7c71c471a91d678d1ee60d1f2f8058ce2588fba81c3836c952bbcc1e861ee7d6

Analysis

max time kernel
20s
max time network
19s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Desktop.exe
Size

16.3MB
MD5

d0f8a153efa37f3809298a35af4e554b
SHA1

03048b1501eaee47dd7e705f99bebf9b3061f04d
SHA256

7c71c471a91d678d1ee60d1f2f8058ce2588fba81c3836c952bbcc1e861ee7d6
SHA512

31a136bd17426e9e61b54a6098b667e6f551182ef3e910f74499c37428301fb7d524e0ed8cc35a450d5889c7818f0dbb002498e193c8063e4c441618520bbca1
SSDEEP

393216:k1lgAxOYy75enI9f03JPPsMsNA/fI2cdxxxOAWO+B8Di:glgy+En0f053QAokTOm

Score

7^/10

pyinstaller upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2416	pic.exe
2868	pic.exe

Loads dropped DLL 5 IoCs

pid	Process
2444	Desktop.exe
2416	pic.exe
2868	pic.exe
1380	Process not Found
1380	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a453-111.dat	upx
behavioral1/memory/2868-113-0x000007FEF5C10000-0x000007FEF62E0000-memory.dmp	upx

Detects Pyinstaller 8 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000e0000000122c0-8.dat	pyinstaller
behavioral1/files/0x000e0000000122c0-11.dat	pyinstaller
behavioral1/files/0x000e0000000122c0-10.dat	pyinstaller
behavioral1/files/0x000e0000000122c0-12.dat	pyinstaller
behavioral1/files/0x000e0000000122c0-110.dat	pyinstaller
behavioral1/files/0x000e0000000122c0-109.dat	pyinstaller
behavioral1/files/0x000e0000000122c0-115.dat	pyinstaller
behavioral1/files/0x000e0000000122c0-114.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2660	DllHost.exe
2660	DllHost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2416	2444	Desktop.exe	31
PID 2444 wrote to memory of 2416	2444	Desktop.exe	31
PID 2444 wrote to memory of 2416	2444	Desktop.exe	31
PID 2444 wrote to memory of 2416	2444	Desktop.exe	31
PID 2416 wrote to memory of 2868	2416	pic.exe	32
PID 2416 wrote to memory of 2868	2416	pic.exe	32
PID 2416 wrote to memory of 2868	2416	pic.exe	32

C:\Users\Admin\AppData\Local\Temp\Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\Desktop.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\pic.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\pic.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\pic.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\pic.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2868

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:816

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pic.exe

Filesize
3.1MB

MD5
7d1fec2d382aef90c310fc7ceea9ca71

SHA1
75ae0dd822832bd39d13c9e4fa0f9e9ded9d1e16

SHA256
5751de39375a6b2bbfda219a16b717d41682f8711f2a083babac1527e361bbf4

SHA512
e99209e8e12f061be088e22f87d4cd3dccbe6fb8ee640639f8c0bdaed9d33c2898504304b5dbab638aa629a08553a56debfc557ecfbdd806fcaa31811e55e159

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pic.exe

Filesize
1.9MB

MD5
6b6f7f9a73ceda19dce90a406c33468d

SHA1
f2dd1c393c0ad5083d224cb70ef5b0511486e1b8

SHA256
bcd233cf4e25f763f8c7b012cf9357d24e50bb7a5139de93d7ba875d10e24008

SHA512
752e917bcdbd6847e5f1db9f58c4a3e9abb648c5dd8e2d97c54a525f7e9afe20b844c2acf73fbbd0ca07a9dfac3998ef091c576b754167984dc7a671e3cadf94

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pic.exe

Filesize
4.8MB

MD5
2149a5632d0df456eda5dbdb6d3b04d8

SHA1
feb95b671d2a5d16c4fa29e60aba0b15ae4c0a80

SHA256
d3a822537635d1ca95d24ed9b5b666313f064f85bb09bf9603bb7cd9f74c901f

SHA512
4c5b74e98c427f4d2a1d46d017c526368ec417087c154fdb8721a5d7cd508fb0bff46cf6b10572f86e7a682cfad771519b375f7f8983f25a62fd54bf84ba0b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pic.exe

