0fb8ea1ca1ea8aab5ab5797c11e0d0a4bf12103a6acbf2014e1836b35788183f

Analysis

max time kernel
33s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mouseclicker.exe
Size

9.8MB
MD5

933af071c1afade46438939b27806ed4
SHA1

3d313c046d4e601e421c923148c7127d9b69ade8
SHA256

0fb8ea1ca1ea8aab5ab5797c11e0d0a4bf12103a6acbf2014e1836b35788183f
SHA512

d5bd8c63d4ee2fe1eae6f6c2695f652340d03634c3acded4d674e59f1401efa5e22b12e9228d838a932aa396b9f156166976581ce43fcd613e291e120a0288de
SSDEEP

196608:LUye3EbT9bwiIHa3Q7CezjQ7MKpa9BJB6ZX7LkqadqGLno/:Be0/y+e0npa9neXvkqaMGjo/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4772	main.exe

Loads dropped DLL 22 IoCs

pid	Process
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe
4772	main.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4772	main.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	main.exe
Token: SeIncreaseQuotaPrivilege	2376	WMIC.exe
Token: SeSecurityPrivilege	2376	WMIC.exe
Token: SeTakeOwnershipPrivilege	2376	WMIC.exe
Token: SeLoadDriverPrivilege	2376	WMIC.exe
Token: SeSystemProfilePrivilege	2376	WMIC.exe
Token: SeSystemtimePrivilege	2376	WMIC.exe
Token: SeProfSingleProcessPrivilege	2376	WMIC.exe
Token: SeIncBasePriorityPrivilege	2376	WMIC.exe
Token: SeCreatePagefilePrivilege	2376	WMIC.exe
Token: SeBackupPrivilege	2376	WMIC.exe
Token: SeRestorePrivilege	2376	WMIC.exe
Token: SeShutdownPrivilege	2376	WMIC.exe
Token: SeDebugPrivilege	2376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2376	WMIC.exe
Token: SeRemoteShutdownPrivilege	2376	WMIC.exe
Token: SeUndockPrivilege	2376	WMIC.exe
Token: SeManageVolumePrivilege	2376	WMIC.exe
Token: 33	2376	WMIC.exe
Token: 34	2376	WMIC.exe
Token: 35	2376	WMIC.exe
Token: 36	2376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2376	WMIC.exe
Token: SeSecurityPrivilege	2376	WMIC.exe
Token: SeTakeOwnershipPrivilege	2376	WMIC.exe
Token: SeLoadDriverPrivilege	2376	WMIC.exe
Token: SeSystemProfilePrivilege	2376	WMIC.exe
Token: SeSystemtimePrivilege	2376	WMIC.exe
Token: SeProfSingleProcessPrivilege	2376	WMIC.exe
Token: SeIncBasePriorityPrivilege	2376	WMIC.exe
Token: SeCreatePagefilePrivilege	2376	WMIC.exe
Token: SeBackupPrivilege	2376	WMIC.exe
Token: SeRestorePrivilege	2376	WMIC.exe
Token: SeShutdownPrivilege	2376	WMIC.exe
Token: SeDebugPrivilege	2376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2376	WMIC.exe
Token: SeRemoteShutdownPrivilege	2376	WMIC.exe
Token: SeUndockPrivilege	2376	WMIC.exe
Token: SeManageVolumePrivilege	2376	WMIC.exe
Token: 33	2376	WMIC.exe
Token: 34	2376	WMIC.exe
Token: 35	2376	WMIC.exe
Token: 36	2376	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4772	main.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 4772	4480	mouseclicker.exe	88
PID 4480 wrote to memory of 4772	4480	mouseclicker.exe	88
PID 4772 wrote to memory of 2260	4772	main.exe	92
PID 4772 wrote to memory of 2260	4772	main.exe	92
PID 2260 wrote to memory of 2376	2260	cmd.exe	93
PID 2260 wrote to memory of 2376	2260	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\mouseclicker.exe
"C:\Users\Admin\AppData\Local\Temp\mouseclicker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Users\Admin\AppData\Local\Temp\onefile_4480_133532724294261258\main.exe
  "C:\Users\Admin\AppData\Local\Temp\mouseclicker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic useraccount where name='%username%' get sid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic useraccount where name='Admin' get sid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
84KB

