2a332f209daa3b58df34483be1ac792f75f08d166e6c6f2f702538d17b5ef56b

Resubmissions

07/01/2024, 17:46

240107-wcqwpsbedq 10

07/01/2024, 17:45

240107-wbsnxacdg6 10

Analysis

max time kernel
1s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Creal.exe
Size

13.2MB
MD5

709bfa6c20f38aa909f80c0eca2d624c
SHA1

48cef5ce3cdfbb9f3cddffb0647b2d80ced6ad13
SHA256

2a332f209daa3b58df34483be1ac792f75f08d166e6c6f2f702538d17b5ef56b
SHA512

5a53983304b62c6ab065cffce08e97231ea52f1ea51ca3eb4da06c884019f414a4781dd65d7205b02b6f45abb61c9c58f808ddde21d4fb5630625e445cc68da0
SSDEEP

393216:dXGDn5nwW+eGQRIMTozGxu8C0ibfz6e575A8K5aWCuVl:d2DnRwW+e5R5oztZ026e5JxVuVl

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 42 IoCs

pid	Process
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe
4760	Creal.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	api.ipify.org
53	api.ipify.org
61	api.ipify.org
10	api.ipify.org
12	api.ipify.org

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2056	tasklist.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 4760	3212	Creal.exe	25
PID 3212 wrote to memory of 4760	3212	Creal.exe	25
PID 4760 wrote to memory of 3660	4760	Creal.exe	33
PID 4760 wrote to memory of 3660	4760	Creal.exe	33
PID 3660 wrote to memory of 2056	3660	cmd.exe	34
PID 3660 wrote to memory of 2056	3660	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\Creal.exe
"C:\Users\Admin\AppData\Local\Temp\Creal.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Users\Admin\AppData\Local\Temp\Creal.exe
  "C:\Users\Admin\AppData\Local\Temp\Creal.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI32122\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32122\_bz2.pyd

Filesize
82KB

MD5
90f58f625a6655f80c35532a087a0319

SHA1
d4a7834201bd796dc786b0eb923f8ec5d60f719b

SHA256
bd8621fcc901fa1de3961d93184f61ea71068c436794af2a4449738ccf949946

SHA512
b5bb1ecc195700ad7bea5b025503edd3770b1f845f9beee4b067235c4e63496d6e0b19bdd2a42a1b6591d1131a2dc9f627b2ae8036e294300bb6983ecd644dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32122\_ctypes.pyd

Filesize
122KB

MD5
452305c8c5fda12f082834c3120db10a

SHA1
9bab7b3fd85b3c0f2bedc3c5adb68b2579daa6e7

SHA256
543ce9d6dc3693362271a2c6e7d7fc07ad75327e0b0322301dd29886467b0b0e

SHA512
3d52afdbc8da74262475abc8f81415a0c368be70dbf5b2bd87c9c29ca3d14c44770a5b8b2e7c082f3ece0fd2ba1f98348a04b106a48d479fa6bd062712be8f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32122\_lzma.pyd

Filesize
155KB

MD5
cf8de1137f36141afd9ff7c52a3264ee

SHA1
afde95a1d7a545d913387624ef48c60f23cf4a3f

SHA256
22d10e2d6ad3e3ed3c49eb79ab69a81aaa9d16aeca7f948da2fe80877f106c16

SHA512
821985ff5bc421bd16b2fa5f77f1f4bf8472d0d1564bc5768e4dbe866ec52865a98356bb3ef23a380058acd0a25cd5a40a1e0dae479f15863e48c4482c89a03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32122\_lzma.pyd

Filesize
92KB

MD5
78a85ba7eacb60a71c8953b97a1fd51b

SHA1
8a7553ca4d8a67c5cc751fabb85cbf17ace44977

SHA256
182e0b43180b444362de2d65f3a45134e2b64b1b662196ef7cf004d2bfb17eaf

SHA512
5a0005ac7a7b443d2cb9429bc3d2ec0db0a11c38b3112777db936bcad96298665208bdfdde7b5427bb68837d85c509ff8922e9e4cbbfd01460060e917cba65b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32122\base_library.zip

Filesize
1.3MB

MD5
c55ad50db3ba71c56c6fb55e7b116550

SHA1
6699e6d9c6625634641bcabe01ed2e34eb923ded

SHA256
e599cf77eb7d4e4789d50f59ffb858389f3494438517e537e759bdb3e51c2a6b

SHA512
402de5d1ddfea29b3fb2bfcb1766afeaa6ea4a37a9ca24e94ed4b1312172dd7795b23c78156091e6a81dfe1c76363c0aea35d0d372b268daaa79d7bef719eb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32122\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32122\python312.dll

Filesize
1.1MB

MD5
899414c16cf7c5033a3a83da9419c48a

SHA1
0916077d5ebbb01aadc5bdcba20dd6fb8787eb79

SHA256
95a53d7a442c3fb6ed2aadbd58e9fd5255083477e2f2c370e50b7698a7f1bdca

SHA512
a26be554d4c3e5acd166341892f2f7f26cd371cab64f55f149eb89d28eb061fbc1c2dca7cbf86f8f4e2eedd1afa9f54688110508fd76d224551e137245c1324a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32122\python312.dll

Filesize
887KB

MD5
533e260a2ea4a31114df57b53c9bb62b

SHA1
aedf06fe72d05eeb69bda942d969cbb67f7d4fc5

SHA256
18c5660db8defcff0e75ffa403d848c07130cd8b40a8bce80fa9d6f1f81aa5ab

SHA512
d2f894c338765861a39d329a60ed4ebcad6a70bfa52e08b2e340622576d6f27aaf1df628970502f2402ad4e68edcfa852378dda429f853bda776fa9856ed99b5

Download Submit