fc9a120e7b08b083411b642d03dd7d42ab110043f7147257529f86eae7bc9ccb

Analysis

max time kernel
2s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e908dc360b0a331fc24a00debdc1db3.exe
Size

37.0MB
MD5

0e908dc360b0a331fc24a00debdc1db3
SHA1

99560ecd633be67b590c559e219ded4665efbcd1
SHA256

fc9a120e7b08b083411b642d03dd7d42ab110043f7147257529f86eae7bc9ccb
SHA512

f174ecdbc01012236c408d55a36e6dc772403ae028d7efe9a68830388a045a8c1cde297e044bd91c3ad3db47764f9e712d0e4e683383776777e4f85328b86876
SSDEEP

786432:OyqQbH1tOc8qyBElPGOuK3JrCE16uclhGdTw0615nIWL+9Oe3vh2b:aaHzyBE7rCwhclog5nIWe3vh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3048	maple.exe

Loads dropped DLL 28 IoCs

pid	Process
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe
3048	maple.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 3048	740	0e908dc360b0a331fc24a00debdc1db3.exe	48
PID 740 wrote to memory of 3048	740	0e908dc360b0a331fc24a00debdc1db3.exe	48
PID 3048 wrote to memory of 956	3048	maple.exe	58
PID 3048 wrote to memory of 956	3048	maple.exe	58
PID 3048 wrote to memory of 3768	3048	maple.exe	57
PID 3048 wrote to memory of 3768	3048	maple.exe	57

C:\Users\Admin\AppData\Local\Temp\0e908dc360b0a331fc24a00debdc1db3.exe
"C:\Users\Admin\AppData\Local\Temp\0e908dc360b0a331fc24a00debdc1db3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Local\Temp\onefile_740_133478533188245496\maple.exe
  "C:\Users\Admin\AppData\Local\Temp\0e908dc360b0a331fc24a00debdc1db3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
92KB

MD5
d9e62b5343baff0f57b890bc27c15e0c

SHA1
00f70a46346e89113244baac027f5803332fe2c6

SHA256
db39187102efe100015cb59dc74864e98dc9842c4c24502f7eb6dc59f1a52c9a

SHA512
7821e2ef68d56816f8dde666c3185077ad5bfe1ee7bdd292c13b7076021b8bbcec3dcf492f36b08da31a6e7881e7d63b1a32c015b3b314f398011ec8cd0386d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

Filesize
50KB

MD5
7f0f67ca0fb9d4e072250baa10bbd1a7

SHA1
a27d7ba30842a7138e96448aeb975923a8d7ed25

SHA256
c6f9d040291bbc6c2dd4cd061c36a96869eed99eb644f6d7479eee2909d7b452

SHA512
b5ab1939c775f8fa5fe28ca9a7f069ed7c99733ae0d3999e0a70281338d4fb1e92bc4fdb14c579089e8c2a46511c36f9974657ffa417cef3c1d6669eb2631806

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
46KB

MD5
c94e5bbcfd2b2c17071841cfc19500c2

SHA1
99da1ed65de96ad4b61131156a0253f768f9f4d4

SHA256
8ceb4459ce530b50919bed62fb521413ac422d457ee67c08a719af022b76b27d

SHA512
7d8889e012ba133ad010016dac5fcfcef775bf6d9a3a58aa50f4addaaeba3d76c3b16ab384a1d2be93e15f51b39ac68c4c993c7cb4b0a557f03326a78dc282da

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

Filesize
57KB

MD5
1ebbb65d4b697ae35b5d73a068ea75bf

SHA1
74f57dfa7bf1fd77b3521d1813c2ac8e0d9d0441

SHA256
4d9a424b6c7bad7d293c4e5129299c3e5cb5a1b1234a85881172661c3811cdb8

SHA512
30304141b388743aefc1e38dc8031d91c097853bcc41a90aba746338a0a50d701a285bc2d6cf39368b9baa4a708a69dcb8a5998549a2ad6df1a94acef6538cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-8.dll

Filesize
32KB

MD5
04135eaaae5acb438e5d2f6cb0b6e6db

SHA1
a3d4ae0a9e7f28dd500907bb34f76b4595354a3e

SHA256
c5d90c57f571d13dc34b47093c55b7125665f0f61ac4ec1d0b2954daf23d423a

SHA512
6ca5f092419d1f0ccfb8c4e6360ba060f04dad688d30409d1140b06156831c8c26d7c0117833aebf851433124ed50f0cf42e484d92595aac0f3f5ddc5fc70e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
1KB

MD5
0e4561405f4990b0e02664c964229ead

SHA1
3bda892aa6fa9b0d13194756590d9029696b08ad

SHA256
d8dbee44a660c7fae04638b75c100eaa0f7b472be32288c1ecf9fb959c1960d2

SHA512
6f65ced8c2409996d2f70a446bca8cb092aef629f4d7c05af540a128a1866e56148fc00ee0231f2748f02b53522843d2ecef7ab99538c2f7febfa5626ed453f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133478533188245496\VCRUNTIME140.dll

