c040dc2a52208b4ceb487a5d9ef469a4966f4787ba4d27d01c6074c48f017642

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28/05/2023, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c040dc2a52208b4ceb487a5d9ef469a4966f4787ba4d27d01c6074c48f017642.exe
Size

12.2MB
MD5

b4b84decc017efa8cb3e191d864d6f1e
SHA1

c4d01a4d31cadaf8829922fd4e342440fddbeb94
SHA256

c040dc2a52208b4ceb487a5d9ef469a4966f4787ba4d27d01c6074c48f017642
SHA512

4ab9980bc3ac54795ddc55be6c1e91013f96597ba05c4b113e3a9c73ecb2e5a8c248cdbf99033d09fb84c4d7526079a9734337d0d210d312c235cf23941e5a7b
SSDEEP

196608:2+MdpYwfY8+X1333jAYHcKHZOVlBfXSunq5b9Yq3/mfLRlpLfFLOyomFHKnP:Hw6cK1nzDHcK56Lhq5/3kdX7F

Score

7^/10

pyinstaller

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
976	setup.exe
1408	setup.exe

Loads dropped DLL 3 IoCs

pid	Process
1260	c040dc2a52208b4ceb487a5d9ef469a4966f4787ba4d27d01c6074c48f017642.exe
976	setup.exe
1408	setup.exe

Detects Pyinstaller 5 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0009000000012301-69.dat	pyinstaller
behavioral1/files/0x0009000000012301-70.dat	pyinstaller
behavioral1/files/0x0009000000012301-71.dat	pyinstaller
behavioral1/files/0x0009000000012301-97.dat	pyinstaller
behavioral1/files/0x0009000000012301-98.dat	pyinstaller

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
976	setup.exe
1408	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1260	c040dc2a52208b4ceb487a5d9ef469a4966f4787ba4d27d01c6074c48f017642.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 976	1260	c040dc2a52208b4ceb487a5d9ef469a4966f4787ba4d27d01c6074c48f017642.exe	28
PID 1260 wrote to memory of 976	1260	c040dc2a52208b4ceb487a5d9ef469a4966f4787ba4d27d01c6074c48f017642.exe	28
PID 1260 wrote to memory of 976	1260	c040dc2a52208b4ceb487a5d9ef469a4966f4787ba4d27d01c6074c48f017642.exe	28
PID 1260 wrote to memory of 976	1260	c040dc2a52208b4ceb487a5d9ef469a4966f4787ba4d27d01c6074c48f017642.exe	28
PID 1260 wrote to memory of 976	1260	c040dc2a52208b4ceb487a5d9ef469a4966f4787ba4d27d01c6074c48f017642.exe	28
PID 1260 wrote to memory of 976	1260	c040dc2a52208b4ceb487a5d9ef469a4966f4787ba4d27d01c6074c48f017642.exe	28
PID 1260 wrote to memory of 976	1260	c040dc2a52208b4ceb487a5d9ef469a4966f4787ba4d27d01c6074c48f017642.exe	28
PID 976 wrote to memory of 1408	976	setup.exe	29
PID 976 wrote to memory of 1408	976	setup.exe	29
PID 976 wrote to memory of 1408	976	setup.exe	29
PID 976 wrote to memory of 1408	976	setup.exe	29
PID 976 wrote to memory of 1408	976	setup.exe	29
PID 976 wrote to memory of 1408	976	setup.exe	29
PID 976 wrote to memory of 1408	976	setup.exe	29

C:\Users\Admin\AppData\Local\Temp\c040dc2a52208b4ceb487a5d9ef469a4966f4787ba4d27d01c6074c48f017642.exe
"C:\Users\Admin\AppData\Local\Temp\c040dc2a52208b4ceb487a5d9ef469a4966f4787ba4d27d01c6074c48f017642.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  C:\Users\Admin\AppData\Local\Temp\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    C:\Users\Admin\AppData\Local\Temp\setup.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI9762\python310.dll

Filesize
3.9MB

MD5
87bb8d7f9f22e11d2a3c196ee9bf36a5

SHA1
45dfcb22987f5a20a9b32410336c0d097ca91b35

SHA256
1269f15b1c8daa25af81e6ad22f9bcebfd2c76aec81c18c6d800460b7105bf98

SHA512
75bb2ae36b693e2a1e5ba003503d07ba975f9436fb3da9bf3fc4087a281cb172fa9bd13ad6fc27a62f796af6cbe0c800e2a169c65949a96bd4d0e150f4858288

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.dll

Filesize
6.1MB

MD5
edcf13d3fcf440332ba7d0a5dc956546

SHA1
218b66e36c233e9adde31b1c68d35a08b8fbd0ca

SHA256
07900f5fe6a1f75b8d0a5c499539f800fbbacc7b882bf3f592a7e99e122a7f91

SHA512
e9c65a890c42014fcad4b428d28096d479fa3e057bdc4a22e75284bc316711cbe9fd032e04e59b6a6b422a0ca24cbb6d3567c7404c44bf6dfc3980078b61ccb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
7.2MB

