495b86d8230276a831f2cef115554dc38a27a97813953a385da2ce3979a32dc0

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0a69399744fb7037c0ddf8ea1ea8660.exe
Size

18.7MB
MD5

e0a69399744fb7037c0ddf8ea1ea8660
SHA1

f258a07441359c5378e7cbc2d7bfb7a3b335d152
SHA256

495b86d8230276a831f2cef115554dc38a27a97813953a385da2ce3979a32dc0
SHA512

ddf7176a9d86b0095e3f4628cb557d8e59bab5d79a57bf9536c589352fcc657add5b0d822e24d31d9b5946541cca3ccf7976b5512facb1e0720b077708ad3cb6
SSDEEP

393216:cf4SpNlrbNFYHcBS3h+N/gc3VWjfny/NjoFbJxpD/Ak2pCcxOz:u4SpNln3YHBx+qfQNjoBpL4FQ

Score

7^/10

pyinstaller

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1904	owo.exe
2956	main.exe
2308	main.exe

Loads dropped DLL 7 IoCs

pid	Process
2032	e0a69399744fb7037c0ddf8ea1ea8660.exe
2032	e0a69399744fb7037c0ddf8ea1ea8660.exe
1068	Process not Found
2032	e0a69399744fb7037c0ddf8ea1ea8660.exe
2468	Process not Found
2956	main.exe
2308	main.exe

Detects Pyinstaller 12 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000c00000001224c-3.dat	pyinstaller
behavioral1/files/0x000c00000001224c-4.dat	pyinstaller
behavioral1/files/0x000c00000001224c-7.dat	pyinstaller
behavioral1/files/0x000c00000001224c-8.dat	pyinstaller
behavioral1/files/0x000c00000001224c-10.dat	pyinstaller
behavioral1/files/0x000c00000001224c-11.dat	pyinstaller
behavioral1/files/0x000d000000014267-12.dat	pyinstaller
behavioral1/files/0x000d000000014267-14.dat	pyinstaller
behavioral1/files/0x000d000000014267-15.dat	pyinstaller
behavioral1/files/0x000d000000014267-16.dat	pyinstaller
behavioral1/files/0x000d000000014267-132.dat	pyinstaller
behavioral1/files/0x000d000000014267-131.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1904	2032	e0a69399744fb7037c0ddf8ea1ea8660.exe	28
PID 2032 wrote to memory of 1904	2032	e0a69399744fb7037c0ddf8ea1ea8660.exe	28
PID 2032 wrote to memory of 1904	2032	e0a69399744fb7037c0ddf8ea1ea8660.exe	28
PID 2032 wrote to memory of 1904	2032	e0a69399744fb7037c0ddf8ea1ea8660.exe	28
PID 2032 wrote to memory of 2956	2032	e0a69399744fb7037c0ddf8ea1ea8660.exe	30
PID 2032 wrote to memory of 2956	2032	e0a69399744fb7037c0ddf8ea1ea8660.exe	30
PID 2032 wrote to memory of 2956	2032	e0a69399744fb7037c0ddf8ea1ea8660.exe	30
PID 2032 wrote to memory of 2956	2032	e0a69399744fb7037c0ddf8ea1ea8660.exe	30
PID 2956 wrote to memory of 2308	2956	main.exe	32
PID 2956 wrote to memory of 2308	2956	main.exe	32
PID 2956 wrote to memory of 2308	2956	main.exe	32

C:\Users\Admin\AppData\Local\Temp\e0a69399744fb7037c0ddf8ea1ea8660.exe
"C:\Users\Admin\AppData\Local\Temp\e0a69399744fb7037c0ddf8ea1ea8660.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\owo.exe
  "C:\Users\Admin\AppData\Local\Temp\owo.exe"
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI29562\python39.dll

