b1383f05b364c2a76152b560a54ddb40772fd6ca33ef241425afda7e73ef9f26

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2022, 01:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

20.3MB
MD5

b2835b47293370de452edea0186536f7
SHA1

e050d290579c37c57d4bba630ad6c24e054f55a4
SHA256

b1383f05b364c2a76152b560a54ddb40772fd6ca33ef241425afda7e73ef9f26
SHA512

3598859c3d765cb33b59f2c31e9df860c39d020e78c12dbf23f943141c8989b7c05c0c840e7f1c06a29c2ec43d3a5a8cb8ba90a5ae0f6613e1524eb5ba10fe93
SSDEEP

393216:uI6W4+W86FLK+kFc1CPwDv3uFZt7gyBDfgN7iEfWWbz5IP:34+E6V

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4732	main.exe

Loads dropped DLL 12 IoCs

pid	Process
4732	main.exe
4732	main.exe
4732	main.exe
4732	main.exe
4732	main.exe
4732	main.exe
4732	main.exe
4732	main.exe
4732	main.exe
4732	main.exe
4732	main.exe
4732	main.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4732	main.exe
4732	main.exe
4732	main.exe
4732	main.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 35	4732	main.exe
Token: SeDebugPrivilege	4732	main.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 4732	4112	main.exe	84
PID 4112 wrote to memory of 4732	4112	main.exe	84

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\onefile_4112_133167554421688756\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
87KB

MD5
4079b0e80ef0f97ce35f272410bd29fe

SHA1
19ef1b81a1a0b3286bac74b6af9a18ed381bf92c

SHA256
466d21407f5b589b20c464c51bfe2be420e5a586a7f394908448545f16b08b33

SHA512
21cd5a848f69b0d1715e62dca89d1501f7f09edfe0fa2947cfc473ca72ed3355bfccd32c3a0cdd5f65311e621c89ddb67845945142a4b1bdc5c70e7f7b99ed67

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
129KB

MD5
2f21f50d2252e3083555a724ca57b71e

SHA1
49ec351d569a466284b8cc55ee9aeaf3fbf20099

SHA256
09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

SHA512
e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
251KB

MD5
a567a2ecb4737e5b70500eac25f23049

SHA1
951673dd1a8b5a7f774d34f61b765da2b4026cab

SHA256
a4cba6d82369c57cb38a32d4dacb99225f58206d2dd9883f6fc0355d6ddaec3d

SHA512
97f3b1c20c9a7ed52d9781d1e47f4606579faeae4d98ba09963b99cd2f13426dc0fc2aeb4bb3af18ed584c8ba9d5b6358d8e34687a1d5f74a3954b3f84d12349

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
74KB

MD5
d7e7a7592338ce88e131f858a84deec6

SHA1
3add8cd9fbbf7f5fa40d8a972d9ac18282dcf357

SHA256
4ba5d0e236711bdcb29ce9c3138406f7321bd00587b6b362b4ace94379cf52d5

SHA512
96649296e8ccdc06d6787902185e21020a700436fc7007b2aa6464d0af7f9eb66a4485b3d46461106ac5f1d35403183daa1925e842e7df6f2db9e3e833b18fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_win32sysloader.pyd

Filesize
14KB

MD5
bab3f9d9fae462b6ac6deacbee3dc87b

SHA1
7e14cc08c9107ac8bac509e5fb6d5e9b902a7e36

SHA256
fe72e5cbf483f00abfccbac39788c6d9b37c222faa4765d2d9a6d3dcf712c515

SHA512
b86356ab819e302991062dd3917641fbd72c3e1a70859e934bfa75953f56275a2b7062456268c85bc91b81171e9bdd5beac4ef87c9ae4b09ccdf8c72bcddd03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\psutil\_psutil_windows.pyd

Filesize
75KB

MD5
5e9fc79283d08421683cb9e08ae5bf15

SHA1
b3021534d2647d90cd6d445772d2e362a04d5ddf

SHA256
d5685e38faccdf97ce6ffe4cf53cbfcf48bb20bf83abe316fba81d1abd093cb6

SHA512
9133011ae8eb0110da9f72a18d26bbc57098a74983af8374d1247b9a336ee32db287ed26f4d010d31a7d64eacdc9cf99a75faab194eff25b04299e5761af1a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\python3.dll