MD5
42ccb2adb5c296a5eda3f3d505dc4044

SHA1
2c68b70e26c1d3b0e24e9bee13b5f9ab31d8a813

SHA256
93533eb77671810b187a73a69a888551b2a09925ea064505ea286d8034c4cbe6

SHA512
550564e8721f29066c13af462cf176b70b310ea2c22d47c65475156a83bb567ace2e0547158efba7138864c41d8d253dfef29bef26d908f44b93becbb83c7d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
7.2MB

MD5
42ccb2adb5c296a5eda3f3d505dc4044

SHA1
2c68b70e26c1d3b0e24e9bee13b5f9ab31d8a813

SHA256
93533eb77671810b187a73a69a888551b2a09925ea064505ea286d8034c4cbe6

SHA512
550564e8721f29066c13af462cf176b70b310ea2c22d47c65475156a83bb567ace2e0547158efba7138864c41d8d253dfef29bef26d908f44b93becbb83c7d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
7.2MB

MD5
42ccb2adb5c296a5eda3f3d505dc4044

SHA1
2c68b70e26c1d3b0e24e9bee13b5f9ab31d8a813

SHA256
93533eb77671810b187a73a69a888551b2a09925ea064505ea286d8034c4cbe6

SHA512
550564e8721f29066c13af462cf176b70b310ea2c22d47c65475156a83bb567ace2e0547158efba7138864c41d8d253dfef29bef26d908f44b93becbb83c7d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
7.2MB

MD5
42ccb2adb5c296a5eda3f3d505dc4044

SHA1
2c68b70e26c1d3b0e24e9bee13b5f9ab31d8a813

SHA256
93533eb77671810b187a73a69a888551b2a09925ea064505ea286d8034c4cbe6

SHA512
550564e8721f29066c13af462cf176b70b310ea2c22d47c65475156a83bb567ace2e0547158efba7138864c41d8d253dfef29bef26d908f44b93becbb83c7d1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evbCFD.tmp

Filesize
1KB

MD5
2c06818cb38d62e254f8fab1069e5bae

SHA1
15e1ddb1555ae0dfa4626c310f6811bc8536e1fa

SHA256
d80117b4bbdc8b91088d246d777ada78c52983a42de62cb2130e2f5128d0bdab

SHA512
7d5611320c31c694aee80005890e69466617394a34fdb425fa315b4e1b3b287af1186e4d2b6050f34a88bb80e67f0a278bc89b2603c86dcec756bfc5f858e7d3

Download Submit
\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
1.4MB

MD5
ad10eb4e59b416e5364a44ee7e0ab9c9

SHA1
554b0e0c944deecd4cf23f7ffd82fcf52e4b3655

SHA256
57d80707ef2454be0f6f4f90986e64e740e990ead23c8657fac2073ba0bd4147

SHA512
e1d285037c4abba6d0388f3a7cf012ff7c74d1e71c4a23b272f71835705db25cc792fdb0e89027922a98fba8ff52f06f012cbc203f3c41c9845278d43f9e9789

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9762\python310.dll

Filesize
3.9MB

MD5
87bb8d7f9f22e11d2a3c196ee9bf36a5

SHA1
45dfcb22987f5a20a9b32410336c0d097ca91b35

SHA256
1269f15b1c8daa25af81e6ad22f9bcebfd2c76aec81c18c6d800460b7105bf98

SHA512
75bb2ae36b693e2a1e5ba003503d07ba975f9436fb3da9bf3fc4087a281cb172fa9bd13ad6fc27a62f796af6cbe0c800e2a169c65949a96bd4d0e150f4858288

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
7.2MB

MD5
42ccb2adb5c296a5eda3f3d505dc4044

SHA1
2c68b70e26c1d3b0e24e9bee13b5f9ab31d8a813

SHA256
93533eb77671810b187a73a69a888551b2a09925ea064505ea286d8034c4cbe6

SHA512
550564e8721f29066c13af462cf176b70b310ea2c22d47c65475156a83bb567ace2e0547158efba7138864c41d8d253dfef29bef26d908f44b93becbb83c7d1c

Download Submit
memory/976-74-0x0000000010000000-0x00000000100DF000-memory.dmp

Filesize
892KB

Download
memory/976-90-0x0000000010000000-0x00000000100DF000-memory.dmp

Filesize
892KB

Download
memory/976-88-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/976-77-0x0000000076010000-0x0000000076020000-memory.dmp

Filesize
64KB

Download
memory/976-108-0x0000000076010000-0x0000000076020000-memory.dmp

Filesize
64KB

Download
memory/976-109-0x0000000002980000-0x0000000002A18000-memory.dmp

Filesize
608KB

Download
memory/976-130-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/976-131-0x0000000010000000-0x00000000100DF000-memory.dmp

Filesize
892KB

Download
memory/1408-110-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1408-111-0x0000000010000000-0x00000000100DF000-memory.dmp

Filesize
892KB

Download
memory/1408-112-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1408-113-0x0000000010000000-0x00000000100DF000-memory.dmp

Filesize
892KB

Download