40369a.exe	sh6.exe
PID 1644 wrote to memory of 1876	1644	f151c8538f92a38501c2b89f4e3e937a77c19ef6323e806de4285620ad40369a.exe	sh6.exe
PID 1644 wrote to memory of 1876	1644	f151c8538f92a38501c2b89f4e3e937a77c19ef6323e806de4285620ad40369a.exe	sh6.exe
PID 1876 wrote to memory of 1304	1876	sh6.exe	sh6.exe
PID 1876 wrote to memory of 1304	1876	sh6.exe	sh6.exe
PID 1876 wrote to memory of 1304	1876	sh6.exe	sh6.exe
PID 1876 wrote to memory of 1304	1876	sh6.exe	sh6.exe

C:\Users\Admin\AppData\Local\Temp\f151c8538f92a38501c2b89f4e3e937a77c19ef6323e806de4285620ad40369a.exe
"C:\Users\Admin\AppData\Local\Temp\f151c8538f92a38501c2b89f4e3e937a77c19ef6323e806de4285620ad40369a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1304

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe
Filesize
4.5MB

MD5
3edee63ff573e7fc5d7646d92a124b43

SHA1
b660eaa669f1b3ea741fad31524de73e02c20434

SHA256
1b66f7fc00ce8a5d1e709f3f424cb8d8e9f6d23e625fce745cb8790674955723

SHA512
f7d9802deec3ac1b48068edd4a60c945f4c42a55400beb5603114931e00ff069767e082e1f133a7324b166aa5a3496801dfb33b3a686f0b931aacef8a4f9c0c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe
Filesize
4.5MB

MD5
3edee63ff573e7fc5d7646d92a124b43

SHA1
b660eaa669f1b3ea741fad31524de73e02c20434

SHA256
1b66f7fc00ce8a5d1e709f3f424cb8d8e9f6d23e625fce745cb8790674955723

SHA512
f7d9802deec3ac1b48068edd4a60c945f4c42a55400beb5603114931e00ff069767e082e1f133a7324b166aa5a3496801dfb33b3a686f0b931aacef8a4f9c0c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe
Filesize
4.5MB

MD5
3edee63ff573e7fc5d7646d92a124b43

SHA1
b660eaa669f1b3ea741fad31524de73e02c20434

SHA256
1b66f7fc00ce8a5d1e709f3f424cb8d8e9f6d23e625fce745cb8790674955723

SHA512
f7d9802deec3ac1b48068edd4a60c945f4c42a55400beb5603114931e00ff069767e082e1f133a7324b166aa5a3496801dfb33b3a686f0b931aacef8a4f9c0c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\MSVCR100.dll
Filesize
756KB

MD5
ef3e115c225588a680acf365158b2f4a

SHA1
ecda6d3b4642d2451817833b39248778e9c2cbb0

SHA256
25d1cc5be93c7a0b58855ad1f4c9df3cfb9ec87e5dc13db85b147b1951ac6fa8

SHA512
d51f51336b7a34eb6c8f429597c3d685eb53853ee5e9d4857c40fc7be6956f1b8363d8d34bebad15ccceae45a6eb69f105f2df6a672f15fb0e6f8d0bb1afb91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\_bz2.pyd
Filesize
52KB

MD5
fb47d434edb65e28d9a05381f646dc01

SHA1
d64f38c378625a21917a54c6e5c1d76430ccc679

SHA256
2e0cdab46bf899f8a433d57643d909c3883f95e32ca37817bf4f9e72d84a5a5f

SHA512
448824d83f22c4343353e900666d095d89698ae6f80278a29b6061163313e9e53060568241682fb18df430c5f1214836c4cf0b66c8ab2cd08cbd60f527ff7c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\_ctypes.pyd
Filesize
83KB

MD5
5d1bc1be2f02b4a2890e921af15190d2

SHA1
057c88438b40cd8e73554274171341244f107139

SHA256
97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da

SHA512
9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\_hashlib.pyd
Filesize
900KB

MD5
82ae4e8208d58bffc95f68c2c1d8f280

SHA1
8874b66dcaf142cfca6b72aa46f2247ab6d96e8c

SHA256
2c905f0809749f5494b2a638a8551af3d914a148d282fc3da9d68ce12d067eb9

SHA512
737109f330f1ab8302c5f73ead54dfa53b39d73a806054ba725f7f1e9be82adec678e08fc127b6b5658daf465aea34d0c4226162f6e067b8d4c461b3d051ce37