Filesize
76KB

MD5
1b7815502da04d5e28256b0fac18712e

SHA1
6839691fab8f1475c41d47474439427776ae0597

SHA256
8db1c6909b64a304dc9982b596a2289b7481d2355f0e4f90277b73e493f927e4

SHA512
32e15b67163c52118ff7f7c3a536dacc146986b398301fa1a9e7e68354e98984c31e7ebb8f90c8cff801e208f587f43342f6f65eaf58ea8ab6f322fbcc9c0d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133478533188245496\_ctypes.pyd

Filesize
62KB

MD5
44080f2d342cd8426c22670e9b7cf1b0

SHA1
d6a010c565a32e1fce651adf643fcdf7bdb7e82a

SHA256
1ec89a5ccf7f1d6b5be0551af76ade758a04b6c59575d7f3e618f54f30803103

SHA512
9e558cb6a5b5f8f0bf277768cfcf647e0cf1ca7747447ee0614d39fc45121b7f5aa2344ef62e548d3526472b90f34889f9b5f4c6a92d4596cd0520be829abeb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133478533188245496\_socket.pyd

Filesize
13KB

MD5
da293ef29b1db635c9aa957a088e9c9b

SHA1
d90a3de6f3f5a618e776f4ea7417c3c04a23a2a0

SHA256
9b56aaef30ad1647f3b68e56251b2015402ecfb8b415a78f7420ef27b4640417

SHA512
08479f40e745e66847f707cdd2141d658eb1b35544ffac997d26ed429d7ab096c77e2c7f100ac6872a20d265e9b9e25b887ba7351b3f27ef117050e3d0d2138d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133478533188245496\libcrypto-1_1.dll

Filesize
35KB

MD5
45c1c7ecbd6d35b80f3244f0ae7033fe

SHA1
c76e213d90a93e0d21e0b1a3b6dfdc5e09f778a0

SHA256
1b1ea3b910d76449555fb80b6368557acce3f261349dc1ea039735684b2b5cae

SHA512
9473007e300f6eba4d97d1f923a7a63d29880ca1402f88488afa38a48bd60fc350410e76edd88d241da4d49c2f0e0142207f8e5ac2544d3c7ad1436003445726

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133478533188245496\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133478533188245496\maple.exe

Filesize
92KB

MD5
d18d2f8db245ad3a3fa305722ddf10b9

SHA1
a4f6423b83e1e54ed4ab6623d11ff0be7ef5f65b

SHA256
fc9b09868034a0141fc9bdbc01c1b5edf4eab084dfc2da47b256e869f0c34da2

SHA512
7537c94356bdffa484bbda302ab0b9d75b22a2d2f816243d8ad2867a0e10f5fdf95cb3f5fe255556f1bc95b900e3283182d6a8b683d501570b1d01bedf172dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133478533188245496\maple.exe

Filesize
32KB

MD5
aed3eee45b7f13566141a90c4eb69a7f

SHA1
d1d058a89c7b342d60b22db4ab56ab107c54f359

SHA256
328379685975aa32755477e38c5dc674fd8e537e3529c4b974148766fbe6205e

SHA512
81ee7ab95e30876e21adc40d0814895dc4fdc493d82b83a772d859672349f28432bc14a4dbbcef6c282e705a889b82f97354f80ca97b75896d7f4bcfe9b544d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133478533188245496\python311.dll

Filesize
32KB

MD5
521e9db1f597477c7fef316dcc5b2a05

SHA1
aa3116e010f86e21dd13aae3f3665d30f7ebb8c0

SHA256
cd5828c5e0508e881b0d29f721e78e9d620ca321a87fadce1576a44c6e1d55cb

SHA512
71a5f896c5230a714f954dcec07ffc54059a6a6248fcf8dc32f8d0ae948cdc1453a0655d62a4f6e0390b129cdd3dcd3eaca1c47b7132db587505ba035af6b3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133478533188245496\python311.dll

Filesize
147KB

MD5
04d66842fae6a2409b61add545ef9627

SHA1
022c1102bd1fcf0100bc28dfb2e71d1779c218e0

SHA256
512bc7c852313bfc2b160d4c7c49cd95642201ed5ab86b0abe24a03a227c03e4

SHA512
b86b1ea31b4c23b98b48afa67bc755ba5ecf5f1943b5c5193867fefcf61a860d5cf51ff6e85f11372585c143b098b85cd9423cdc9aff5a49fe00b4002ddf652c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133478533188245496\tls_client\dependencies\tls-client-64.dll

Filesize
71KB

MD5
8ff9c1eacc42fdc5d7fcfc5482efc79c

SHA1
a2f2a6dcce2e8ce723cabc81c0224764b6e7d16f

SHA256
7acb0b4933f0f72193f6adfe1a8dff9a0fdc0b6f31bda6fa59b16ddc2f3f1116

SHA512
ef83762b11f2dc4afbacab2d31843331f7a0d7cf0ac426629e83788c540531ce727271952a212f3786f18ce6cca8ef8aeb41227ef6ca466249fd561ceb4bc39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133478533188245496\vcruntime140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
memory/3048-141-0x00007FFBDE910000-0x00007FFBDF7B7000-memory.dmp

Filesize
14.7MB

Download