Analysis

  • max time kernel: 131s
  • max time network: 147s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240221-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 25/02/2024, 06:14

General

  • Target: a315a8e4b26288c75f450072835251f1.exe
  • Size: 5.5MB
  • MD5: a315a8e4b26288c75f450072835251f1
  • SHA1: 6dd6fb1e604fc0b10bbdbc73ff5f65aa3a93461a
  • SHA256: bedc22b00fad7e6d2aa970363ecce95aac1dd5fa76c41160a995be672d8fdf91
  • SHA512: 008cef181d02a0bc75206eac904ecc29366db2500887c6cb0661775aa1163f410bf762d55f3809fc4146191aadaf8f195c68c9ee2dc34a138243f21706d45dab
  • SSDEEP: 98304:9I7CZFpDpvdIWXe+q2WWmQNfTBBGzQuKLQ59PzNYMA+M7lQVE9RjBUUqC:9IuZfDpd9e+q2WWmQNLBBGZlrO9QORiZ

Score
7/10

Malware Config

Signatures

  • Drops startup file (7 IoCs)
  • Loads dropped DLL (14 IoCs)
  • Detects Pyinstaller (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (22 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe
    "C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3912
    • C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe
      "C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "whoami"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Windows\system32\whoami.exe
          whoami
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:224
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "hostname"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3096
        • C:\Windows\system32\HOSTNAME.EXE
          hostname
          4⤵
          PID:3480
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "copy C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup""
        3⤵
        • Drops startup file
        PID:1832
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "copy C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup""
        3⤵
        • Drops startup file
        PID:2772
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "copy C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup""
        3⤵
        • Drops startup file
        PID:2468
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "copy C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup""
        3⤵
        • Drops startup file
        PID:2972
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "copy C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup""
        3⤵
        • Drops startup file
        PID:2404
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "copy C:\Users\Admin\AppData\Local\Temp\a315a8e4b26288c75f450072835251f1.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup""
        3⤵
        • Drops startup file
        PID:4856

Network

MITRE ATT&CK Matrix

Downloads


  • C:\Users\Admin\AppData\Local\Temp\_MEI39122\VCRUNTIME140.dll
    Filesize: 87KB
  • C:\Users\Admin\AppData\Local\Temp\_MEI39122\_bz2.pyd
    Filesize: 87KB
  • C:\Users\Admin\AppData\Local\Temp\_MEI39122\_ctypes.pyd
    Filesize: 130KB
  • C:\Users\Admin\AppData\Local\Temp\_MEI39122\_hashlib.pyd
    Filesize: 38KB
  • C:\Users\Admin\AppData\Local\Temp\_MEI39122\_lzma.pyd
    Filesize: 251KB
  • C:\Users\Admin\AppData\Local\Temp\_MEI39122\_queue.pyd
    Filesize: 27KB
  • C:\Users\Admin\AppData\Local\Temp\_MEI39122\_socket.pyd
    Filesize: 74KB
  • C:\Users\Admin\AppData\Local\Temp\_MEI39122\_ssl.pyd
    Filesize: 120KB
  • C:\Users\Admin\AppData\Local\Temp\_MEI39122\base_library.zip
    Filesize: 760KB
  • C:\Users\Admin\AppData\Local\Temp\_MEI39122\certifi\cacert.pem
    Filesize: 257KB
  • C:\Users\Admin\AppData\Local\Temp\_MEI39122\libcrypto-1_1-x64.dll
    Filesize: 2.4MB
  • C:\Users\Admin\AppData\Local\Temp\_MEI39122\libssl-1_1-x64.dll
    Filesize: 511KB
  • C:\Users\Admin\AppData\Local\Temp\_MEI39122\python37.dll
    Filesize: 3.6MB
  • C:\Users\Admin\AppData\Local\Temp\_MEI39122\select.pyd
    Filesize: 26KB
  • C:\Users\Admin\AppData\Local\Temp\_MEI39122\unicodedata.pyd
    Filesize: 1.0MB
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a315a8e4b26288c75f450072835251f1.exe
    Filesize: 5.5MB