7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315

Analysis

max time kernel
28s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18-04-2023 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe
Size

2.6MB
MD5

71a0ca15307459ac022cc94745b4e4d6
SHA1

08203769381e9b2593cb4dc525f4bf166892abc5
SHA256

7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315
SHA512

664c0cd101a8d3ad67c1c943c23eaeaf095a700e9c1d7d8e07893b3628a06d7c80af233c6f38f2f6cd4110df3830914f4a641362f211bd3c9e7ec27e39c0d2d4
SSDEEP

49152:IBJ+lPvy/ydUPzMTwt5whOO0BaRPu/TBHXCzjXSZfofdZo6qNx:yMlo1YD+aRPoTB38jlfdZo/Nx

Score

7^/10

spyware

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1832	Mahatga.exe

Loads dropped DLL 12 IoCs

pid	Process
1980	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe
1980	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe
1980	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe
1980	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe
1980	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1832 set thread context of 360	1832	Mahatga.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1776	1832	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
360	AppLaunch.exe
360	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	360	AppLaunch.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1832	1980	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe	27
PID 1980 wrote to memory of 1832	1980	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe	27
PID 1980 wrote to memory of 1832	1980	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe	27
PID 1980 wrote to memory of 1832	1980	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe	27
PID 1832 wrote to memory of 360	1832	Mahatga.exe	29
PID 1832 wrote to memory of 360	1832	Mahatga.exe	29
PID 1832 wrote to memory of 360	1832	Mahatga.exe	29
PID 1832 wrote to memory of 360	1832	Mahatga.exe	29
PID 1832 wrote to memory of 360	1832	Mahatga.exe	29
PID 1832 wrote to memory of 360	1832	Mahatga.exe	29
PID 1832 wrote to memory of 360	1832	Mahatga.exe	29
PID 1832 wrote to memory of 360	1832	Mahatga.exe	29
PID 1832 wrote to memory of 360	1832	Mahatga.exe	29
PID 1832 wrote to memory of 1776	1832	Mahatga.exe	30
PID 1832 wrote to memory of 1776	1832	Mahatga.exe	30
PID 1832 wrote to memory of 1776	1832	Mahatga.exe	30
PID 1832 wrote to memory of 1776	1832	Mahatga.exe	30

C:\Users\Admin\AppData\Local\Temp\7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe
"C:\Users\Admin\AppData\Local\Temp\7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
memory/360-84-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/360-83-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/360-81-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/360-77-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/360-76-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/360-92-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download