Filesize
2.9MB

MD5
5a9dfd11aa2e635b052644a7afa3c07d

SHA1
8b14a02e9e2c6789c31fdb707f69dc5532c4ed55

SHA256
d523c36525754cb6451c9a987155f4fcc80cdeab8dddc2a5051d27ae555fc0a9

SHA512
4d5725a844efd62eb7c127ac8d3e3fdf4161f45aeb251dd087f20faeb073ece6edce261097545e318e92c4b712bd3cfc7c845e4cefa1b3dbe13b7c41c83619a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\th.ico

Filesize
239KB

MD5
f9753a1ec5fd2350cdc949d7fc4e9a48

SHA1
54dae64b8c0cf51a1f0063b517d0f4f1507c25bf

SHA256
1c687f9abf9aa6bc6892b080efb028e6327e50dfc176feae873baf4cfff0fefc

SHA512
6cd64e1232775693d00a06dd10b6df06a202c30db8451e4b5c27d54252a9b5bfaec87478d10f6d141e4c27e2bb08db38afe46e1bf6f11f6e28ef5541cbf78260

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24162\python312.dll

Filesize
1.7MB

MD5
86d9b8b15b0340d6ec235e980c05c3be

SHA1
a03bdd45215a0381dcb3b22408dbc1f564661c73

SHA256
12dbbcd67015d6cdb680752184107b7deb84e906b0e8e860385f85d33858a5f6

SHA512
d360cc3f00d90fd04cbba09d879e2826968df0c1fdc44890c60b8450fe028c3e767450c3543c62d4f284fb7e004a9a33c52538c2279221ee6cbdb1a9485f88b2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\pic.exe

Filesize
6.1MB

MD5
9f33508a21920f0059c931ca0cafb801

SHA1
348e0981b5784fa654d0c9d09a28ed7bd52f4b27

SHA256
8a701300a20ff64c001425a6954f3d1d55c8a6c828c09754849d81552d006583

SHA512
f3d246ee2554923d06c9e32393dec29efd82a258b1c2d6506b3c64ed71909099410b6898a9f7c35a5caf8886404eaa9a35247cd8a0e3b6f9443874376f8777cb

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\pic.exe

Filesize
5.0MB

MD5
a339ff20cadcba0c4059dfabb70cb975

SHA1
3c11ce8832d732a9288bece9974f3ede119d1b6e

SHA256
5f58d82392f1fd60bb1a4a308e3785bc3904b7cbaabaf2358c437eb108cb3b18

SHA512
9f4224c29edff3d2272f4f837b46a82223c477c1c67622d03a2bdb0218a28824a23af714a6a0884c5ecdf8aeb3b2fa6aa0f8165635968a178b57b1dc2fffc808

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\pic.exe

Filesize
3.9MB

MD5
f1f590917eab64e9ba86f921b6ad2107

SHA1
169fb9a233666659f2c3d5539e36a5cd010a88e9

SHA256
5342083fb81bd9c4e48e8511b3d1bc80fdd8ef855927b639772335b7bc90bd7d

SHA512
2374af5688272dc901dfbdf2cf537b0693936e230291ebedfaf4e1c898c19ffbdc93b2e6239a42693bd2dcd7e2a7094c18088d8ad021682b4a7d0048cfe593bb

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\pic.exe

Filesize
34KB

MD5
2f544bc7b40e0184c73edf9b271fd6b6

SHA1
e93e68c0417842a25d86cb9c162e380b263e379e

SHA256
ff68d6c78c1831c34f3fba009c81383f3f4268f6683e2e49dc98b2adc47ab5b4

SHA512
7946830ccea460bc4a4d61aeb0e497a7c9e987a715c2ff8ded347a1851aba0232b8d35651957c240bb9b20fffee821dd8161c7b292a275ff3c0bd3a6917d0851

Download Submit
memory/2444-4-0x0000000000D50000-0x0000000000D52000-memory.dmp

Filesize
8KB

Download
memory/2660-6-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2660-5-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2868-113-0x000007FEF5C10000-0x000007FEF62E0000-memory.dmp

Filesize
6.8MB

Download