dc0bba54dc123ee0d029d0b7cfb2cbd0666417203cad460d9d42a60a0e736bcf

Analysis

max time kernel
142s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/06/2023, 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pharmacy_3_0_160808.exe
Size

17.9MB
MD5

e075a2ae385e716722636d43deba48a5
SHA1

8bbde4c30a63dce4f27da9a95f950bee9022da3e
SHA256

dc0bba54dc123ee0d029d0b7cfb2cbd0666417203cad460d9d42a60a0e736bcf
SHA512

3b643a02729fc43291278b59cb847ca993083aac676b94499a4f6aef5ca3e7ce4ea1e125c7523a4b1d448fb3762386dbd9cffa5f76e0417100a3d1bdc4a11baf
SSDEEP

393216:qBLmbGbT1uyHwb5TZgfGbrw4s/fxCS9PZv6GPdo/hJS+5lixTmmQTq5lAW:8miVuywbcgrw4u5bZS0mNlcSiXAW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
976	pharmacy_3_0.exe

Loads dropped DLL 7 IoCs

pid	Process
1988	pharmacy_3_0_160808.exe
1988	pharmacy_3_0_160808.exe
976	pharmacy_3_0.exe
976	pharmacy_3_0.exe
976	pharmacy_3_0.exe
976	pharmacy_3_0.exe
976	pharmacy_3_0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1988	pharmacy_3_0_160808.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
976	pharmacy_3_0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 976	1988	pharmacy_3_0_160808.exe	28
PID 1988 wrote to memory of 976	1988	pharmacy_3_0_160808.exe	28
PID 1988 wrote to memory of 976	1988	pharmacy_3_0_160808.exe	28
PID 1988 wrote to memory of 976	1988	pharmacy_3_0_160808.exe	28

C:\Users\Admin\AppData\Local\Temp\pharmacy_3_0_160808.exe
"C:\Users\Admin\AppData\Local\Temp\pharmacy_3_0_160808.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Micard-Lana\Pharmacy_3_0\pharmacy_3_0.exe
  "C:\Micard-Lana\Pharmacy_3_0\pharmacy_3_0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Micard-Lana\Pharmacy_3_0\USI_lib_0x20.dll

Filesize
216KB

MD5
9ac74a95715de2fbb300db1c3568a594

SHA1
cdad9b768a875833a8f6bc86ae53649a48275280

SHA256
a60d63ebfd858bfcaddc0c187cad81128703c21a60e948a7d2b2fa700547169e

SHA512
8aa152e209a1246d04a416e185c63aa4c92a23bcf680e32b733e7aa828d88da9affe0e9e3c158714c2890a1bac084cb554ed74a52e7e8b4d660d28d9737fbb5c

Download Submit
C:\Micard-Lana\Pharmacy_3_0\bluetooth.dll

Filesize
68KB

MD5
d99dce2272ab741767ba9f515e721ef9

SHA1
ba57d1b050318ced63a89a12ee6f813f3b6b6415

SHA256
c40c7ca82e2c392a51b69acfbbb7d0068709bbe562b749c783b0b85b5e1f6934

SHA512
ef815e9cb02181100278a57daa65bca11e8d274ed0ec427b9b96cad1c913f7b7db2756aaa787eb33b62a315a8338355b6d2909f445d1279e5d5f70fdeab247e2

Download Submit
C:\Micard-Lana\Pharmacy_3_0\libdemodulator.dll

Filesize
480KB

MD5
ded788f6284bc319d1765ca1ba8723e4

SHA1
cd53855735e9154fa7c4e7709aec45706925d6fb

SHA256
7b19abd1ed08420118bdd8c0c6e645acae236fdf2c5ca0360a8eb5da6fdffca1

SHA512
626706c8a6fd583831004454e0af9116127220e65a094e53e6c72e79c85315d811b74c89de00068c4c2af0ef3959fa256e089640232a403a739532ca99d8094a

Download Submit
C:\Micard-Lana\Pharmacy_3_0\libfftw3-3.dll

Filesize
2.3MB

MD5
fa3e0a8ba3d210d80ac31aa02d2f5b6b

SHA1
0b645437c808f3cd85881802cd73d920cb0d2524

SHA256
9a1c6f59eddd4fa2dd4f4c31d1bbaab88d2843712d5283fd4e674c93f6540d1f

SHA512
fa1d05de2192fe6e8391e18e542dc8585081fac7cc62a4dc0da62f69c4b45879a7115a1499367fcbb22d00340952c67da0cd694d0f594db9e94755db014db4b1