MD5
7f2bba8a38712d00907f6e37f0ce6028

SHA1
e22227fc0fd45afdcf6c5d31a1cebffee22dfc32

SHA256
cd04ebe932b2cb2fd7f01c25412bddd77b476fa47d0aff69a04a27d3bfe4b37b

SHA512
ca46ceaf1b6683e6d505edbe33b1d36f2940a72fc34f42fa4aa0928f918d836803113bf9a404657ec3a65bc4e40ed13117ad48457a048c82599db37f98b68af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
159KB

MD5
ad02ea81a127a401f4df84c082f3cce6

SHA1
9c6c851c52f331d17a33936c9aad8dcef2542709

SHA256
4213fbb6936ad3eac1e1ba28f10e15719176bc3a59ff01ddc6828dd7eee52132

SHA512
cdccd9e5fffc2a2836f7677985d63c0a8a90fc91f1d98a0f2355c11141e21ecd564bbbfba87e717ac80f784a68b6f43430476fbd72cec9820c691df6612ffd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
152KB

MD5
3baf56d4e63a800fcaf2cc98fc120709

SHA1
2a33341eda4b4549452b6db9b259f8ae6ec9c806

SHA256
d7610dd6be63aada4fe1895b64bbac961840257c6988e1f68bbf3d8e486b5a45

SHA512
e48899ed5581fe9f45c02219d62e0acbc92906af5b7a3b7d9be1bb28b41f5cfdb0d3496abc6d0c1a809bb80d2a49c5a456d34e4667995fb88ef8aca6958881dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\dearpygui\_dearpygui.pyd

Filesize
576KB

MD5
f8cad366651baeba5c719fd098569fab

SHA1
d743244cd4e1b0914cf84b6bc8c100330f65d98c

SHA256
da900e735f368c26f7a1cc00acdd23dc00f4f9c955bdc85b54b6e9034bed19e9

SHA512
4061dc075f68884ab760733825dfc7ccfbfc28412106f1ea5b52880c1564a364dcf81f40da6bb1cc58be8caa21b72d03d5ab827079d449762641647869a565e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

Filesize
1.7MB

MD5
97652f1f5df91b6376bd75d91d24abff

SHA1
5e83d17a74455f051a67449743caaad62c001cdf

SHA256
6fbd979db936229f22d5b740efcdb858346df170cb5e70b68604abb87cd1df41

SHA512
cffac092c739dca1f51e2aac918130e96d29356b71c0f7ffefd3ee8d1a80a7998d6bd15ac6c20ca7660ee9a764ad49dce0616d7faa3572d8551342cdfedc0eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pyMeow\pyMeow.pyd

Filesize
1024KB

MD5
fc71e0f4302cee615827ee667752cb52

SHA1
714905ee840567956b956ae325524e6731239f86

SHA256
73a73374725ec3334a153c058eb451c0aa0a91a8250350000859f01f85e2415e

SHA512
d01e74a6b2788c30874891b0d1edd74f79225404c74dfb55a5144bedc1718dfa36e1c0657cddfd5b328e8e393b809abfc295c49e61b142e9011b63378350dce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pywintypes39.dll

Filesize
136KB

MD5
f0c9ae2851bdadd218d864430281b576

SHA1
b7fb397f1c9cd07c81c7ae794b2af794c918746f

SHA256
15ff353b873b58c7a8af42d94462aa4cb4ea03c10673a87a0d7f2c42b7ec60c0

SHA512
915aa0121265b11d6ab58643fb1e4d867e3c49608dd5c8842364d4ed913f4742b4c4d54b21526ea62d7d48598b02c613f1ab39a4a071e403d4cc6fe68f839b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\win32api.pyd

Filesize
129KB

MD5
30d431bdd2419b1c59f22c0ab790ab88

SHA1
fe4c07f5e77806e5f0f5f90762849818eb4d29d1

SHA256
0813e92197b04508363d93f3fc2065e962baab44f8a2c18c6297e1fb348cc679

SHA512
d5c8e362c5be1decffb7960b0169e18641816ada783e0ec5a3c909c163bf1aa8878d6e7d7efb0258a0f1a031ac8e71c084d7220347b85b07412d6717f3b5ff58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\win32gui.pyd

Filesize
222KB

MD5
3ec45c06ad3a38ddd434d480d575150e

SHA1
9489842d16c1bb3c7619c6595d4c8d21690afd2c

SHA256
03ea618102198c9ef41d00b0b197544cb6998452221f1f66f7bf0ef5874df1e9

SHA512
af38ea0f462eafcd226a84cbbff9e2bf7f6302c15063796e8117aab9cd49ffcc33969447c27c8952f1d694a92abde9500c257d308c185b54f7578fd788f8f4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\win32process.pyd