Filesize
1.3MB

MD5
3285207f9c4db09fc62f90ef976c3b39

SHA1
8732fc261460673deb2ea3cb4e581144e47e5a20

SHA256
36bcabb4657f67f27920413cd3a166d5341a74e15e6de449bf3915c70d27125c

SHA512
48865d8f5a038c1213c67d13545904658812aa5f165ed4d9d1a98f5682d9874051bb9a7fd4e11a621afc3eadb9cde196b4739b7da4524b2fed85ff139b66d379

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
1.1MB

MD5
8bd24c122efaed4b39ac8691dca2e8e6

SHA1
3dc27fa6aefb2cd18ff958abaa91dd5c5a9fa46d

SHA256
c159f3b166eb3e6d639a1341c592e5894b57402974d936005682334ef772aaea

SHA512
9b9bf485df11c844e392245ac730808191a02ce244cecfc065f106922893c1e877db90af721573ba45a246f1b1a01ad93fd826aa479194f971eae313e89ec063

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
1.4MB

MD5
46a63271f03e4bac0829652e67844d64

SHA1
53f48a0e3bc32968d5c19856766f7f057f044a8c

SHA256
9f1dac085fd1f6d1c9012ff21f330156317afeecbbccda1ed2b9c77910b6910a

SHA512
4b6915bf57087550cc1d0978a3bd1b12298161f04c632dd9e000e882697d4ec400aa3deac2a97ea58a5044560b90bcde220d0ecd24ba027db28573375469e7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
1.1MB

MD5
ecb849defc3ca21f19bbfddde851344c

SHA1
48e00c37da0a26c18ae6619e449a30c3525c84f7

SHA256
9b50adcd15dbff81a753c16590464f7cf0da6e5f54e7756c969decc5bf137c36

SHA512
bcb688732a5fce0003ae966e7fee0efaf8b2cbd7cd9ac32a807a0c1c0e182fe2cef00caeed4d5ee531e36b56faa87377ebb921879d50470aeca54c5e0b4c0d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\owo.exe

Filesize
461KB

MD5
4f594deef7853eab815437555e309e41

SHA1
4cd21bb52874fe274f5b757360cb14c4f393fbbb

SHA256
6cd38a85564cd365a1eab955b22c85fa0ca6bf5114b048d3f33193a33caa7ba3

SHA512
b6f8e7ac24ed2eb817fe1afe9cf0c61a02e302cbbaf3a2f74efce795ebb9a0f4a1a5bc85da13619f4eec1c9c8a58b9d135f9bf49435d0c64ff70552f2d1d9184

Download Submit
C:\Users\Admin\AppData\Local\Temp\owo.exe

Filesize
684KB

MD5
854f42d308b5276d9c1540973e81da95

SHA1
fdc4c70aa1572e83b6e43434a6612cc22ef64cd6

SHA256
302a289a16ae61b9ab0dcb6d9dcd1fdc1d21b5dad41d149f4f0747ee464c5ce3

SHA512
6e340a2a56799a38275b473b7bd99f2e2791f1351adeb895545db3915d9bddb774ac4b84dc061c725d3392778bdedcc7af74091323386c5d883b9405d3fce6f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\owo.exe

Filesize
620KB

MD5
59a974d0e39da8effb42a588b75e8e93

SHA1
2096c9d87671b8d7e5cd2b03f90abb883c9d6093

SHA256
c3c56df3802c190d3848cb6e6a4b899f208efac98b92b9b36cf9f5dc275ac322

SHA512
26606a742a5bc78f42c4b53cf8a5ad0b7882dfebbb96b46180bf6735884c428b605977a18d12cf35addcdd7ec77312a94f65a4f8aac66dea2090b6cb61c85a06

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29562\python39.dll

Filesize
1.4MB

MD5
65f7c58f812b4fd786a0c9cb9f9e5163

SHA1
7aba157ed7049a320fa7513a62beb26f15a52b3e

SHA256
e778c01c8fe8396b2416619e106d3c235b3951ac207c3d66ccdf90d93bb2c36a

SHA512
6f492e0686e6e7d52c3a64d83697f4be5d16c5127b78f21f13dc6b1c311e552d5e0e4a43b41034f2901e17c71604a78f037d847ed95a66e7b3fced1744e25dc2