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\_socket.pyd
Filesize
46KB

MD5
ebc931925d333427e182eb58eb4cecce

SHA1
90a811fa23c1ea1244eddef5f3371411af354fd6

SHA256
e29cc2340a9577f82c45abe6707e2817575ee02ac374f4864885410d411e6bea

SHA512
52767f0e49a600ab6b025265cd0220dfd84c24ccec24f7268974123cad41a287a015021357ec4b88eae0dc0dd2517bb5d07f1aaaf08fd36e7bedd0fab8047ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\_ssl.pyd
Filesize
1.3MB

MD5
12b5156dd0e8de73b6c96dc61729cbbd

SHA1
126903ac9e8447d52745782a14cd95818c048a53

SHA256
7a622e57f85120cefe38f473e57b7363c8afc551a35a6e4a4677b05f5d43881b

SHA512
1c2db35190861237259f1761c4c24becaae1c3a525ebb70dd9e68b1be5b16edeb3d1ebad6e710b0880448cf4f6f4c72a37926d584fc034956a91e1600ef3f335

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\base_library.zip
Filesize
717KB

MD5
1837b9848033c3f301f5bc47c46aa447

SHA1
fa89873e73deb81722b9d26cf1a5a713c54c261e

SHA256
83afb48874c0cf877e7affb447f2dc4c64cee39f28c263c4f4af1200ce9cfc12

SHA512
cbdd7d18c8613f1a694532a9676e191959c69f957da55bd63e381f33e442073c509423955ba45395773e9080a6db830f4556b6d1661d2095433788c30ac669c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\python34.dll
Filesize
2.6MB

MD5
74814d5b0ecccc52fb4aa683306f5c1f

SHA1
f750b804e7937b70f85126dc2b9a35a314ff2f19

SHA256
3df740a176649ca8614bb7c8f9f871fe1ed6edfc64470d1801e40518bd95a242

SHA512
0284724ec72882ba106e6c1ff89f9767f3ed10c06b543e06b0e674afb6c258672373bdc70d786970cec040ee84fa0f7278021e696d16f668e368c6bfe2a6fa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18762\update.exe.manifest
Filesize
944B

MD5
442fefd848dbc6610d641e3bb37a662a

SHA1
d6775bacbf756c11e0684dca1bee2719c761fcee

SHA256
2009bfbc4afbc9d4db18fe244a7e6a7f7cfbbefdab8ed0437b46c6d8b8a255ab

SHA512
af984f84bc829161d9c2dd5268c25e793a2287aa6e4f1a19ef332dee5c6d71a5680e2169df69e8b5aecd50f3549a508f2b973253ea5deefeb058147d6753cfdf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe
Filesize
4.5MB

MD5
3edee63ff573e7fc5d7646d92a124b43

SHA1
b660eaa669f1b3ea741fad31524de73e02c20434

SHA256
1b66f7fc00ce8a5d1e709f3f424cb8d8e9f6d23e625fce745cb8790674955723

SHA512
f7d9802deec3ac1b48068edd4a60c945f4c42a55400beb5603114931e00ff069767e082e1f133a7324b166aa5a3496801dfb33b3a686f0b931aacef8a4f9c0c7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe
Filesize
4.5MB

MD5
3edee63ff573e7fc5d7646d92a124b43

SHA1
b660eaa669f1b3ea741fad31524de73e02c20434

SHA256
1b66f7fc00ce8a5d1e709f3f424cb8d8e9f6d23e625fce745cb8790674955723

SHA512
f7d9802deec3ac1b48068edd4a60c945f4c42a55400beb5603114931e00ff069767e082e1f133a7324b166aa5a3496801dfb33b3a686f0b931aacef8a4f9c0c7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe
Filesize
4.5MB

MD5
3edee63ff573e7fc5d7646d92a124b43

SHA1
b660eaa669f1b3ea741fad31524de73e02c20434

SHA256
1b66f7fc00ce8a5d1e709f3f424cb8d8e9f6d23e625fce745cb8790674955723

SHA512
f7d9802deec3ac1b48068edd4a60c945f4c42a55400beb5603114931e00ff069767e082e1f133a7324b166aa5a3496801dfb33b3a686f0b931aacef8a4f9c0c7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe
Filesize
4.5MB

