f5b86b39ea504f53057e39de577fa8f3ec35cd89341604914aa01c1bb80fe771

Analysis

max time kernel
10s
max time network
15s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Image logger/Imagelogger.png.exe
Size

7.8MB
MD5

94f4491e716e038069a1a47802c6ccb1
SHA1

9415709b1b9d8148ec22dd8d03d3e0ddc75e7ad1
SHA256

c426c4c9652f014060f3a4c6f700c2abc27190402a81126cf9a11ca6d5bf7bdb
SHA512

19a7b17d1e38ab68f6f63d3478d2154f5ee13acfb278eb00f7496e4248adac3b1e68ab1f7aa308ba056e259e936dd5fc38373c6bbea142279f8e4dc9ddf54037
SSDEEP

196608:33G7tP2OF024LBHAn6xQTRPR4UV5Eyj8Fy6:AtuOnyA51PjEyj8Fy6

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

GrabberSetup.exeGrabberSetup.exe

pid process

2604 GrabberSetup.exe
2532 GrabberSetup.exe
1192
Loads dropped DLL 4 IoCs

Processes:

Imagelogger.png.exeGrabberSetup.exeGrabberSetup.exe

pid process

2256 Imagelogger.png.exe
2604 GrabberSetup.exe
2532 GrabberSetup.exe
1192

pid	process
2604	GrabberSetup.exe
2532	GrabberSetup.exe
1192

pid	process
2256	Imagelogger.png.exe
2604	GrabberSetup.exe
2532	GrabberSetup.exe
1192

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI26042\python311.dll	upx
behavioral1/memory/2532-36-0x000007FEF5890000-0x000007FEF5E79000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Imagelogger.png.exeGrabberSetup.exe

description	pid	process	target process
PID 2256 wrote to memory of 2604	2256	Imagelogger.png.exe	GrabberSetup.exe
PID 2256 wrote to memory of 2604	2256	Imagelogger.png.exe	GrabberSetup.exe
PID 2256 wrote to memory of 2604	2256	Imagelogger.png.exe	GrabberSetup.exe
PID 2604 wrote to memory of 2532	2604	GrabberSetup.exe	GrabberSetup.exe
PID 2604 wrote to memory of 2532	2604	GrabberSetup.exe	GrabberSetup.exe
PID 2604 wrote to memory of 2532	2604	GrabberSetup.exe	GrabberSetup.exe

C:\Users\Admin\AppData\Local\Temp\Image logger\Imagelogger.png.exe
"C:\Users\Admin\AppData\Local\Temp\Image logger\Imagelogger.png.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\GrabberSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\GrabberSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\GrabberSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\GrabberSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI26042\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\GrabberSetup.exe

Filesize
23.0MB

MD5
9d9c14703478e03361974673efa1f72e

SHA1
96440e4c8ce1e9289fb813b6d187e32a3661a73b

SHA256
589eb4c483686c5fc04d2b1f2fce6a0fffecba29ccb8e052dc99f3a8781b318e

SHA512
8c6028aa949e727428ae2292e3b60aa05b69dea4ea14d8acf17f6b8d7b90a264d64f8111f9ddddfa35d0cb3c658952ce9099ea303c93292fbb7cce4679dee9bb

Download Submit
memory/2256-4-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2532-36-0x000007FEF5890000-0x000007FEF5E79000-memory.dmp

Filesize
5.9MB

Download