Analysis

  • max time kernel: 81s
  • max time network: 67s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 06-03-2024 19:34

General

  • Target: aware2.0.exe
  • Size: 17.0MB
  • MD5: 97cb8b3a2607a6ff9839e76ed7841ab7
  • SHA1: 4cbb14b7d67aa40588c552d0372ed413925937a5
  • SHA256: e8ea10c3d64051d884a5814f499af8d7fdcff0d28baecb8d032763e301fb0e86
  • SHA512: ad083b6bab60ba7fa1f1eae42da932f36fc8b617c143c7794aae5fa2972b4928c53f40fc7d3faa6248c312ee703776dea3984c013cf22cb152c63a9fa1941609
  • SSDEEP: 393216:LdG13d6KculSiTNZnyByA2AkUWzhDhQ5CEDcZkyPs6:hgcuYiT+XXQtgCEDcZky/

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 19 IoCs
  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Detects Pyinstaller 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aware2.0.exe
    "C:\Users\Admin\AppData\Local\Temp\aware2.0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Local\Temp\AWARE PRIVATE.EXE
      "C:\Users\Admin\AppData\Local\Temp\AWARE PRIVATE.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Users\Admin\AppData\Local\Temp\AWARE_PRIVATE.EXE
        "C:\Users\Admin\AppData\Local\Temp\AWARE_PRIVATE.EXE"
        3⤵
        • Executes dropped EXE
        PID:2624
      • C:\Users\Admin\AppData\Local\Temp\MAP.EXE
        "C:\Users\Admin\AppData\Local\Temp\MAP.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 592
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2196
    • C:\Users\Admin\AppData\Local\Temp\MAPE2.EXE
      "C:\Users\Admin\AppData\Local\Temp\MAPE2.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Users\Admin\AppData\Local\Temp\MAPE2.EXE
        "C:\Users\Admin\AppData\Local\Temp\MAPE2.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:656
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    PID:1960

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\AWARE PRIVATE.EXE
      Filesize: 1.8MB
      MD5: c2d08aaa6690a327c27077a68f3372ba
      SHA1: 9bb49c28525818a52fadd4fe3219d95f27bce57b
      SHA256: 464c7e45a45182089f7246c6cf4376eea799d746cc91f2f539d0dad97366376d
      SHA512: f573246d67b703a7d05bef7e71ab1f2971b3dcbe0f1a787f57062920addade5a10d8bd16f1d2982a0136ac8f99531bd760ae30de51da072811b75fe9b7356693

    • C:\Users\Admin\AppData\Local\Temp\AWARE PRIVATE.EXE
      Filesize: 1.7MB
      MD5: d34c5b0916aaf3cdf98e0bac8fe0e546
      SHA1: 91ac4e64db62f63423608c3cb1acf328c7c58ba4
      SHA256: 10484ebed2529c739a8a8283ca442ff40703da76b02f906b2e82d359083f1945
      SHA512: 8b262216520d08026e6c499794c81de917f5ab22caddf50d037781bedf24cf2cbd43c0d55b722c8ceb6a1630b5b120766724f23614569d7b27d0c3bb956182ba

    • C:\Users\Admin\AppData\Local\Temp\AWARE_PRIVATE.EXE
      Filesize: 576KB
      MD5: a04b9778c2180e879d64a04d4e293084
      SHA1: d86a95402cc6150b6e87298b0975ba8688fd474f
      SHA256: ceafa52df50875dc3afacbbdba220c780c4bcb719b25754b36dc3d11f6ad136d
      SHA512: d3e0368b229ff57860017b4638a5b7462427a0c650d5bac49e72013cf4ab6c485e30575960e056a038b7f498109fd298f360bc8d39ecf16d1a379bcba3cf2fcd

    • C:\Users\Admin\AppData\Local\Temp\MAP.EXE
      Filesize: 11KB
      MD5: 22d149842b1fb73ae68dba7226fc0e44
      SHA1: 8cc1bdaa6263ae95084060515b616075c34c7543
      SHA256: 7c048755ac81badf221d8cdd63cbcd18c18acfe638f051f0c47d5f6ab4c29e55
      SHA512: 86f34869c3105e28907376d6e76377dc8af8e9ff5365632dc631b74dbe9132254b4a3fba5555d2e4fb062ddeb041c4124971ea9ff2c066bb9619fe559e0034d5

