8e871e599503382b87d5046eadf266aca81eba11e32dc99f2eb23ed5367135ca

Analysis

max time kernel
46s
max time network
56s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
24/11/2023, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SUPERCALCULATOR.exe
Size

7.8MB
MD5

fe0163ed6a3417cb6e6628bcc6b119e9
SHA1

7cc27cf944b0d957d1afd597164d847571baccca
SHA256

8e871e599503382b87d5046eadf266aca81eba11e32dc99f2eb23ed5367135ca
SHA512

d0c8b7cfa041dc362c0d70a6663ac5d3249254b4f3a5650b2f3a85ee803e34be1ee7b77310d9dc9aa1c79c50dfdba54eca6e39b314682894315d91ddc57e0592
SSDEEP

196608:JqGB7cp+Cb63VdQIp2+wSJxgQrOzfEquwjZUj73DuUu2xztM5E:EK8gFdQIwhExgYwfEqNjKj7zuUuIzyG

Score

7^/10

discovery pyinstaller

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
584	calc.exe
2900	calc.exe
4812	systemData.exe

Loads dropped DLL 6 IoCs

pid	Process
2900	calc.exe
2900	calc.exe
2900	calc.exe
2900	calc.exe
2900	calc.exe
2900	calc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4812	systemData.exe
4812	systemData.exe
4812	systemData.exe
4812	systemData.exe
4812	systemData.exe

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000800000001abe0-8.dat	pyinstaller
behavioral1/files/0x000800000001abe0-9.dat	pyinstaller
behavioral1/files/0x000800000001abe0-30.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4812	systemData.exe
4812	systemData.exe
4812	systemData.exe
4812	systemData.exe
4812	systemData.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	systemData.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4812	systemData.exe
4812	systemData.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 584	4832	SUPERCALCULATOR.exe	71
PID 4832 wrote to memory of 584	4832	SUPERCALCULATOR.exe	71
PID 584 wrote to memory of 2900	584	calc.exe	74
PID 584 wrote to memory of 2900	584	calc.exe	74
PID 4832 wrote to memory of 4812	4832	SUPERCALCULATOR.exe	75
PID 4832 wrote to memory of 4812	4832	SUPERCALCULATOR.exe	75
PID 4832 wrote to memory of 4812	4832	SUPERCALCULATOR.exe	75

C:\Users\Admin\AppData\Local\Temp\SUPERCALCULATOR.exe
"C:\Users\Admin\AppData\Local\Temp\SUPERCALCULATOR.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\calc.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\calc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\calc.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\calc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2900
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemData.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemData.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\calc.exe

Filesize
6.6MB

MD5
3da409efdc5d9657b4ae650a551bd102

SHA1
53c052af5f1e6260f57c67963b43419d24d789df

SHA256
271afb351a86fb3758a4b0496140b9dc795673ce0f3b1975c73a0e8803af1f96

SHA512
667f4b40191a981c69d0351ca89dfc3c92128140e407ddccfc3f112dc40d7833a53c963166e21172c0f0fc0c31622dd10e0f72ef5d54389df6e498ada732eb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\calc.exe

Filesize
6.6MB

MD5
3da409efdc5d9657b4ae650a551bd102

SHA1
53c052af5f1e6260f57c67963b43419d24d789df

SHA256
271afb351a86fb3758a4b0496140b9dc795673ce0f3b1975c73a0e8803af1f96

SHA512
667f4b40191a981c69d0351ca89dfc3c92128140e407ddccfc3f112dc40d7833a53c963166e21172c0f0fc0c31622dd10e0f72ef5d54389df6e498ada732eb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\calc.exe

Filesize
6.6MB

MD5
3da409efdc5d9657b4ae650a551bd102

SHA1
53c052af5f1e6260f57c67963b43419d24d789df

SHA256
271afb351a86fb3758a4b0496140b9dc795673ce0f3b1975c73a0e8803af1f96

SHA512
667f4b40191a981c69d0351ca89dfc3c92128140e407ddccfc3f112dc40d7833a53c963166e21172c0f0fc0c31622dd10e0f72ef5d54389df6e498ada732eb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemData.exe

