7a77090a08a808821e1536b3e62a9cc7b51ecdaeb7032c3768387054ccfe01f6

Resubmissions

20/04/2024, 09:30 UTC

240420-lghqsaeb4t 7

20/04/2024, 09:24 UTC

240420-ldceladd77 7

20/04/2024, 09:23 UTC

240420-lclxmsea21 7

Analysis

max time kernel
95s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 09:24 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vacuum.exe
Size

19.4MB
MD5

2266c7c3998d203663eceebfcdf5b489
SHA1

e30ef90317492965c5516fd7a6e3e5c7452524d6
SHA256

dba2a3cfc126aeb845acc92e919843d899cc24fde3895622308584b39ba77d9c
SHA512

88d3916f216fc8eb120cd6cfa43561bb5bd067a532c157a84eec263c38874b58cfcbb84e9247650f09e2f7feaa6d61be5e14cad48cdba1a9fb30ea8320a47fc3
SSDEEP

393216:aoQ0M8qdBLGUW/hSoI2IobkqJHR2tWQrdCp8dx/uaAxJodQ3RInEropazY3BqKxj:xQ78S6bRI2Bbk8R2txZpAxJTCErup3Bl

Score

7^/10

pyinstaller

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1120	caqqwe1.exe
4360	caqqwe1.exe

Loads dropped DLL 17 IoCs

pid	Process
5012	vacuum.exe
5012	vacuum.exe
4360	caqqwe1.exe
4360	caqqwe1.exe
4360	caqqwe1.exe
4360	caqqwe1.exe
4360	caqqwe1.exe
4360	caqqwe1.exe
4360	caqqwe1.exe
4360	caqqwe1.exe
4360	caqqwe1.exe
4360	caqqwe1.exe
4360	caqqwe1.exe
4360	caqqwe1.exe
4360	caqqwe1.exe
4360	caqqwe1.exe
4360	caqqwe1.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral5/files/0x000700000002326c-27.dat	pyinstaller

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 5012	5008	vacuum.exe	91
PID 5008 wrote to memory of 5012	5008	vacuum.exe	91
PID 5012 wrote to memory of 4000	5012	vacuum.exe	92
PID 5012 wrote to memory of 4000	5012	vacuum.exe	92
PID 4000 wrote to memory of 1120	4000	cmd.exe	94
PID 4000 wrote to memory of 1120	4000	cmd.exe	94
PID 1120 wrote to memory of 4360	1120	caqqwe1.exe	95
PID 1120 wrote to memory of 4360	1120	caqqwe1.exe	95

C:\Users\Admin\AppData\Local\Temp\vacuum.exe
"C:\Users\Admin\AppData\Local\Temp\vacuum.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\AppData\Local\Temp\vacuum.exe
  "C:\Users\Admin\AppData\Local\Temp\vacuum.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start /min /b caqqwe1.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\caqqwe1.exe
      caqqwe1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Users\Admin\AppData\Local\Temp\caqqwe1.exe
        
        caqqwe1.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:5068

Network

DNS

vacuumbot-c2.ibroomba.evil

caqqwe1.exe

Remote address:

8.8.8.8:53

Request

vacuumbot-c2.ibroomba.evil

IN A

Response
DNS

82.90.14.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

82.90.14.23.in-addr.arpa

IN PTR

Response

82.90.14.23.in-addr.arpa

IN PTR

a23-14-90-82deploystaticakamaitechnologiescom
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR

Response
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR

Response

0.204.248.87.in-addr.arpa

IN PTR

https-87-248-204-0lhrllnwnet
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR
DNS

91.90.14.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

91.90.14.23.in-addr.arpa

IN PTR

Response

91.90.14.23.in-addr.arpa

IN PTR

a23-14-90-91deploystaticakamaitechnologiescom

142.250.187.202:443

92 B
40 B
2
1
23.14.90.91:80

8.8.8.8:53

vacuumbot-c2.ibroomba.evil

dns

caqqwe1.exe

72 B
147 B
1
1

DNS Request

vacuumbot-c2.ibroomba.evil
8.8.8.8:53

82.90.14.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

82.90.14.23.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

4.159.190.20.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

4.159.190.20.in-addr.arpa

DNS Request

4.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

146 B
147 B
2
1

DNS Request

133.211.185.52.in-addr.arpa

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

0.204.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.204.248.87.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