Download Submit
C:\Micard-Lana\Pharmacy_3_0\mtp.DLL

Filesize
16KB

MD5
00de3e23cf30f197ea60abb67c3a801b

SHA1
0ef566c8f493f55464d5c74ac01ecc790a408ee4

SHA256
42922b20694e680f569f7d48252d8d9f27cdef2beda34cfb4751995831f9d1b1

SHA512
1f7551ea799db7b636ee239b7124a212e41a390a3e669e64ece5e28b5da04d89fcb0ec01e0620bc04af02a17ca64280b6be1b977b1a5e4abd9f4c271ba0dc5d7

Download Submit
C:\Micard-Lana\Pharmacy_3_0\pharmacy_3_0.exe

Filesize
27.5MB

MD5
a8acb252c44eb76f7fc5da17fdf8df3b

SHA1
66a2739871b45a83e10df43620d94f31b1f5756f

SHA256
cc9f2e87d4c417a1af16f95794cfcca32cff5e4c7bf2c578ee3cd685e876b291

SHA512
a0d9b20948a832d1bcca515d5b22248af4816679e5809bbb707112110c7ac03ef31ef8838eadac58c838c56bee3e5d9fd641a8ffc7e324e15ab2db2cdb8a6a8f

Download Submit
C:\Micard-Lana\Pharmacy_3_0\pharmacy_3_0.exe

Filesize
27.5MB

MD5
a8acb252c44eb76f7fc5da17fdf8df3b

SHA1
66a2739871b45a83e10df43620d94f31b1f5756f

SHA256
cc9f2e87d4c417a1af16f95794cfcca32cff5e4c7bf2c578ee3cd685e876b291

SHA512
a0d9b20948a832d1bcca515d5b22248af4816679e5809bbb707112110c7ac03ef31ef8838eadac58c838c56bee3e5d9fd641a8ffc7e324e15ab2db2cdb8a6a8f

Download Submit
C:\Micard-Lana\Pharmacy_3_0\pic.dll

Filesize
110KB

MD5
bacfc0c9470acfbdf6212d79cb214027

SHA1
724dbb2618e15a10bfe83bb211c7d6562cd5f148

SHA256
d1af88fb4d7fd850748f049426edb7001c7d58ad1ccaff8f50474b493f8061cf

SHA512
e091af1445afdee144e31dd0b977983e56ab3f86540e9333d1653fae088a47adcc817034d91353528cd1e9945b95135b2f583c7cc809dd08df91422edb0965d6

Download Submit
\??\c:\Micard-Lana\Pharmacy_3_0\oktmo.db

Filesize
14.6MB

MD5
2c278b47e8273751d4de23165ee41c8e

SHA1
059d2f23a6a126e1bd86f8ad522384aa913903b0

SHA256
620851dd6f9ef358ed5460856ca5fe6965210eb70f8718be40e2f29ef12346cc

SHA512
f75c361f80b84b57233575ded015ac605baef3177252007004651fa052f3a79bc2fabc4a57b66ee28cf4d0a503fe133a940143ffd31687a99d94e3f368ef41ab

Download Submit
\Micard-Lana\Pharmacy_3_0\bluetooth.dll

Filesize
68KB

MD5
d99dce2272ab741767ba9f515e721ef9

SHA1
ba57d1b050318ced63a89a12ee6f813f3b6b6415

SHA256
c40c7ca82e2c392a51b69acfbbb7d0068709bbe562b749c783b0b85b5e1f6934

SHA512
ef815e9cb02181100278a57daa65bca11e8d274ed0ec427b9b96cad1c913f7b7db2756aaa787eb33b62a315a8338355b6d2909f445d1279e5d5f70fdeab247e2

Download Submit
\Micard-Lana\Pharmacy_3_0\libdemodulator.dll

Filesize
480KB

MD5
ded788f6284bc319d1765ca1ba8723e4

SHA1
cd53855735e9154fa7c4e7709aec45706925d6fb

SHA256
7b19abd1ed08420118bdd8c0c6e645acae236fdf2c5ca0360a8eb5da6fdffca1

SHA512
626706c8a6fd583831004454e0af9116127220e65a094e53e6c72e79c85315d811b74c89de00068c4c2af0ef3959fa256e089640232a403a739532ca99d8094a

