986444443dfd75420bcfa42a6f2009921c9bf0b52b08ee8567ba8257af34fc90

Resubmissions

04-07-2023 15:12

230704-slhpxaga8t 7

17-06-2023 10:41

230617-mrj72aba8t 7

Analysis

max time kernel
26s
max time network
33s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04-07-2023 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NetherWorkshopDownloader3 v0.1.exe
Size

37.3MB
MD5

d6777db75ced8e402db8248fdaab138e
SHA1

000b16b9f41e04a7bd56410d4243094959bea265
SHA256

986444443dfd75420bcfa42a6f2009921c9bf0b52b08ee8567ba8257af34fc90
SHA512

29c991ba5f2ca23b9cc39b8f38abb1245027f59f4a214a23d2398282083789e7159b4ded83344f6d78b9cfec39354a1e707157335407be4009f257252faff7cc
SSDEEP

786432:IaC1DKoRdANYTPWR+uDONxDClZvl11IDcN62jeFarOzAElud:pC1e8dTTu3DOiLN1akVwGI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

frame.exe

pid process

800 frame.exe
Loads dropped DLL 2 IoCs

Processes:

NetherWorkshopDownloader3 v0.1.exeframe.exe

pid process

2280 NetherWorkshopDownloader3 v0.1.exe
800 frame.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
800	frame.exe

pid	process
2280	NetherWorkshopDownloader3 v0.1.exe
800	frame.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

NetherWorkshopDownloader3 v0.1.exe

description	pid	process	target process
PID 2280 wrote to memory of 800	2280	NetherWorkshopDownloader3 v0.1.exe	frame.exe
PID 2280 wrote to memory of 800	2280	NetherWorkshopDownloader3 v0.1.exe	frame.exe
PID 2280 wrote to memory of 800	2280	NetherWorkshopDownloader3 v0.1.exe	frame.exe

C:\Users\Admin\AppData\Local\Temp\NetherWorkshopDownloader3 v0.1.exe
"C:\Users\Admin\AppData\Local\Temp\NetherWorkshopDownloader3 v0.1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Local\Temp\onefile_2280_133329572174282000\frame.exe
"C:\Users\Admin\AppData\Local\Temp\NetherWorkshopDownloader3 v0.1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:800

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2280_133329572174282000\frame.exe
Filesize
64.8MB

MD5
01931ae865c1cc3985d104258f254e7e

SHA1
c12e11d3a215beaa6f3ca1f3c3acd8fef5255037

SHA256
8d3fe2af364860e18e3d6f727b9a388a464624aae9117905bed4b12bfdf4e57d

SHA512
dde40aa93273e58187f33c3160d84a2d9b017e77cf8e88e462bc30744f1e1b38ec84f7aa7aa73fd380bb2550c1cfb228fcab1139783f37adf3f785cd73cd2903

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2280_133329572174282000\python311.dll
Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2280_133329572174282000\frame.exe
Filesize
64.8MB

MD5
01931ae865c1cc3985d104258f254e7e

SHA1
c12e11d3a215beaa6f3ca1f3c3acd8fef5255037

SHA256
8d3fe2af364860e18e3d6f727b9a388a464624aae9117905bed4b12bfdf4e57d

SHA512
dde40aa93273e58187f33c3160d84a2d9b017e77cf8e88e462bc30744f1e1b38ec84f7aa7aa73fd380bb2550c1cfb228fcab1139783f37adf3f785cd73cd2903

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2280_133329572174282000\python311.dll
Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
memory/800-1089-0x000000013F430000-0x0000000143601000-memory.dmp

Filesize
65.8MB

Download
memory/2280-1090-0x000000013F450000-0x00000001419AA000-memory.dmp

Filesize
37.4MB

Download
memory/2280-2121-0x000000013F450000-0x00000001419AA000-memory.dmp

Filesize
37.4MB

Download