28.118.140.52.in-addr.arpa

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

91.90.14.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

91.90.14.23.in-addr.arpa
8.8.8.8:53

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI11202\_queue.pyd

Filesize
26KB

MD5
bb3535a61e265d9ea56521b805de1e30

SHA1
b892b71da975fc3d179987d8fa6890f0febe4c17

SHA256
cd8e05021d6b17e2e43af604c1a760f5b71b32cb556d07c0ce0ffe341c35a186

SHA512
5577e7878601505c6aab3838471459d4bedd346f752149bf70a274e048a42b23b71e1d64230bb2e6a1bba115ce360b205e99ddde85a18974c643b003f50d91aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11202\_ssl.pyd

Filesize
152KB

MD5
e1b3495e82d7e3c6baea5c17533940eb

SHA1
465f0c9de0e778b36cfa4780f92bf2b42691e22a

SHA256
1a4c3b75a0a641260d6457e9007f11ba9d3233494b2847e6d8368da7349053e1

SHA512
8060a462d345632e64d173371864f214455bdb37462a264d18d98e0755642d6966fc7502c21db04b804240758b42ad79b4b136cdae5ec578101b66cf4aafb912

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11202\charset_normalizer\md.cp310-win_amd64.pyd

Filesize
10KB

MD5
f33ca57d413e6b5313272fa54dbc8baa

SHA1
4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44

SHA256
9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664

SHA512
f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11202\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

Filesize
117KB

MD5
494f5b9adc1cfb7fdb919c9b1af346e1

SHA1
4a5fddd47812d19948585390f76d5435c4220e6b

SHA256
ad9bcc0de6815516dfde91bb2e477f8fb5f099d7f5511d0f54b50fa77b721051

SHA512
2c0d68da196075ea30d97b5fd853c673e28949df2b6bf005ae72fd8b60a0c036f18103c5de662cac63baaef740b65b4ed2394fcd2e6da4dfcfbeef5b64dab794

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11202\libssl-1_1.dll

Filesize
678KB

MD5
bd857f444ebbf147a8fcd1215efe79fc

SHA1
1550e0d241c27f41c63f197b1bd669591a20c15b

SHA256
b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf

SHA512
2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\_bz2.pyd

Filesize
78KB

MD5
10b1525361440923f3ef04b141cf3f1c

SHA1
b814868694a2a83ced84660b8af0c353f66f6d24

SHA256
2b2920ef7a211e053296aac9965ac569433be0843ea6ba403ab5c9e23604ada5

SHA512
d3d438926b4786df86eed7439e215754967ab0abb544a8782947e78adb8d5be86255e3d067cb0bdb63332173e2bc4d0042642a0093a5ba6851f6ef8fd470e7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\_decimal.pyd

Filesize
244KB

MD5
625d593ba82433b041414ca89e4b6f50

SHA1
bb31b6fa9f1b61d1d6f23be39981de8a28c4678a

SHA256
b8b19b84493f1501056cbd25c2dcd72e502d454043fbc5d77b93437b3f69819b

SHA512
fe84fd43b6d6a83d7f70d5d5c930e490ef2152a0b8a2f67f063021eec342e0cb57cb3afa4407a0132a079e870c5cf38d0bf93f681d2b5361e6711c6db31d295b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\_hashlib.pyd

Filesize
57KB

MD5
97b37cfd6b49ee97523d97cd067d36e6

SHA1
a8094bdeb30e85a7955f6102b3a0bde495ceba61

SHA256
b0d44ecec14cd64d562281604e9f2e31213bdc24833479f49924c4750f928f96

SHA512
737c72b5391c01a44f2e94d5746757872af22c5b280034bbd1ad7be55e3d962fc724b47d28949706a31f0511519e20f25256a2c2fa1501be1437f3807016609a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\_lzma.pyd