Download Submit
\Micard-Lana\Pharmacy_3_0\libfftw3-3.dll

Filesize
2.3MB

MD5
fa3e0a8ba3d210d80ac31aa02d2f5b6b

SHA1
0b645437c808f3cd85881802cd73d920cb0d2524

SHA256
9a1c6f59eddd4fa2dd4f4c31d1bbaab88d2843712d5283fd4e674c93f6540d1f

SHA512
fa1d05de2192fe6e8391e18e542dc8585081fac7cc62a4dc0da62f69c4b45879a7115a1499367fcbb22d00340952c67da0cd694d0f594db9e94755db014db4b1

Download Submit
\Micard-Lana\Pharmacy_3_0\mtp.dll

Filesize
16KB

MD5
00de3e23cf30f197ea60abb67c3a801b

SHA1
0ef566c8f493f55464d5c74ac01ecc790a408ee4

SHA256
42922b20694e680f569f7d48252d8d9f27cdef2beda34cfb4751995831f9d1b1

SHA512
1f7551ea799db7b636ee239b7124a212e41a390a3e669e64ece5e28b5da04d89fcb0ec01e0620bc04af02a17ca64280b6be1b977b1a5e4abd9f4c271ba0dc5d7

Download Submit
\Micard-Lana\Pharmacy_3_0\pharmacy_3_0.exe

Filesize
27.5MB

MD5
a8acb252c44eb76f7fc5da17fdf8df3b

SHA1
66a2739871b45a83e10df43620d94f31b1f5756f

SHA256
cc9f2e87d4c417a1af16f95794cfcca32cff5e4c7bf2c578ee3cd685e876b291

SHA512
a0d9b20948a832d1bcca515d5b22248af4816679e5809bbb707112110c7ac03ef31ef8838eadac58c838c56bee3e5d9fd641a8ffc7e324e15ab2db2cdb8a6a8f

Download Submit
\Micard-Lana\Pharmacy_3_0\pharmacy_3_0.exe

Filesize
27.5MB

MD5
a8acb252c44eb76f7fc5da17fdf8df3b

SHA1
66a2739871b45a83e10df43620d94f31b1f5756f

SHA256
cc9f2e87d4c417a1af16f95794cfcca32cff5e4c7bf2c578ee3cd685e876b291

SHA512
a0d9b20948a832d1bcca515d5b22248af4816679e5809bbb707112110c7ac03ef31ef8838eadac58c838c56bee3e5d9fd641a8ffc7e324e15ab2db2cdb8a6a8f

Download Submit
\Micard-Lana\Pharmacy_3_0\pic.dll

Filesize
110KB

MD5
bacfc0c9470acfbdf6212d79cb214027

SHA1
724dbb2618e15a10bfe83bb211c7d6562cd5f148

SHA256
d1af88fb4d7fd850748f049426edb7001c7d58ad1ccaff8f50474b493f8061cf

SHA512
e091af1445afdee144e31dd0b977983e56ab3f86540e9333d1653fae088a47adcc817034d91353528cd1e9945b95135b2f583c7cc809dd08df91422edb0965d6

Download Submit
memory/976-117-0x0000000000400000-0x0000000001F91000-memory.dmp

Filesize
27.6MB

Download
memory/976-123-0x0000000000400000-0x0000000001F91000-memory.dmp

Filesize
27.6MB

Download
memory/976-112-0x0000000000400000-0x0000000001F91000-memory.dmp

Filesize
27.6MB

Download
memory/976-115-0x0000000000400000-0x0000000001F91000-memory.dmp

Filesize
27.6MB

Download
memory/976-110-0x0000000000400000-0x0000000001F91000-memory.dmp

Filesize
27.6MB

Download
memory/976-119-0x0000000000400000-0x0000000001F91000-memory.dmp

Filesize
27.6MB

Download
memory/976-121-0x0000000000400000-0x0000000001F91000-memory.dmp

Filesize
27.6MB

Download
memory/976-111-0x0000000070680000-0x0000000070886000-memory.dmp

Filesize
2.0MB

Download
memory/976-125-0x0000000000400000-0x0000000001F91000-memory.dmp

Filesize
27.6MB

Download
memory/976-127-0x0000000000400000-0x0000000001F91000-memory.dmp

Filesize
27.6MB

Download
memory/976-129-0x0000000000400000-0x0000000001F91000-memory.dmp

Filesize
27.6MB

Download
memory/976-131-0x0000000000400000-0x0000000001F91000-memory.dmp

Filesize
27.6MB

Download
memory/976-133-0x0000000000400000-0x0000000001F91000-memory.dmp

Filesize
27.6MB

Download
memory/976-135-0x0000000000400000-0x0000000001F91000-memory.dmp

Filesize
27.6MB

Download