15fbb2aca01aa435afdc91636155a56e46ffe3749a00f58c600c6863c576c001

Analysis

max time kernel
60s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
27-04-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

5.3MB
MD5

448ccbb16a4b84ed50457089c4d85c20
SHA1

aedc3ef0636d759dcff01560ad158e10801912c4
SHA256

15fbb2aca01aa435afdc91636155a56e46ffe3749a00f58c600c6863c576c001
SHA512

c9457f0b3fc7840763a22e7bbd9a85bda38e7b89b318ff8435cf2343e72ea3936ad39d55b9060e5945af68198ccf0dec1efb7b3063deaa6aef40245a28257fcd
SSDEEP

98304:baSlkXdBUF2NQV6K1eiTzW14Cmov0GtmfYb6d+2ss0FBNcFlQOyyqg7:ba/tNeRVCIgmAud+/s0FsFPyyn7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

loader.exe

pid process

2812 loader.exe
Loads dropped DLL 9 IoCs

Processes:

loader.exe

pid process

2812 loader.exe
2812 loader.exe
2812 loader.exe
2812 loader.exe
2812 loader.exe
2812 loader.exe
2812 loader.exe
2812 loader.exe
2812 loader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

loader.exe

pid	process
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe
2812	loader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

loader.exe

description pid process

Token: SeDebugPrivilege 2812 loader.exe

description	pid	process
Token: SeDebugPrivilege	2812	loader.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

loader.exeloader.exe

description	pid	process	target process
PID 740 wrote to memory of 2812	740	loader.exe	loader.exe
PID 740 wrote to memory of 2812	740	loader.exe	loader.exe
PID 2812 wrote to memory of 1196	2812	loader.exe	cmd.exe
PID 2812 wrote to memory of 1196	2812	loader.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\onefile_740_133587316813291803\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start main.exe"
3⤵
PID:1196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\psutil\_psutil_windows.pyd

Filesize
76KB

MD5
ebefbc98d468560b222f2d2d30ebb95c

SHA1
ee267e3a6e5bed1a15055451efcccac327d2bc43

SHA256
67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478

SHA512
ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133587316813291803\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133587316813291803\_ctypes.pyd

Filesize
120KB

MD5
6a9ca97c039d9bbb7abf40b53c851198

SHA1
01bcbd134a76ccd4f3badb5f4056abedcff60734

SHA256
e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535

SHA512
dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133587316813291803\_socket.pyd

Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133587316813291803\libffi-8.dll

Filesize
34KB

MD5
32d36d2b0719db2b739af803c5e1c2f5

SHA1
023c4f1159a2a05420f68daf939b9ac2b04ab082

SHA256
128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c

SHA512
a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133587316813291803\loader.exe

Filesize
8.5MB

MD5
a96b4994900a84ba901d9a6ac12584d5

SHA1
cce0a845a1e776459498cce63c21c0af34c40713

SHA256
6b7e7db37868242586319272d8e80bf51bfeab34e26676f03b49fb99341a6c0d

SHA512
e2cd3673ab018d4d91d61b6dabd1e55c920dbef4c26e658839e71fa88040292cb618eb9a89f3757db91aed806ffdee3ad195990b7362fbf970836751b5cd2930

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133587316813291803\python3.dll

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133587316813291803\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_740_133587316813291803\select.pyd

Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit