8d4f62cde112ebad1da13a63c1620437e8dd5bfb07572f16a900a0ce0a0f40f3

Analysis

max time kernel
1s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Creal.exe
Size

14.3MB
MD5

334b8b048cbba70b243d7b2a722019e9
SHA1

e4f6057edaaa4531c9c69b92858ebdd6bd8e75f2
SHA256

8d4f62cde112ebad1da13a63c1620437e8dd5bfb07572f16a900a0ce0a0f40f3
SHA512

f889cdc91074c14b3dd924ba9acbd1764a4df073256ec999d3f6d8501f00f1808d15fe1452f88274a243f6213ae713e0b43185e95fcd04e460ed290b2cb35391
SSDEEP

393216:sX7QJidQuslSq99oWOv+9fgVByXmHE2w:sLQwdQuSDorvSYVBAGEX

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 46 IoCs

pid	Process
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe
2148	Creal.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	api.ipify.org
30	api.ipify.org
54	api.ipify.org
63	api.ipify.org
13	api.ipify.org

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1148	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	tasklist.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 2148	4884	Creal.exe	29
PID 4884 wrote to memory of 2148	4884	Creal.exe	29
PID 2148 wrote to memory of 1516	2148	Creal.exe	34
PID 2148 wrote to memory of 1516	2148	Creal.exe	34
PID 2148 wrote to memory of 2312	2148	Creal.exe	105
PID 2148 wrote to memory of 2312	2148	Creal.exe	105
PID 2312 wrote to memory of 1148	2312	sihclient.exe	36
PID 2312 wrote to memory of 1148	2312	sihclient.exe	36

C:\Users\Admin\AppData\Local\Temp\Creal.exe
"C:\Users\Admin\AppData\Local\Temp\Creal.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Users\Admin\AppData\Local\Temp\Creal.exe
  "C:\Users\Admin\AppData\Local\Temp\Creal.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2312

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv TPgPO4xr50aO/h8rWwHcwA.0.2
1⤵
- Suspicious use of WriteProcessMemory
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI48842\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48842\_bz2.pyd

Filesize
81KB

MD5
bbe89cf70b64f38c67b7bf23c0ea8a48

SHA1
44577016e9c7b463a79b966b67c3ecc868957470

SHA256
775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723

SHA512
3ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48842\_ctypes.pyd

Filesize
119KB

MD5
ca4cef051737b0e4e56b7d597238df94

SHA1
583df3f7ecade0252fdff608eb969439956f5c4a

SHA256
e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b

SHA512
17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48842\_lzma.pyd

Filesize
153KB

MD5
0a94c9f3d7728cf96326db3ab3646d40

SHA1
8081df1dca4a8520604e134672c4be79eb202d14

SHA256
0a70e8546fa6038029f2a3764e721ceebea415818e5f0df6b90d6a40788c3b31

SHA512
6f047f3bdaead121018623f52a35f7e8b38c58d3a9cb672e8056a5274d02395188975de08cabae948e2cc2c1ca01c74ca7bc1b82e2c23d652e952f3745491087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48842\_lzma.pyd

Filesize
92KB

MD5
a1e9a164293a2fe04c22448984e8166d

SHA1
5724336a11d3291341f91567b22a358271ec0b07

SHA256
c3237c0659dd221a1093a2f5f71786d73f16dc6ecee340e986081b0003e0c4b7

SHA512
f0f4c45a62cca1626651ec1cb93b43ccebf2438374cca889bb93aaf7bf351f9d3d3f60b6c70e4d9d1064ecde75ca631738198903a6f1f9e4025c1bd055508918

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48842\base_library.zip

Filesize
859KB

MD5
22fee1506d933abb3335ffb4a1e1d230

SHA1
18331cba91f33fb6b11c6fdefa031706ae6d43a0

SHA256
03f6a37fc2e166e99ce0ad8916dfb8a70945e089f9fc09b88e60a1649441ab6e

SHA512
3f764337a3fd4f8271cba9602aef0663d6b7c37a021389395a00d39bd305d2b927a150c2627b1c629fdbd41c044af0f7bc9897f84c348c2bccc085df911eee02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48842\libcrypto-1_1.dll

Filesize
92KB

MD5
323131641ab47482ed238ae48fd5be2f

SHA1
aac08d55ba19887b6f0563595beacdac0923554f

SHA256
0a626e77404a42b26e1bf9464590ab3f9ffc968a872defd081f05c67d808ee5e

SHA512
abe28f8d242b53236a301a3c5ee2e4bbae55a3948bf8145b10e9a0232de801522aa6c7e113b7ec9312664137979b54442f26dadcd30468d1e61f148ea5d49d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48842\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48842\python310.dll

Filesize
1024KB

MD5
8e113f5c3d606883697173e91ac28b2c

SHA1
1b687e37797e48ea762eef3f68c0201f548e13ec

SHA256
bb240b352b4f7060f6fe99a004bb8e9954ffa85315dbda890008815f2e1e1d08

SHA512
a9cba13cc482dec056b4254b3dbfc8188a5cd7a445d0902e287e0f3b218312b4288435673bbe78fdbcf4e898734a31e008a9ce57a4176813d2333d80739ddd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48842\python310.dll

Filesize
2.3MB

MD5
0d839f00e6aeffb2c901f32465b9d551

SHA1
b2ac65d1b5116fe68a9605bb770237a2effac4e9

SHA256
e75022189bba228ec5dae612d45fefe44364b3984fa82a4dffae076334ce940f

SHA512
bbfd874ebe5f543b9cfe088ec4984a5f7e903af7d92e06ed750ddda6ef5bd536579b9838c741b508c2570f3a577d16b7b6077ac1493ab2bd654c6f9ce7275e43

Download Submit