    • C:\Users\Admin\AppData\Local\Temp\MAPE2.EXE
      Filesize: 576KB
      MD5: ff028dd93f02f3f1d81d456203de94ba
      SHA1: 0fea1ebed7a96cadcf9e6d04440b6ed866fbabda
      SHA256: 4994648a8cfd833a83fdc31c4f0a3fdfd09ae36903fbe5e93340498caaf6a835
      SHA512: 9194640afabe031e0ee3b8d1f047459e4e82c36283c3a0f46391aed311875a24e943a67a8c96207f0f64f969b3002040fd8b0d67a6483cdf0e3d97610f772a07

    • C:\Users\Admin\AppData\Local\Temp\MAPE2.EXE
      Filesize: 7.2MB
      MD5: f2bb3db0f38b2d5190f10a01ca1b45af
      SHA1: 1bdbbf85b09fe6c3e8883ba81fbd8cd12f3ddb79
      SHA256: 21b4731a53c01819d503508e39fa6b79571f799412c9be68ad977fbbd38ea4bc
      SHA512: 0ab9a004f470412ac32eb68d9eae6c2e855f5016ef84c1cc6e9f7fd8c7238f7906b33500ab56f87c866ad9c0f8b6f91eabf7deec2999b1e6a1ef4248cb2d318f

    • C:\Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-timezone-l1-1-0.dll
      Filesize: 21KB
      MD5: 2554060f26e548a089cab427990aacdf
      SHA1: 8cc7a44a16d6b0a6b7ed444e68990ff296d712fe
      SHA256: 5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044
      SHA512: fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506

    • C:\Users\Admin\AppData\Local\Temp\_MEI25242\python39.dll
      Filesize: 4.3MB
      MD5: 5cd203d356a77646856341a0c9135fc6
      SHA1: a1f4ac5cc2f5ecb075b3d0129e620784814a48f7
      SHA256: a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a
      SHA512: 390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

    • C:\Users\Admin\AppData\Local\Temp\_MEI25242\ucrtbase.dll
      Filesize: 992KB
      MD5: 0e0bac3d1dcc1833eae4e3e4cf83c4ef
      SHA1: 4189f4459c54e69c6d3155a82524bda7549a75a6
      SHA256: 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
      SHA512: a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

    • \Users\Admin\AppData\Local\Temp\AWARE PRIVATE.EXE
      Filesize: 2.2MB
      MD5: 277ee19cc5e402211546ae5f2b07a307
      SHA1: 4c3b84d84139e396ee5b92ed116cc3a2a2fad4bc
      SHA256: ce19597244699ef4b65ba2da3df3e5b9920ab85101adf3757bbbab920ee9deb9
      SHA512: d07fb8b9a6ba0e95422de456a983d0af6a66865ccf11d14c9aeeca4c683e9fb71ea98b6d0edb670be3005a00e9fbdf7f5132fd2c2e2d695bebe64850069bfe69

    • \Users\Admin\AppData\Local\Temp\AWARE PRIVATE.EXE
      Filesize: 1.8MB
      MD5: 13ac2390339b8facb6bd1d5cf3262d31
      SHA1: cc20a27cb627e96e2a553f2904e3406279485d9f
      SHA256: aaf69eb05c14641ec182946ecfc1906825694c77a58b083befa8a63219342fc5
      SHA512: a99e26029bc708faccbe51a4f93699661bb47e5561c0b1da6a90207a783004221046f7a9a5d84a83cd6c67f0edfc602f19521c4f6dc451d2628d641a94719787

    • \Users\Admin\AppData\Local\Temp\AWARE_PRIVATE.EXE
      Filesize: 640KB
      MD5: b6425862c96d9fdc4e77552b8653af56
      SHA1: aabcb60ced3751e63bc12a8bfff498c7cefa8bf4
      SHA256: f21c013d3ed2a885f6686ef7a3479aa22740b1cb63c8d6ed59086c279c097bd9
      SHA512: 4b391a0501e4ed633ea265c4b8fe26f59147997f1cccc36574bc61c467a729c75dab25a57eadc7da289713cb00031b273a7f0df4bfffa9b31f083893a5fa45a3