Filesize
51KB

MD5
6118ce8d4464764969741fe82e3d2bf4

SHA1
b8376b45b7fb2893643fd355559aa287ff8897e8

SHA256
9e040738216f2d806c7230a57cd1143178bb0c9e13c12779b644e4da98a3cef3

SHA512
e6be8c55a3559783a3083949348949fed92f45f9fc05a1d6926363aacc9f8d7e5d076d8a31becf35852b881988ae299cb3c0c8e942f9337e10e345e5facd37db

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4480_133532724294261258\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4480_133532724294261258\_asyncio.pyd

Filesize
64KB

MD5
43e7da594af7c0655cb9f57bd5556a49

SHA1
b75042853453e902ee54d0311311b4de74d40241

SHA256
6241f72162099095f111819fd5b9b2a0995ed7cf45ca08f1d0134ab7b3fe601a

SHA512
b088211220a6b73aa55e8ce1ed8d1517b25a5f53245abd9a07ba4c39518db9bd8742750d1f7f12c58955ee1ea642c733d4dca45bc7b67e1d18d25526806c4be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4480_133532724294261258\_overlapped.pyd

Filesize
45KB

MD5
5302eaf1e9af8e6550ab3720acf7ff63

SHA1
ce2dfdf34616a84a041ddaec025516ee6c5e2762

SHA256
42c7a03bffe76eafdee596f6b4c3ff950ff8808a31d194932c2bf48fdfc7f7c2

SHA512
7649a8356aff0b9f7012ca25a433771e84a722a3eda0608226d5871828d5a3e5c7eca009ae9c32d02bc01a5ceceb972f35d9ec9bf538f3151145469769c8ebf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4480_133532724294261258\_socket.pyd

Filesize
78KB

MD5
0a6c6fd7697e4c3757014fa6bf6dd615

SHA1
f14f79831b8b16a7b31f4c7f698317c023d446f9

SHA256
a611e9b4f4e5fe67e945b771d79cf15c48441ecfa11ce186cec9bf233dc20c0d

SHA512
f5fcfede06f0f81229b946f803b6e292fd0c909191f3c2a82ca317ff7c2e08d1ea98aa2d11ec85edd5449994a2a7c61318a15d47806cd761e25739494f3e18e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4480_133532724294261258\dearpygui\_dearpygui.pyd

Filesize
768KB

MD5
302775cb9cf65a5f755e4a8a5db28af4

SHA1
5bf82d4cd6a97533fba8a0ff909825574376fa19

SHA256
5d42b10e5adae15bd70967bd498ef927306509191cc5e5362fd4d2bff2dedcbe

SHA512
197d1cfbbb34780d440dd29aa26756576ff737ff38476c23836e45bed554c1223f170e9b29788bc52ab0a5989a0e6f181e02156485b576594dd5f52689a30f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4480_133532724294261258\libcrypto-1_1.dll

Filesize
1.4MB

MD5
7983f5969f5c7746ab2d3131fb5df34c

SHA1
69050c0ce2f2da6390600328be04ca24314c1c2a

SHA256
aea67fce7709ab562d4f3a9f7a6783ce6bf4569cd480e346951f1d87cdb0efc6

SHA512
02cf8e2031d10704465849fd1af0d27097e596d790bcd07708829b86693169d8275f71ff96cc5bb66e090f7de095f0b5d477fb7ccf36871e417bfe92bcb35a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4480_133532724294261258\libcrypto-1_1.dll

Filesize
1.2MB

MD5
19fd955fc6c09c7c43c758a1e0e26f39

SHA1
a787e0e5369170a4c4ab9dd9c4d9b7aec0a6cc11

SHA256
ae44e011868b512badfaca3838ef617df0657b6af7ab9f10bd8d48cca5c68772

SHA512
3def389711f02985e71b5952a7fc24446d5df0bc24cf40815ecd3b75cf416bf7592b0e7e4de92131fd51ec1051e2f54d3f457c1190dfa76a599a01e081762ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4480_133532724294261258\main.exe

Filesize
10.6MB

MD5
ec948aba4a2ea4c99e82471c55f3a9ce

SHA1
0730293baed00476bc7a62c96f0caa10e3f9403d

SHA256
86222ea4c0600562c3b00961e6984b00851ff5c5aab2686648c5fc32601abff1

SHA512
62fe292abfe983beddd08b1e6c51ce08cf04af7a93e8a5a3868817c2f881fd94996c199d2e02ad4a83787ed5dce7e4727b805bf34b710078be4670e7350d6b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4480_133532724294261258\main.exe

