6eb7320a34161360d781e2e2249e16e65fccb3103e75ba76824a8ba3805484c3

Analysis

max time kernel
17s
max time network
19s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Electron_V3.rar
Size

10.5MB
MD5

a9d373d0f6a5ec54c04fdebd34885662
SHA1

ffef9e06cb2777cb27a0b9f40802fb7cf336d411
SHA256

6eb7320a34161360d781e2e2249e16e65fccb3103e75ba76824a8ba3805484c3
SHA512

dc6785ba0dcb94193b10018f7b7fe2ba4bee21f80f0809fe24d3da90576b3d9c330aa47498c49b28b02a27a9a5f9d64e8316ba269d37396c69e056b53a5dcbf6
SSDEEP

196608:jEd140AbCOegrSk2JPJPglbX0Sw86zUuDddv7qEI0mlYPxQWyHScKoG:jmGNuhPg9X9FhedvWJ0mlYPsSroG

Score

7^/10

pyinstaller upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2144	ElectronV3.exe
592	ElectronV3.exe

Loads dropped DLL 5 IoCs

pid	Process
2640	7zFM.exe
2144	ElectronV3.exe
592	ElectronV3.exe
1352	Process not Found
1352	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000194ea-80.dat	upx
behavioral1/memory/592-82-0x000007FEF5970000-0x000007FEF5F58000-memory.dmp	upx

Detects Pyinstaller 8 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000d000000014698-30.dat	pyinstaller
behavioral1/files/0x000d000000014698-29.dat	pyinstaller
behavioral1/files/0x000d000000014698-27.dat	pyinstaller
behavioral1/files/0x000d000000014698-31.dat	pyinstaller
behavioral1/files/0x000d000000014698-78.dat	pyinstaller
behavioral1/files/0x000d000000014698-79.dat	pyinstaller
behavioral1/files/0x000d000000014698-83.dat	pyinstaller
behavioral1/files/0x000d000000014698-84.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2640	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2640	7zFM.exe
Token: 35	2640	7zFM.exe
Token: SeSecurityPrivilege	2640	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2640	7zFM.exe
2640	7zFM.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2640	2904	cmd.exe	29
PID 2904 wrote to memory of 2640	2904	cmd.exe	29
PID 2904 wrote to memory of 2640	2904	cmd.exe	29
PID 2640 wrote to memory of 2144	2640	7zFM.exe	30
PID 2640 wrote to memory of 2144	2640	7zFM.exe	30
PID 2640 wrote to memory of 2144	2640	7zFM.exe	30
PID 2144 wrote to memory of 592	2144	ElectronV3.exe	31
PID 2144 wrote to memory of 592	2144	ElectronV3.exe	31
PID 2144 wrote to memory of 592	2144	ElectronV3.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Electron_V3.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Electron_V3.rar"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\7zO05A17C86\ElectronV3.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO05A17C86\ElectronV3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\7zO05A17C86\ElectronV3.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO05A17C86\ElectronV3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO05A17C86\ElectronV3.exe

Filesize
27.2MB

MD5
9e3f23b916549ea573237d97662617a1

SHA1
241d233ce244525da7284260d522f6d5318c1a98

SHA256
bda2e6e70a961d3f2eef8a685d11d91f89abe5e8119eb7d32ed303bc778df8b6

SHA512
94bc664d688799b7e77a392058d587926badbccfae4961314597195768baea0b246ef568b0f621fe3265e85cb7076927061470ffa63cf9b3a4b67e5dcd239c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO05A17C86\ElectronV3.exe

Filesize
30.7MB

MD5
6d774623b1d536dbf72945e0fea0f06c

SHA1
438a91155b76f81f9f63b27f078fd1a7417f107e

SHA256
e32372a6d129f51ffe6ecec854858552c3a4e238426782b0e3e32be21e9f14a0

SHA512
ba64912dc0c47f14dac095fdf41b73d0d3d00cc26c34fe995879a05d144c7b539a2b0ec169deead18a73518f8ffd47381a78305929cfbcd3537168934f9e23d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO05A17C86\ElectronV3.exe

