78ccd648e38911593ca795723175309fa27f58cc174cd8e6ce435fb2862f69a7

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Log checker.exe
Size

16.0MB
MD5

7bbfb8d2359f13dab444803e9a0fd5e0
SHA1

bd5896b6d3e1576567db303de9c1d6ae35a86b2d
SHA256

9855b51749951297120268dcef92442bddc39c8374c2e8edbe4e80fcddc09966
SHA512

150d66304c01d000d74f550c34ba475422a028171df160962faa60391b49d59a39533aeb9a4affc4de44f3a1f2ba0e622cf1d1e92d0b6dc72c47179b387a568c
SSDEEP

393216:zlPiKyPxsHjFofQo5xHSdX30GVrSVSJ3QJIIg++462:zlKlZ6mYsx0rVrdJ3qgw62

Score

7^/10

pyinstaller

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2136	creal.exe
2384	creal.exe

Loads dropped DLL 3 IoCs

pid	Process
3056	Log checker.exe
2136	creal.exe
2384	creal.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000d00000001226c-5.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2136	3056	Log checker.exe	28
PID 3056 wrote to memory of 2136	3056	Log checker.exe	28
PID 3056 wrote to memory of 2136	3056	Log checker.exe	28
PID 2136 wrote to memory of 2384	2136	creal.exe	29
PID 2136 wrote to memory of 2384	2136	creal.exe	29
PID 2136 wrote to memory of 2384	2136	creal.exe	29

C:\Users\Admin\AppData\Local\Temp\Log checker.exe
"C:\Users\Admin\AppData\Local\Temp\Log checker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\creal.exe
  "C:\Users\Admin\AppData\Local\Temp\creal.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\creal.exe
    "C:\Users\Admin\AppData\Local\Temp\creal.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI21362\python312.dll

Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
\Users\Admin\AppData\Local\Temp\creal.exe

Filesize
16.2MB

MD5
f1ff8286a79c2448162494964947121a

SHA1
351ee4e12a653277c3ab9bbd0298d07995b4fe9e

SHA256
0fe01e43fa1cf10cd81ae3502bfae0f18935787f2b43c9a40f76d896c3384f55

SHA512
dbb80fc9fe67ae7bd0c0fc23ae7af042810d8f7fa0e0c7fa379aa7a37d45c80f1d58fd4500c955d2b33278b90c60685b175ed5eb70063e2534051e5ad2a6d3e5

Download Submit
memory/3056-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

Filesize
4KB

Download
memory/3056-1-0x00000000011A0000-0x00000000021A2000-memory.dmp

Filesize
16.0MB

Download
memory/3056-2-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/3056-9-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download