Download Submit
\Users\Admin\AppData\Local\Temp\main.exe

Filesize
7KB

MD5
dc06cb23525c46f0cf6b4b84bc35adad

SHA1
9b09150d832f8a9ec461b048a3615499bde91505

SHA256
47cf82c31270126dcd5c64cdb230e3b65278906991f125a1a28d4fc8b4bafd5d

SHA512
88975b3949086cf9c0f15921271c96f3dfde6e4a9aa00dc856f12fbd68180474df13292519b38d1c9b12d9ccf113bdf98d7d2976a90e2c309863f8fea22403ce

Download Submit
\Users\Admin\AppData\Local\Temp\main.exe

Filesize
1.2MB

MD5
281bc445da4fe19a4329d2d09999bba4

SHA1
bd48f14fb3987540d8d65faeced3011e5c9d457a

SHA256
1a0e3ac20e0510fe88eef6871432740dca7a1704383899e62a6b9899a11d761e

SHA512
c63bf2acb25ecd7e042fbbdb8909c10b0146881b782fa72b5cd9b67479e1c8c25a2d4d978eb8a422c2168042a6ee60d669b46377958e455df1897fc431a0bdcf

Download Submit
\Users\Admin\AppData\Local\Temp\main.exe

Filesize
1.1MB

MD5
52625d876471038aa244972bd9b5bf0a

SHA1
037f7b8fd2e71b58905eba5a67ac6c243964d2bd

SHA256
60077d00bb0f6483cf8faa100a56895b5d0b14303c73614e563d3aa5eba8f9e8

SHA512
ce413f227892f205730776a9f4fc5bfb994f95faa328f2eff9beb06286d6f47526f0a094b9b660b2df0b13892e9d1fcbcdbaacff57ce2604948dddab83175f5d

Download Submit
\Users\Admin\AppData\Local\Temp\owo.exe

Filesize
495KB

MD5
ba7e6f20648f2d4a8817ed519ac53804

SHA1
5a5953b7ca73eae34baeb34e1b751abcc15a8dd5

SHA256
fd4ef8b80de83806e47ce9ff88dd13810dbdbb70b9ed3e691659fc7b430a3bc5

SHA512
ec4cc9684b2754366c379c8a248f6151d5163d9bac1c7b43fc0361ad7cb6bb0d14707c9679e9757f9710837fb753b8c7b2efbfec042b6c82bfa363ce3f877b76

Download Submit
\Users\Admin\AppData\Local\Temp\owo.exe

Filesize
1.4MB

MD5
9477c6454c3974129b4e84e5190d7689

SHA1
aa6e29b9011630fc3413b9b0b10173b04f823e27

SHA256
820cdf015516e98425b21f30ea2dcd571f24da1a54727c8e3f88b83ee503d6fd

SHA512
40f2447219dc2897ff80eda487060ec5b71c646df2e511941f1ed936829da9f27ed0bcfe93ca1a3a7e22b895a5d3051c0985596442354ee5825086c04028b059

Download Submit
\Users\Admin\AppData\Local\Temp\owo.exe

Filesize
893KB

MD5
c9ee041befd730f91bf32302337d50b1

SHA1
472eb1d9a4a301f70e35ac10709cf6b67b1f500a

SHA256
b1ea59afe12f02ec6547fba6f452b0ac024fb7abc0c1c0f034e42eb1b575d0f2

SHA512
9d5621b09c1a70bb11cd44a03262f5dc39bcfee6a3e3f085e272d2b0d6fe5b002961a2fb4d13fcf60334dbe9a7fee927f0fb8623ece10683690a2ba8f779cd47

Download Submit