Filesize
1.1MB

MD5
e164ef8fb6c00cb6e2620d38552d0de2

SHA1
84627945d0027a9e9be3ddbbf52f29470d25fe07

SHA256
c5c92d10cc4caaf10873a82380cd105a4ff428fbda6308cb4d2b8855d902e302

SHA512
d39408e573840e243fc41d21856e1bd14d46843843cae482138f1416c66f195aaac7d8fada92b645b05136bda05ba68c64952c86ced94028807e8f5e5df442f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemData.exe

Filesize
1.1MB

MD5
e164ef8fb6c00cb6e2620d38552d0de2

SHA1
84627945d0027a9e9be3ddbbf52f29470d25fe07

SHA256
c5c92d10cc4caaf10873a82380cd105a4ff428fbda6308cb4d2b8855d902e302

SHA512
d39408e573840e243fc41d21856e1bd14d46843843cae482138f1416c66f195aaac7d8fada92b645b05136bda05ba68c64952c86ced94028807e8f5e5df442f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5842\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5842\_ctypes.pyd

Filesize
123KB

MD5
7ab242d7c026dad5e5837b4579bd4eda

SHA1
b3ff01b8b3da2b3a9c37bfffafc4fb9ee957cc0f

SHA256
1548506345d220d68e9089b9a68b42a9d796141eb6236e600283951cb206eaa1

SHA512
1dd09cf14c87f60b42e5e56d0104154513902c9bfa23eef76a92f4a96c2356b2812dd6eee5e9a74d5ed078ade5f8f6d1f1b01961d7efadfebb543d71c2d31a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5842\_socket.pyd

Filesize
78KB

MD5
4b2f1faab9e55a65afa05f407c92cab4

SHA1
1e5091b09fc0305cf29ec2e715088e7f46ccbbd4

SHA256
241db349093604ab25405402ba8c4212016657c7e6a10edd3110abeb1cc2e1ba

SHA512
68070db39cd14841bcd49db1acf19806b0aa4b4ac4c56518b3a3baddaac1cd533f0b3ef70a378f53d65c0d6c0f745a6102b63303ea7978c79f688c787efe9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5842\base_library.zip

Filesize
781KB

MD5
086f710a1419bab91163e6d7dd0344d4

SHA1
d5245ddb5b0e8e2c080d19ad247bc9aa97b99cbb

SHA256
2373097d47ad262a1d1cb9dbb6867095f2c9f859d9bbcbd6203f8daf07abb12a

SHA512
04c1bdb4619bbd723c255e695c715d8c2180e403336a973964ccd0b61cc49306b39576b4ddc28f5c23351c67c064940cfbb63129142e58eb1b16061e0e00130f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5842\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5842\python39.dll

Filesize
4.3MB

MD5
7e9d14aa762a46bb5ebac14fbaeaa238

SHA1
a5d90a7df9b90bdd8a84d7dc5066e4ea64ceb3d9

SHA256
e456ef44b261f895a01efb52d26c7a0c7d7d465b647a7b5592708ebf693f12a3

SHA512
280f16348df1c0953bbc6f37ff277485351171d0545ebe469bacd106d907917f87584154aec0f193f37322bc93ac5433cd9a5b5c7f47367176e5a8b19bbd5023

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5842\select.pyd

Filesize
28KB

MD5
f8f5a047b98309d425fd06b3b41b16e4

SHA1
2a44819409199b47f11d5d022e6bb1d5d1e77aea

SHA256
5361da714a61f99136737630d50fa4e975d76f5de75e181af73c5a23a2b49012

SHA512
f0a96790fcdabf02b452f5c6b27604f5a10586b4bf759994e6d636cc55335026631fa302e209a53f5e454bea03b958b6d662e0be91fa64ce187a7dc5d35a9aa9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI5842\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI5842\_ctypes.pyd

