7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17-04-2023 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71a0ca15307459ac022cc94745b4e4d6.exe
Size

2.6MB
MD5

71a0ca15307459ac022cc94745b4e4d6
SHA1

08203769381e9b2593cb4dc525f4bf166892abc5
SHA256

7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315
SHA512

664c0cd101a8d3ad67c1c943c23eaeaf095a700e9c1d7d8e07893b3628a06d7c80af233c6f38f2f6cd4110df3830914f4a641362f211bd3c9e7ec27e39c0d2d4
SSDEEP

49152:IBJ+lPvy/ydUPzMTwt5whOO0BaRPu/TBHXCzjXSZfofdZo6qNx:yMlo1YD+aRPoTB38jlfdZo/Nx

Score

7^/10

spyware

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1708	Mahatga.exe

Loads dropped DLL 12 IoCs

pid	Process
1232	71a0ca15307459ac022cc94745b4e4d6.exe
1232	71a0ca15307459ac022cc94745b4e4d6.exe
1232	71a0ca15307459ac022cc94745b4e4d6.exe
1232	71a0ca15307459ac022cc94745b4e4d6.exe
1232	71a0ca15307459ac022cc94745b4e4d6.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 1252	1708	Mahatga.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1676	1708	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1252	AppLaunch.exe
1252	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	AppLaunch.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 1708	1232	71a0ca15307459ac022cc94745b4e4d6.exe	28
PID 1232 wrote to memory of 1708	1232	71a0ca15307459ac022cc94745b4e4d6.exe	28
PID 1232 wrote to memory of 1708	1232	71a0ca15307459ac022cc94745b4e4d6.exe	28
PID 1232 wrote to memory of 1708	1232	71a0ca15307459ac022cc94745b4e4d6.exe	28
PID 1708 wrote to memory of 1252	1708	Mahatga.exe	30
PID 1708 wrote to memory of 1252	1708	Mahatga.exe	30
PID 1708 wrote to memory of 1252	1708	Mahatga.exe	30
PID 1708 wrote to memory of 1252	1708	Mahatga.exe	30
PID 1708 wrote to memory of 1252	1708	Mahatga.exe	30
PID 1708 wrote to memory of 1252	1708	Mahatga.exe	30
PID 1708 wrote to memory of 1252	1708	Mahatga.exe	30
PID 1708 wrote to memory of 1252	1708	Mahatga.exe	30
PID 1708 wrote to memory of 1252	1708	Mahatga.exe	30
PID 1708 wrote to memory of 1676	1708	Mahatga.exe	31
PID 1708 wrote to memory of 1676	1708	Mahatga.exe	31
PID 1708 wrote to memory of 1676	1708	Mahatga.exe	31
PID 1708 wrote to memory of 1676	1708	Mahatga.exe	31

C:\Users\Admin\AppData\Local\Temp\71a0ca15307459ac022cc94745b4e4d6.exe
"C:\Users\Admin\AppData\Local\Temp\71a0ca15307459ac022cc94745b4e4d6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
memory/1252-83-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1252-84-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1252-81-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1252-77-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1252-76-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1252-92-0x0000000000770000-0x00000000007B0000-memory.dmp

Filesize
256KB

Download