MD5
3edee63ff573e7fc5d7646d92a124b43

SHA1
b660eaa669f1b3ea741fad31524de73e02c20434

SHA256
1b66f7fc00ce8a5d1e709f3f424cb8d8e9f6d23e625fce745cb8790674955723

SHA512
f7d9802deec3ac1b48068edd4a60c945f4c42a55400beb5603114931e00ff069767e082e1f133a7324b166aa5a3496801dfb33b3a686f0b931aacef8a4f9c0c7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\sh6.exe
Filesize
4.5MB

MD5
3edee63ff573e7fc5d7646d92a124b43

SHA1
b660eaa669f1b3ea741fad31524de73e02c20434

SHA256
1b66f7fc00ce8a5d1e709f3f424cb8d8e9f6d23e625fce745cb8790674955723

SHA512
f7d9802deec3ac1b48068edd4a60c945f4c42a55400beb5603114931e00ff069767e082e1f133a7324b166aa5a3496801dfb33b3a686f0b931aacef8a4f9c0c7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18762\MSVCR100.dll
Filesize
756KB

MD5
ef3e115c225588a680acf365158b2f4a

SHA1
ecda6d3b4642d2451817833b39248778e9c2cbb0

SHA256
25d1cc5be93c7a0b58855ad1f4c9df3cfb9ec87e5dc13db85b147b1951ac6fa8

SHA512
d51f51336b7a34eb6c8f429597c3d685eb53853ee5e9d4857c40fc7be6956f1b8363d8d34bebad15ccceae45a6eb69f105f2df6a672f15fb0e6f8d0bb1afb91a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18762\_bz2.pyd
Filesize
52KB

MD5
fb47d434edb65e28d9a05381f646dc01

SHA1
d64f38c378625a21917a54c6e5c1d76430ccc679

SHA256
2e0cdab46bf899f8a433d57643d909c3883f95e32ca37817bf4f9e72d84a5a5f

SHA512
448824d83f22c4343353e900666d095d89698ae6f80278a29b6061163313e9e53060568241682fb18df430c5f1214836c4cf0b66c8ab2cd08cbd60f527ff7c66

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18762\_ctypes.pyd
Filesize
83KB

MD5
5d1bc1be2f02b4a2890e921af15190d2

SHA1
057c88438b40cd8e73554274171341244f107139

SHA256
97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da

SHA512
9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18762\_hashlib.pyd
Filesize
900KB

MD5
82ae4e8208d58bffc95f68c2c1d8f280

SHA1
8874b66dcaf142cfca6b72aa46f2247ab6d96e8c

SHA256
2c905f0809749f5494b2a638a8551af3d914a148d282fc3da9d68ce12d067eb9

SHA512
737109f330f1ab8302c5f73ead54dfa53b39d73a806054ba725f7f1e9be82adec678e08fc127b6b5658daf465aea34d0c4226162f6e067b8d4c461b3d051ce37

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18762\_socket.pyd
Filesize
46KB

MD5
ebc931925d333427e182eb58eb4cecce

SHA1
90a811fa23c1ea1244eddef5f3371411af354fd6

SHA256
e29cc2340a9577f82c45abe6707e2817575ee02ac374f4864885410d411e6bea

SHA512
52767f0e49a600ab6b025265cd0220dfd84c24ccec24f7268974123cad41a287a015021357ec4b88eae0dc0dd2517bb5d07f1aaaf08fd36e7bedd0fab8047ab9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18762\_ssl.pyd
Filesize
1.3MB

MD5
12b5156dd0e8de73b6c96dc61729cbbd

SHA1
126903ac9e8447d52745782a14cd95818c048a53

SHA256
7a622e57f85120cefe38f473e57b7363c8afc551a35a6e4a4677b05f5d43881b

SHA512
1c2db35190861237259f1761c4c24becaae1c3a525ebb70dd9e68b1be5b16edeb3d1ebad6e710b0880448cf4f6f4c72a37926d584fc034956a91e1600ef3f335

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18762\python34.dll
Filesize
2.6MB

MD5
74814d5b0ecccc52fb4aa683306f5c1f

SHA1
f750b804e7937b70f85126dc2b9a35a314ff2f19

SHA256
3df740a176649ca8614bb7c8f9f871fe1ed6edfc64470d1801e40518bd95a242

SHA512
0284724ec72882ba106e6c1ff89f9767f3ed10c06b543e06b0e674afb6c258672373bdc70d786970cec040ee84fa0f7278021e696d16f668e368c6bfe2a6fa9c

Download Submit
memory/1304-63-0x0000000000000000-mapping.dmp

Download
memory/1644-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1876-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads