ae91b21039878b0292c48fbb5aa6c829a1d00b0d4e826ea0cd5bc79c16a79644

Analysis

max time kernel
201s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2024 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Desktop.rar
Size

6.0MB
MD5

665243f335118403e7cfdc4c99fd42e1
SHA1

4b0dd49ec90f04f6626ac9e0b520b9a1acf648db
SHA256

ae91b21039878b0292c48fbb5aa6c829a1d00b0d4e826ea0cd5bc79c16a79644
SHA512

7b725e486c1e954b14f75619b8ed7f100a33e48ee69f9404f40cb984b42b1fc2e5147dcd75f1c491a1d0a2bbc7760eb4a497942dd60ea4e3b2394959a8a7f522
SSDEEP

98304:kU8P0iWYYcUztj56lTfSEbb/+skWHTEWy4mfg/UV42QtrWquJUwk51:kU1csl6lRkWzA4eg/Uq2Dqu5k51

Score

7^/10

pyinstaller

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
1116	287f733bde8588e4.exe
4776	287f733bde8588e4.exe
4164	287f733bde8588e4.exe
2872	287f733bde8588e4.exe

Loads dropped DLL 4 IoCs

pid	Process
4776	287f733bde8588e4.exe
4776	287f733bde8588e4.exe
2872	287f733bde8588e4.exe
2872	287f733bde8588e4.exe

Detects Pyinstaller 5 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0006000000023220-8.dat	pyinstaller
behavioral2/files/0x0006000000023220-11.dat	pyinstaller
behavioral2/files/0x0006000000023220-12.dat	pyinstaller
behavioral2/files/0x0007000000023228-45.dat	pyinstaller
behavioral2/files/0x0007000000023228-46.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	7zFM.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3912	7zFM.exe
3912	7zFM.exe
3912	7zFM.exe
3912	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3912	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	3912	7zFM.exe
Token: 35	3912	7zFM.exe
Token: SeSecurityPrivilege	3912	7zFM.exe
Token: SeSecurityPrivilege	3912	7zFM.exe
Token: SeSecurityPrivilege	3912	7zFM.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3912	7zFM.exe
3912	7zFM.exe
3912	7zFM.exe
3912	7zFM.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 3912	1272	cmd.exe	89
PID 1272 wrote to memory of 3912	1272	cmd.exe	89
PID 3912 wrote to memory of 2172	3912	7zFM.exe	100
PID 3912 wrote to memory of 2172	3912	7zFM.exe	100
PID 3912 wrote to memory of 1116	3912	7zFM.exe	104
PID 3912 wrote to memory of 1116	3912	7zFM.exe	104
PID 1116 wrote to memory of 4776	1116	287f733bde8588e4.exe	106
PID 1116 wrote to memory of 4776	1116	287f733bde8588e4.exe	106
PID 3912 wrote to memory of 4164	3912	7zFM.exe	112
PID 3912 wrote to memory of 4164	3912	7zFM.exe	112
PID 4164 wrote to memory of 2872	4164	287f733bde8588e4.exe	114
PID 4164 wrote to memory of 2872	4164	287f733bde8588e4.exe	114

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Desktop.rar
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Desktop.rar"
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO84F2F7D7\Новый текстовый документ (2).txt
    3⤵
    PID:2172
- - C:\Users\Admin\AppData\Local\Temp\7zO84FA1A38\287f733bde8588e4.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO84FA1A38\287f733bde8588e4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\7zO84FA1A38\287f733bde8588e4.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO84FA1A38\287f733bde8588e4.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4776
- - C:\Users\Admin\AppData\Local\Temp\7zO84F8CFD9\287f733bde8588e4.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO84F8CFD9\287f733bde8588e4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\7zO84F8CFD9\287f733bde8588e4.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO84F8CFD9\287f733bde8588e4.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO84F2F7D7\Новый текстовый документ (2).txt

Filesize
40B

MD5
ae94a1769e59cad86553831ca811e4eb

SHA1
4ab2f04c7df2f4e4a531cda8346080485d144cfc

SHA256
8c9de32be13b159291638cc91edb6e7f9a2650f49b59d439171654568370ef03

SHA512
d58919b7fb847b71092a27994f65eb6f4e79a94c1fe1be04ece4671de2d5aa92c495fe0934e6f2265b1d4bd0931ef6bac195012fa0df5b7fb9d16e3e7c611348

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO84F8CFD9\287f733bde8588e4.exe