Filesize
57KB

MD5
99dbd61e8f7f81818928207d8b1209ba

SHA1
bb299fa92c1f6bc73441f9d5aff7ca1243916104

SHA256
caea9ad7ed099acf1fb8e9481480def0ac0cabb9d368bb7043fcdf2e2829d121

SHA512
8a3c4331a016b68f3105c9a3b391e803b0f1d03e4c42c81e316a624133ac8ba5a13f919e5f1bca4a7ff661b411058cda950029f875416c7d946d468b0d38af5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pywintypes37.dll

Filesize
133KB

MD5
f9d8093503c0eb02a2d30db794dbaa81

SHA1
d11ac482caef0a4f3b008644e34b5c962c69a3af

SHA256
47cfa248363c3e5e3c2fcd847bd73435890bac14c3403f2841fd5e138f936869

SHA512
c4ce86cecef6e2b3785f076667381f3e8e4b7d9e6e7c9e48d2fedde83670df61c51bdd852c3fadc826bee6025d9c22a1cd2f1ba255a7123047ac11e2ed262fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
26KB

MD5
c30e5eccf9c62b0b0bc57ed591e16cc0

SHA1
24aece32d4f215516ee092ab72471d1e15c3ba24

SHA256
56d1a971762a1a56a73bdf64727e416ffa9395b8af4efcd218f5203d744e1268

SHA512
3e5c58428d4c166a3d6d3e153b46c4a57cca2e402001932ec90052c4689b7f5ba4c5f122d1a66d282b2a0a0c9916dc5a5b5e5f6dfc952cdb62332ac29cb7b36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\win32file.pyd

Filesize
155KB

MD5
710aa2ff34b52eb718a3aeb1a4f033be

SHA1
5b77c42b0183c63c477a066edcc0d9d00f4fadd5

SHA256
bacb8c3ad2b12560aa7fa150c76276280ca1aa642aba20ff6de2c415b983f51d

SHA512
13562e698881467d0a11f2693e169ecce6813449516cdad0036386a9ae4b3a209380c9ad46b01a024970cf399c56fa93a701bfdcecf803fbd0b07d0dcdf972d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4112_133167554421688756\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4112_133167554421688756\_bz2.pyd

Filesize
87KB

MD5
4079b0e80ef0f97ce35f272410bd29fe

SHA1
19ef1b81a1a0b3286bac74b6af9a18ed381bf92c

SHA256
466d21407f5b589b20c464c51bfe2be420e5a586a7f394908448545f16b08b33

SHA512
21cd5a848f69b0d1715e62dca89d1501f7f09edfe0fa2947cfc473ca72ed3355bfccd32c3a0cdd5f65311e621c89ddb67845945142a4b1bdc5c70e7f7b99ed67

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4112_133167554421688756\_ctypes.pyd

Filesize
129KB

MD5
2f21f50d2252e3083555a724ca57b71e

SHA1
49ec351d569a466284b8cc55ee9aeaf3fbf20099

SHA256
09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

SHA512
e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4112_133167554421688756\_lzma.pyd

Filesize
251KB

MD5
a567a2ecb4737e5b70500eac25f23049

SHA1
951673dd1a8b5a7f774d34f61b765da2b4026cab

SHA256
a4cba6d82369c57cb38a32d4dacb99225f58206d2dd9883f6fc0355d6ddaec3d

SHA512
97f3b1c20c9a7ed52d9781d1e47f4606579faeae4d98ba09963b99cd2f13426dc0fc2aeb4bb3af18ed584c8ba9d5b6358d8e34687a1d5f74a3954b3f84d12349

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4112_133167554421688756\_socket.pyd

Filesize
74KB

MD5
d7e7a7592338ce88e131f858a84deec6

SHA1
3add8cd9fbbf7f5fa40d8a972d9ac18282dcf357

SHA256
4ba5d0e236711bdcb29ce9c3138406f7321bd00587b6b362b4ace94379cf52d5

SHA512
96649296e8ccdc06d6787902185e21020a700436fc7007b2aa6464d0af7f9eb66a4485b3d46461106ac5f1d35403183daa1925e842e7df6f2db9e3e833b18fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4112_133167554421688756\_win32sysloader.pyd