    • \Users\Admin\AppData\Local\Temp\AWARE_PRIVATE.EXE
      Filesize: 256KB
      MD5: 26d210e6716e56ea8b85e511ec39a4a8
      SHA1: 9695a78028e982233552f17467f0791c957a5db0
      SHA256: 0cc3b538ebabf9052669bfd0179565915cbdc24e218f9d3e8e1bb030a41f9d85
      SHA512: 7e4236fcb538cddb0af9cdd25abb78b121090467cae977192e45aab74062fc07067b9c12b311a01af4019a960fc5a541ddb0a0f8688e6323a8e9902ddd0fe997

    • \Users\Admin\AppData\Local\Temp\MAPE2.EXE
      Filesize: 640KB
      MD5: 80c4e23561036bc80c06aad874411b83
      SHA1: 3ec34cd39f2d168fda5df884e9d20d701c97a30e
      SHA256: c8ce22172b33fb82ac58cac6c53d5a62623c353dd4571d443c97a52e96148fe7
      SHA512: aba62afe9e4562256d30bc3b813769954a19dc9eda8a07b565fa850974868d134899af24c973dd0e51a769506f4e5708b20f728672e007cf9cfce2eae7b5628c

    • \Users\Admin\AppData\Local\Temp\MAPE2.EXE
      Filesize: 958KB
      MD5: 036456c63d096433a7fe0ac3e2346022
      SHA1: c2bd9a39aecca6d8c86621b8c58a6b98256e9409
      SHA256: 4a3162c1ef9c198b7ca9129a3e1f99c4128cef5046ec4dab86d87a1879f36514
      SHA512: b4eb64b5fc335747ae9e14f0e900bf3d504bce6586203b818618a0a5ddf8b3e08a64a4eb29eabb09c656f206a7ff28740e941c816018ae8b98de0951d25afa9e

    • \Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-file-l1-2-0.dll
      Filesize: 21KB
      MD5: bcb8b9f6606d4094270b6d9b2ed92139
      SHA1: bd55e985db649eadcb444857beed397362a2ba7b
      SHA256: fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118
      SHA512: 869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9

    • \Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-file-l2-1-0.dll
      Filesize: 18KB
      MD5: bfffa7117fd9b1622c66d949bac3f1d7
      SHA1: 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
      SHA256: 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
      SHA512: b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

    • \Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-localization-l1-2-0.dll
      Filesize: 21KB
      MD5: 20ddf543a1abe7aee845de1ec1d3aa8e
      SHA1: 0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf
      SHA256: d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8
      SHA512: 96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd

    • \Users\Admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-processthreads-l1-1-1.dll
      Filesize: 21KB
      MD5: 4380d56a3b83ca19ea269747c9b8302b
      SHA1: 0c4427f6f0f367d180d37fc10ecbe6534ef6469c
      SHA256: a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a
      SHA512: 1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4

    • memory/2624-107-0x000000013F900000-0x0000000140A5A000-memory.dmp
      Filesize: 17.4MB

    • memory/2844-104-0x0000000074A00000-0x00000000750EE000-memory.dmp
      Filesize: 6.9MB

    • memory/2844-105-0x0000000001080000-0x000000000108A000-memory.dmp
      Filesize: 40KB

    • memory/2844-106-0x0000000000280000-0x000000000029A000-memory.dmp
      Filesize: 104KB

    • memory/2844-108-0x0000000004530000-0x0000000004570000-memory.dmp
      Filesize: 256KB

    • memory/2844-109-0x00000000002B0000-0x00000000002BA000-memory.dmp
      Filesize: 40KB

    • memory/2844-170-0x0000000074A00000-0x00000000750EE000-memory.dmp
      Filesize: 6.9MB

    • memory/2844-171-0x0000000004530000-0x0000000004570000-memory.dmp
      Filesize: 256KB

    • memory/2844-172-0x0000000074A00000-0x00000000750EE000-memory.dmp
      Filesize: 6.9MB