Filesize
4.8MB

MD5
be75e7435bc93b9bf230b023e4d34c9d

SHA1
574f1018c5557c033219d7febc4525812733567d

SHA256
dbfd398db56471ced3480ca708f51d55cf49057a684bf2d41c90f999738d6200

SHA512
c9922eb3f36fb1d20ed0648012af89258eb579bb58c22d99ffdfd329749d6b5f1d227a2eb2c5a29e3fd672fca1b767b8c5868d5b0e0767e39012626816401f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO84F8CFD9\287f733bde8588e4.exe

Filesize
3.9MB

MD5
922bd46c44b4434d70009bea89c6f4aa

SHA1
fbd014aa7d6b4a345dc2d8a736319be4ff4e215e

SHA256
9ef8fc21e382c93d87e8c5bcf4b61e4bff23732fac24f00c91db679268ec84bd

SHA512
e2f703deb8e288c9e56c6c290aea8f74cdf8c098de250ad31d9234c7664e343b37a93f03765954fd59d7da3bbeded582bb6c9fab55b8b60158b13777124b485f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO84FA1A38\287f733bde8588e4.exe

Filesize
4.9MB

MD5
9f72c25a15ec041cf4542b8c40ebcd56

SHA1
fac9355ee79cd525fdb0d32470172fa18d43961e

SHA256
eb438d54063a8337560f31da5415023d37274c0d256753797f5991f308b8770a

SHA512
7a134c4476ae476ef9aa9dbe88be37eef7222cad365265955197fab8b926e782f3328d7b870fb0bc4a6f98b782b6cb8dfae06a50b422dd532b2d7dcba0b44182

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO84FA1A38\287f733bde8588e4.exe

Filesize
6.1MB

MD5
6f34b08519ca22bf64cd762e60214ca2

SHA1
cffec009dd6c17c3f05cf93b3fcb861beed6a64f

SHA256
9f48e3dd8ed280cd901205aaa3236f25a99952550d245a838685b024af8b8fd8

SHA512
4d43f0e3d91a0eafe0eac370a20947ddaccfc0a696082523d10f2eb4ce158acfdc2f65909c0ca1507067544535934a4bc43f06aad70a3da9d15747b4e6925e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO84FA1A38\287f733bde8588e4.exe

Filesize
3.5MB

MD5
e706ed641a59a4544db0cc1d0182e767

SHA1
1de1ecc7a5edd4d333113cabaf4b8e62c58981b7

SHA256
5d21fe110306d188ee5380d0571800ee85c8683119120be9e487a48ba6c4afd6

SHA512
58a85ea9a01fb6ab40d077b4b4ec7bc0c837286670785a03dd22f6c685684cbd22789d57824829bb48888ecebc413260f93d2c8c596892b2678d353649b80045

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_bz2.pyd

Filesize
81KB

MD5
4101128e19134a4733028cfaafc2f3bb

SHA1
66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

SHA256
5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

SHA512
4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_decimal.pyd

Filesize
245KB

MD5
d47e6acf09ead5774d5b471ab3ab96ff

SHA1
64ce9b5d5f07395935df95d4a0f06760319224a2

SHA256
d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e

SHA512
52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_hashlib.pyd

Filesize
62KB

MD5
de4d104ea13b70c093b07219d2eff6cb

SHA1
83daf591c049f977879e5114c5fea9bbbfa0ad7b

SHA256
39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e

SHA512
567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_lzma.pyd

Filesize
154KB

MD5
337b0e65a856568778e25660f77bc80a

SHA1
4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

SHA256
613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

SHA512
19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\_socket.pyd

Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\libcrypto-1_1.dll

Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\select.pyd

Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11162\unicodedata.pyd

Filesize
1.1MB

MD5
bc58eb17a9c2e48e97a12174818d969d

SHA1
11949ebc05d24ab39d86193b6b6fcff3e4733cfd

SHA256
ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa

SHA512
4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\python311.dll

Filesize
5.4MB

MD5
19d093eda05c8e18fe5adf41449b6b13

SHA1
f5d86d7cc5d2364f5b3b1c691417a2249756ecd5

SHA256
29ca91beae679d234f6c68785ccc88d52502bdc14a7ba0c1d565fae6c4934a89

SHA512
fff544329662a39385fb2de5c2e6c00c23346ea294a89bed8ab395884fce51397ab419f384b4a55869462cfe558467b59a2c1b55d1fe7c9ab4c4042c5dcdc08f

Download Submit