Filesize
14KB

MD5
bab3f9d9fae462b6ac6deacbee3dc87b

SHA1
7e14cc08c9107ac8bac509e5fb6d5e9b902a7e36

SHA256
fe72e5cbf483f00abfccbac39788c6d9b37c222faa4765d2d9a6d3dcf712c515

SHA512
b86356ab819e302991062dd3917641fbd72c3e1a70859e934bfa75953f56275a2b7062456268c85bc91b81171e9bdd5beac4ef87c9ae4b09ccdf8c72bcddd03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4112_133167554421688756\main.exe

Filesize
7.4MB

MD5
ac17d76884cf5a98ab5213d0be9e3120

SHA1
b4ffff5824395042f45b86186718d714e8fad40a

SHA256
2fb3aa8060efb4b67e84cb2e00c94959e70e59ad350820f6d013faf0d3e9e2c9

SHA512
d55e6e87c4bdd5a76679c8a925a4852c1afaf1e5833354c58fe4bd94f02f4272eee415d4a0e4474d76e78b6094e201e4a130f5b3c2f574535023885effe7f0bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4112_133167554421688756\psutil\_psutil_windows.pyd

Filesize
75KB

MD5
5e9fc79283d08421683cb9e08ae5bf15

SHA1
b3021534d2647d90cd6d445772d2e362a04d5ddf

SHA256
d5685e38faccdf97ce6ffe4cf53cbfcf48bb20bf83abe316fba81d1abd093cb6

SHA512
9133011ae8eb0110da9f72a18d26bbc57098a74983af8374d1247b9a336ee32db287ed26f4d010d31a7d64eacdc9cf99a75faab194eff25b04299e5761af1a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4112_133167554421688756\python3.dll

Filesize
57KB

MD5
99dbd61e8f7f81818928207d8b1209ba

SHA1
bb299fa92c1f6bc73441f9d5aff7ca1243916104

SHA256
caea9ad7ed099acf1fb8e9481480def0ac0cabb9d368bb7043fcdf2e2829d121

SHA512
8a3c4331a016b68f3105c9a3b391e803b0f1d03e4c42c81e316a624133ac8ba5a13f919e5f1bca4a7ff661b411058cda950029f875416c7d946d468b0d38af5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4112_133167554421688756\python37.dll

Filesize
3.7MB

MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4112_133167554421688756\python37.dll

Filesize
3.7MB

MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4112_133167554421688756\pywintypes37.dll

Filesize
133KB

MD5
f9d8093503c0eb02a2d30db794dbaa81

SHA1
d11ac482caef0a4f3b008644e34b5c962c69a3af

SHA256
47cfa248363c3e5e3c2fcd847bd73435890bac14c3403f2841fd5e138f936869

SHA512
c4ce86cecef6e2b3785f076667381f3e8e4b7d9e6e7c9e48d2fedde83670df61c51bdd852c3fadc826bee6025d9c22a1cd2f1ba255a7123047ac11e2ed262fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4112_133167554421688756\select.pyd

Filesize
26KB

MD5
c30e5eccf9c62b0b0bc57ed591e16cc0

SHA1
24aece32d4f215516ee092ab72471d1e15c3ba24

SHA256
56d1a971762a1a56a73bdf64727e416ffa9395b8af4efcd218f5203d744e1268

SHA512
3e5c58428d4c166a3d6d3e153b46c4a57cca2e402001932ec90052c4689b7f5ba4c5f122d1a66d282b2a0a0c9916dc5a5b5e5f6dfc952cdb62332ac29cb7b36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4112_133167554421688756\vcruntime140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4112_133167554421688756\win32file.pyd

Filesize
155KB

MD5
710aa2ff34b52eb718a3aeb1a4f033be

SHA1
5b77c42b0183c63c477a066edcc0d9d00f4fadd5

SHA256
bacb8c3ad2b12560aa7fa150c76276280ca1aa642aba20ff6de2c415b983f51d

SHA512
13562e698881467d0a11f2693e169ecce6813449516cdad0036386a9ae4b3a209380c9ad46b01a024970cf399c56fa93a701bfdcecf803fbd0b07d0dcdf972d3

Download Submit