Filesize
4.8MB

MD5
55aff03fef02fffb05a4cc48706fd9c3

SHA1
16021a0e85b014df1e90745bd849a66d49bfb977

SHA256
d383bf14b39b700ab844532cf2fb0e9b7c81fd9bf07b2d2f9a13a60a108f4d29

SHA512
82697a8191e326bddff8eefff2f2069f0e6b16ae0afd7a75a3fd25521ecd3184edd213da4558bea9cccd107384b7c6e92110929333f0d62d47ef151ad2944830

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4480_133532724294261258\msvcp140.dll

Filesize
558KB

MD5
bf78c15068d6671693dfcdfa5770d705

SHA1
4418c03c3161706a4349dfe3f97278e7a5d8962a

SHA256
a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb

SHA512
5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4480_133532724294261258\psutil\_psutil_windows.pyd

Filesize
67KB

MD5
1350d7dd4c8715fb749092b370362d91

SHA1
6a706c275c48ab835c9d1a3e6e619306003a41c7

SHA256
1090e69fa90e0f55b90a2ae429aad7843db013eeef42aa8b0f0267f76abbf6be

SHA512
65e2051669daed30a89c60e96c52214bb161de8571eaf26dd680bf9ad91a1474497cfa2399f5da2023e9205f32c668de654fe81cf7bcacdcd58995be451e981c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4480_133532724294261258\pyMeow\pyMeow.pyd

Filesize
896KB

MD5
fb32ba36b00388d092a4dd7db64b97a5

SHA1
3c6e40e08f05c5e9e39c26a07f59d7fd385aeedd

SHA256
e656807bab7696c0a4e9d1631336dd58f3a13b1e2c2e70546497986e3ae0c25f

SHA512
a2d355d9580f29218c9c2cc51a9cda66d6f85e0330186350d39d426348959dfaf032a84161759544f11a7f3793745703bcf3008f76fb7c05c29639dc79e7ceac

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4480_133532724294261258\python39.dll

Filesize
4.3MB

MD5
19e6d310c1bd0578d468a888d3ec0e3d

SHA1
32561ad9b89dc9e9a086569780890ad10337e698

SHA256
f4609ec3bbcc74ed9257e3440ec15adf3061f7162a89e4e9a370e1c2273370a1

SHA512
4a8332c22a40a170ea83fc8cfd5b8a0ed0df1d59fd22ebe10088ba0be78cc0e91a537d7085549a4d06204cbe77e83154a812daed885c25aa4b4cb4aca5b9cc85

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4480_133532724294261258\select.pyd

Filesize
28KB

MD5
196c4d2f8bdc9e9d2dbcce866050684c

SHA1
1166c85c761d8188c45d9cc7441abfe8a7071132

SHA256
cd31f9f557d57a6909186940eafe483c37de9a7251e604644a747c7ec26b7823

SHA512
cb9a02530721482f0ff912ca65dae94f6930676e2390cb5523f99452174622d7e2e70cafaf46e053f0c3dfc314edc8c2f4fd3bc7ea888be81e83ff40d3a30e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4480_133532724294261258\vcruntime140_1.dll

Filesize
36KB

MD5
37c372da4b1adb96dc995ecb7e68e465

SHA1
6c1b6cb92ff76c40c77f86ea9a917a5f854397e2

SHA256
1554b5802968fdb2705a67cbb61585e9560b9e429d043a5aa742ef3c9bbfb6bf

SHA512
926f081b1678c15dc649d7e53bfbe98e4983c9ad6ccdf11c9383ca1d85f2a7353d5c52bebf867d6e155ff897f4702fc4da36a8f4cf76b00cb842152935e319a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4480_133532724294261258\winsound.pyd

Filesize
29KB

MD5
fb5fe1850a861cdd0e65f48a648ec659

SHA1
b41cfa72cb660f671676f78fe5fdaaa771c9a35c

SHA256
690d2e9b91792c0ca63da116e679368f52c7b0673668f4b5957989f1ab9ffb32

SHA512
71c5e62c6bedf73e2cf8b91225154b0e1894788a16df90778e34d587c61a7c3af4ee76b6b256b94d704de9597b69be2c3404c4787896168eb4fc50679a39f6c9

Download Submit
memory/4772-118-0x00007FFA5DF10000-0x00007FFA5E209000-memory.dmp

Filesize
3.0MB

Download
memory/4772-140-0x00007FFA5DF10000-0x00007FFA5E209000-memory.dmp

Filesize
3.0MB

Download