Filesize
149KB

MD5
cddacf71702e25d930a952eb57772771

SHA1
3d383a5f36858f5808645b5d5d5190e2fc7d01d4

SHA256
8abf48bdd1e24cb5405aaa7529b63f0a83b080a98dd86223ae615ef8fb74f46a

SHA512
9d05fd1b9f00083ed2f27518a26913eeccfe0e4cf1819f6a1d880f7a2d03f5946a7674716ff72a867a777fd54bfb897a482f47252b372085c1a92d3f80137d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\_socket.pyd

Filesize
73KB

MD5
dd1d1c2d2f5f1ffebf169b814d5b7ee7

SHA1
3af5882535c263e1ed7e3ca8f89f904ad6c1960d

SHA256
8515f2e5ec194bc43e3a8b7e924b4e9e09e0adb2fdecb9c8930b0ac20807544a

SHA512
857e7bf0dfc9e42315b3c0a29cd83518be8966689a257c456685db859b42bfb2e44570b5f055adb3295a61c9201df99504cb7cd30ce98b9866c2435df6eb17bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\base_library.zip

Filesize
857KB

MD5
4be939938320504927755ab629d45651

SHA1
0fd416e6e78393e377491ec50bc0e4f161145e7a

SHA256
d421ec9920edf6261d970ffbdb4357360851bd76a66dbd7410ea2afe5eaabd47

SHA512
736e2ca9caa54128c5376140876b12306aeab8afe8186ae2ab8f3c7b27659395fe27bbe63150b97a36956e0e56b17a096f0468cf86ac96df08c03233bd331df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\python310.dll

Filesize
4.2MB

MD5
c98916b26adeb981be257033ff149b47

SHA1
de60fa540ac696ec0bdecfe8848424ac0bc57763

SHA256
217835a7afe449a9f835efe19ffd36e9191c9eca66826df8e813b4ccce2aebbc

SHA512
d09e5e18496239d739a677b0a5777388e22aad93a37b3a2f935d6028d618606e8d26dc3f6a483d46390a4f478ecf1b44a77ab9d7fb9b9432fbe75d2f6e180a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\select.pyd

Filesize
25KB

MD5
e790a9ff2175e6985cd96235d575e7a1

SHA1
171a32ba7c2820fcf524f7e51945b5922768cd2d

SHA256
122be1167bf1315af6f784ff0c96beda96d740b87f24771cf59bd1522158a5a2

SHA512
0f471afb3ff10aa56eee4374221d76604dca4d93be1e0718ebddad2fd71f0d715f5b5df131411f8433978d6be553badee69a43e0be8fe30dc7b72ec0f64c2089

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\unicodedata.pyd

Filesize
1.1MB

MD5
32860cb4f785e434e8292d51add03da9

SHA1
5e9878604ef4c2488a8a0775f9281c66015c3832

SHA256
6bd9381806be2c2ee608cdcf3f6379086918c5f7a9494f81f9d7699e2e8e3c01

SHA512
1c3fc8bbc638e84955000bf567551afd5a74734d3c20fac53dfe969bdd88180bb4615bf6918df9dd7529e220ba6c1a89580dd53733f372ee87b077c1f5aca30d

Download Submit
C:\Users\Admin\AppData\Local\Temp\caqqwe1.exe

Filesize
6.2MB

MD5
dd513d950efe1ae66531647aaffd5d7e

SHA1
a7b7ee391d0acab452e673618688d0c9fe5f36ed

SHA256
7017b44f8a6881899232c1dd6a292324a7aa87077982153c4843a2d085f4621e

SHA512
632dfa44f037d26906cfad39af2b3970aad722f604c492fde4e0b5dfcaeaecb5eedd8cfcff40cecc744fe42634d71f864b865a311a3d0967e4cc9c7124ea8bf7

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.