Filesize
30.4MB

MD5
ce24b9f8b1018d90e0db1b8021793553

SHA1
1ade559e902458eac24517c6f95f9a9a8ad7b368

SHA256
23b54c5ab1a4e9ff1387bb1ae6a04589e67e3611a11fbe2563fb87a7c46850ec

SHA512
fcbd36bdc98a907eda2a85509475fdc3c7a216314c0af3ed50e371192ff26bc0c8682ad03b1a9bde056d4c78762fd51bbc98ec8c3d02f001280cb437a2fa168f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO05A17C86\ElectronV3.exe

Filesize
28.8MB

MD5
876aea91e411c8382f1b2e13f4a0d364

SHA1
460f03cbf2ca951dd1850e75d6dc114b7ab08214

SHA256
d5404393f9b3c24ae2c421497a60cf6ce1901c737e9a7c76da4bee1c61c4b3dc

SHA512
5618455e392a55626c28132530df8151b62b2854b597e235d11c5c0287c0c5049216b8cbe4d3d09c85664a0e20e1d8b0dfc1592fbdab24baf17941acfa354fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
\Users\Admin\AppData\Local\Temp\7zO05A17C86\ElectronV3.exe

Filesize
30.6MB

MD5
ecf6e45cc2bc776979e5feaf34a889e8

SHA1
d38481197a1b490a4fd5d53a48c01b27dca972e2

SHA256
6ea97bbd98372dbf23a4bc0bf882466787a71a934a77f693be47efa180ae4c07

SHA512
07098ee6c1fa2470fe481477da0e7eec929fb98115f1f307bdd79ed26f7a8fc1f654d5ff7f3b7591b145acd9adb6fbf0f0d78a88dc2b6eb93942d9c1517ab106

Download Submit
\Users\Admin\AppData\Local\Temp\7zO05A17C86\ElectronV3.exe

Filesize
30.1MB

MD5
19085d0ea3480ef68d82c3b901c6c7d8

SHA1
0b7457c7afb20b139d7862ab4f485480893cb4ae

SHA256
fd1ef07d37076f96402646a67c80df434340c4d0264e384ef0986871adf2989b

SHA512
7d47d94150124d7142515937bccf9835f7e4ea6c8560fbd6cffa03d1e393a4d2bb5df823222b1b9aaaeb5c7f57ef20a9b3e64640939e453164202c46666015c5

Download Submit
\Users\Admin\AppData\Local\Temp\7zO05A17C86\ElectronV3.exe

Filesize
22.6MB

MD5
b39b1ae43bdaf8f262689e0d42856a65

SHA1
dd82c17f8dd4988788eaf61dee9793974c77d604

SHA256
01961e9b5f770b52bec2ed53548ce734fd8b687318f7805cc3fb579a6ff493ec

SHA512
6b83e9361b74371e41f572c8685c6ff2cf050a261be963c922b0d2af447e915591ce2d5efdfccefcbeb2ffcbb9b7cf9579200e88b7c6067ba1281f4f172c6bd3

Download Submit
\Users\Admin\AppData\Local\Temp\7zO05A17C86\ElectronV3.exe

Filesize
22.4MB

MD5
4d1087b22f3a32f6e12cda8366cc6def

SHA1
c2095122fc764cfe32dcc0ec73efc63c96785f1a

SHA256
72061dd2618962432b245d841e590782773cf98ba3e55f3a38fed07dcf501853

SHA512
4692d643b08255e471434a0261ac3c37a487c03a44dde49a2678fc87235beb4f5c515adc6b4582b573f416cb5e2bc5fdccbac5226659d0e1cc855096d21f3e48

Download Submit
memory/592-82-0x000007FEF5970000-0x000007FEF5F58000-memory.dmp

Filesize
5.9MB

Download