Analysis
max time kernel: 81s
max time network: 67s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06-03-2024 19:34
Behavioral task behavioral1
  Sample: aware2.0.exe
  Resource: win7-20240221-en
Behavioral task behavioral2
  Sample: aware2.0.exe
  Resource: win10v2004-20240226-en
General
Target: aware2.0.exe
Size: 17.0MB
MD5: 97cb8b3a2607a6ff9839e76ed7841ab7
SHA1: 4cbb14b7d67aa40588c552d0372ed413925937a5
SHA256: e8ea10c3d64051d884a5814f499af8d7fdcff0d28baecb8d032763e301fb0e86
SHA512: ad083b6bab60ba7fa1f1eae42da932f36fc8b617c143c7794aae5fa2972b4928c53f40fc7d3faa6248c312ee703776dea3984c013cf22cb152c63a9fa1941609
SSDEEP: 393216:LdG13d6KculSiTNZnyByA2AkUWzhDhQ5CEDcZkyPs6:hgcuYiT+XXQtgCEDcZky/
Malware Config
Signatures

Executes dropped EXE (6 IoCs)
  pid   Process
  2936  AWARE PRIVATE.EXE
  2524  MAPE2.EXE
  2624  AWARE_PRIVATE.EXE
  2844  MAP.EXE
  656   MAPE2.EXE
  1328  Process not Found

Loads dropped DLL (19 IoCs)
  pid   Process
  1916  aware2.0.exe
  1916  aware2.0.exe
  1916  aware2.0.exe
  2936  AWARE PRIVATE.EXE
  2936  AWARE PRIVATE.EXE
  2452  Process not Found
  2524  MAPE2.EXE
  656   MAPE2.EXE
  656   MAPE2.EXE
  656   MAPE2.EXE
  656   MAPE2.EXE
  656   MAPE2.EXE
  656   MAPE2.EXE
  656   MAPE2.EXE
  656   MAPE2.EXE
  2196  WerFault.exe
  2196  WerFault.exe
  2196  WerFault.exe
  2196  WerFault.exe
  2196  WerFault.exe

  resource                                                                   yara_rule
  behavioral1/files/0x002f000000015c73-22.dat                                themida
  behavioral1/files/0x002f000000015c73-24.dat                                themida
  behavioral1/files/0x002f000000015c73-36.dat                                themida
  behavioral1/memory/2624-107-0x000000013F900000-0x0000000140A5A000-memory.dmp  themida

Detects Pyinstaller (4 IoCs)
  resource                                      yara_rule
  behavioral1/files/0x000c000000015c16-11.dat   pyinstaller
  behavioral1/files/0x000c000000015c16-14.dat   pyinstaller
  behavioral1/files/0x000c000000015c16-88.dat   pyinstaller
  behavioral1/files/0x000c000000015c16-89.dat   pyinstaller

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2196  2844        WerFault.exe  31

Suspicious use of WriteProcessMemory (23 IoCs)
  description                       pid   Process            procid_target
  PID 1916 wrote to memory of 2936  1916  aware2.0.exe       28
  PID 1916 wrote to memory of 2936  1916  aware2.0.exe       28
  PID 1916 wrote to memory of 2936  1916  aware2.0.exe       28
  PID 1916 wrote to memory of 2936  1916  aware2.0.exe       28
  PID 1916 wrote to memory of 2524  1916  aware2.0.exe       29
  PID 1916 wrote to memory of 2524  1916  aware2.0.exe       29
  PID 1916 wrote to memory of 2524  1916  aware2.0.exe       29
  PID 1916 wrote to memory of 2524  1916  aware2.0.exe       29
  PID 2936 wrote to memory of 2624  2936  AWARE PRIVATE.EXE  30
  PID 2936 wrote to memory of 2624  2936  AWARE PRIVATE.EXE  30
  PID 2936 wrote to memory of 2624  2936  AWARE PRIVATE.EXE  30
  PID 2936 wrote to memory of 2624  2936  AWARE PRIVATE.EXE  30
  PID 2936 wrote to memory of 2844  2936  AWARE PRIVATE.EXE  31
  PID 2936 wrote to memory of 2844  2936  AWARE PRIVATE.EXE  31
  PID 2936 wrote to memory of 2844  2936  AWARE PRIVATE.EXE  31
  PID 2936 wrote to memory of 2844  2936  AWARE PRIVATE.EXE  31
  PID 2524 wrote to memory of 656   2524  MAPE2.EXE          33
  PID 2524 wrote to memory of 656   2524  MAPE2.EXE          33
  PID 2524 wrote to memory of 656   2524  MAPE2.EXE          33
  PID 2844 wrote to memory of 2196  2844  MAP.EXE            34
  PID 2844 wrote to memory of 2196  2844  MAP.EXE            34
  PID 2844 wrote to memory of 2196  2844  MAP.EXE            34
  PID 2844 wrote to memory of 2196  2844  MAP.EXE            34
Processes
- C:\Users\Admin\AppData\Local\Temp\aware2.0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aware2.0.exe"
  PID: 1916
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\AWARE PRIVATE.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\AWARE PRIVATE.EXE"
    PID: 2936
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\AWARE_PRIVATE.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\AWARE_PRIVATE.EXE"
      PID: 2624
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\MAP.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\MAP.EXE"
      PID: 2844
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 592
        PID: 2196
        - Loads dropped DLL
        - Program crash
  - C:\Users\Admin\AppData\Local\Temp\MAPE2.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\MAPE2.EXE"
    PID: 2524
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\MAPE2.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\MAPE2.EXE"
      PID: 656
      - Executes dropped EXE
      - Loads dropped DLL
- C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe"
  PID: 1960
Network
MITRE ATT&CK Enterprise v15
Downloads