Filesize
123KB

MD5
7ab242d7c026dad5e5837b4579bd4eda

SHA1
b3ff01b8b3da2b3a9c37bfffafc4fb9ee957cc0f

SHA256
1548506345d220d68e9089b9a68b42a9d796141eb6236e600283951cb206eaa1

SHA512
1dd09cf14c87f60b42e5e56d0104154513902c9bfa23eef76a92f4a96c2356b2812dd6eee5e9a74d5ed078ade5f8f6d1f1b01961d7efadfebb543d71c2d31a30

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI5842\_socket.pyd

Filesize
78KB

MD5
4b2f1faab9e55a65afa05f407c92cab4

SHA1
1e5091b09fc0305cf29ec2e715088e7f46ccbbd4

SHA256
241db349093604ab25405402ba8c4212016657c7e6a10edd3110abeb1cc2e1ba

SHA512
68070db39cd14841bcd49db1acf19806b0aa4b4ac4c56518b3a3baddaac1cd533f0b3ef70a378f53d65c0d6c0f745a6102b63303ea7978c79f688c787efe9cc3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI5842\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI5842\python39.dll

Filesize
4.3MB

MD5
7e9d14aa762a46bb5ebac14fbaeaa238

SHA1
a5d90a7df9b90bdd8a84d7dc5066e4ea64ceb3d9

SHA256
e456ef44b261f895a01efb52d26c7a0c7d7d465b647a7b5592708ebf693f12a3

SHA512
280f16348df1c0953bbc6f37ff277485351171d0545ebe469bacd106d907917f87584154aec0f193f37322bc93ac5433cd9a5b5c7f47367176e5a8b19bbd5023

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI5842\select.pyd

Filesize
28KB

MD5
f8f5a047b98309d425fd06b3b41b16e4

SHA1
2a44819409199b47f11d5d022e6bb1d5d1e77aea

SHA256
5361da714a61f99136737630d50fa4e975d76f5de75e181af73c5a23a2b49012

SHA512
f0a96790fcdabf02b452f5c6b27604f5a10586b4bf759994e6d636cc55335026631fa302e209a53f5e454bea03b958b6d662e0be91fa64ce187a7dc5d35a9aa9

Download Submit
memory/4812-50-0x0000000071F30000-0x000000007261E000-memory.dmp

Filesize
6.9MB

Download
memory/4812-56-0x00000000070B0000-0x00000000070BA000-memory.dmp

Filesize
40KB

Download
memory/4812-49-0x0000000000B60000-0x0000000000EDE000-memory.dmp

Filesize
3.5MB

Download
memory/4812-51-0x00000000064E0000-0x00000000069DE000-memory.dmp

Filesize
5.0MB

Download
memory/4812-53-0x0000000005FD0000-0x0000000005FE0000-memory.dmp

Filesize
64KB

Download
memory/4812-54-0x000000007745F000-0x0000000077460000-memory.dmp

Filesize
4KB

Download
memory/4812-55-0x00000000062E0000-0x0000000006372000-memory.dmp

Filesize
584KB

Download
memory/4812-48-0x0000000000B60000-0x0000000000EDE000-memory.dmp

Filesize
3.5MB

Download
memory/4812-59-0x00000000074A0000-0x000000000753C000-memory.dmp

Filesize
624KB

Download
memory/4812-60-0x00000000076C0000-0x0000000007726000-memory.dmp

Filesize
408KB

Download
memory/4812-62-0x0000000005FD0000-0x0000000005FE0000-memory.dmp

Filesize
64KB

Download
memory/4812-65-0x0000000000B60000-0x0000000000EDE000-memory.dmp

Filesize
3.5MB

Download
memory/4812-66-0x0000000071F30000-0x000000007261E000-memory.dmp

Filesize
6.9MB

Download
memory/4812-67-0x0000000005FD0000-0x0000000005FE0000-memory.dmp

Filesize
64KB

Download
memory/4812-69-0x0000000005FD0000-0x0000000005FE0000-memory.dmp

Filesize
64KB

Download