Analysis

max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 14:40
Static task: static1
Behavioral task: behavioral1
Sample: aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
Resource: win7-20240221-en
General

Target: aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
Size: 4.5MB
MD5: 39103d2ddc8be33f1c9ecd4f66631ef1
SHA1: 9d0f8e138071ba7ef007c4782d1de5c9dbdb39e1
SHA256: aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5
SHA512: e3314f5af251043193c563969840cb9c18e7942980ed143c50e813473d7c37d3daa2f26e1c26a0a48d38452c9546f953fe66b4e23cd1dc7a59c9eefc5c438e9e
SSDEEP: 98304:cfUb8pAxsOBSexdGzByOahalkaX7EgPHx8lPw2GiqVGf2s7x9tMOmn:cfU+OsvwoYOau3gosPbk4f/b0
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  PID 2016  aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
  PID 2492  pythonw.exe

Loads dropped DLL (4 IoCs)
Processes:
  PID 1336  aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
  PID 2016  aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
  PID 2016  aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
  PID 2492  pythonw.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description / pid / process / target process):
  PID 1336 wrote to memory of 2016 / 1336 / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
  PID 1336 wrote to memory of 2016 / 1336 / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
  PID 1336 wrote to memory of 2016 / 1336 / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
  PID 1336 wrote to memory of 2016 / 1336 / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
  PID 1336 wrote to memory of 2016 / 1336 / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
  PID 1336 wrote to memory of 2016 / 1336 / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
  PID 1336 wrote to memory of 2016 / 1336 / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
  PID 2016 wrote to memory of 2492 / 2016 / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe / pythonw.exe
  PID 2016 wrote to memory of 2492 / 2016 / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe / pythonw.exe
  PID 2016 wrote to memory of 2492 / 2016 / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe / pythonw.exe
  PID 2016 wrote to memory of 2492 / 2016 / aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe / pythonw.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

2. (child of 1) C:\Windows\Temp\{C61949FA-88B9-41B3-977C-E9EC2373AD1F}\.cr\aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
   Command line: "C:\Windows\Temp\{C61949FA-88B9-41B3-977C-E9EC2373AD1F}\.cr\aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

3. (child of 2) C:\Windows\Temp\{D9A6594B-1A7A-455C-9EEE-AA94A7209962}\.ba\pythonw.exe
   Command line: "C:\Windows\Temp\{D9A6594B-1A7A-455C-9EEE-AA94A7209962}\.ba\pythonw.exe"
   - Executes dropped EXE
   - Loads dropped DLL
Downloads

C:\Windows\Temp\{D9A6594B-1A7A-455C-9EEE-AA94A7209962}\.ba\python310.dll
  Filesize: 4.3MB
  MD5: ba6483887ff60e3a7c5eebbba62ed060
  SHA1: 964c38a1c2519f7368ef2c94fbba6a24856d3fe3
  SHA256: 198db1aeac214915511a90095b867935d197e419423134fd1f8934e81498e89f
  SHA512: 0cf38a6177676554b74582691548325240d5ebfbb6a562a392a69aea01944038aa82d90017720998d08ee3eb6e517d0a6b367eac2197ffa27deeca4217fb2fad

\Windows\Temp\{C61949FA-88B9-41B3-977C-E9EC2373AD1F}\.cr\aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
  Filesize: 4.4MB
  MD5: e3635175852f9b41caa9e0b1f7484dbf
  SHA1: ceab4f1b5ead34586addcd351b9528c2dc5627e1
  SHA256: 5de2f55d796eb45ec0136e33108d3b1fd1220335d061371718b0b42301bb7bd2
  SHA512: ceba4d44e64c3386aeac70d7ee4f6dc468626f6e7e80fc01a28b07cc28a160d03d8f6ecc36f419b9c8bf6a6c942d4aa53602a26952359c36b39be4bd51428a7f

\Windows\Temp\{D9A6594B-1A7A-455C-9EEE-AA94A7209962}\.ba\Tiderip.dll
  Filesize: 1.2MB
  MD5: a632842bba74492720c9a6f9a8ad231c
  SHA1: f361debaf17b08174e49ed9a35d99bffb3dc0510
  SHA256: 52b6310d121e91b42a44c24bfd6d1369d1d4388c56260dd4b05ac06225bab8d8
  SHA512: 0f36c56e7ce72860633b76ceb524c8cd3b634c2f672a7106438de4b4a5ea0a828fe1f67680d1414ff92432f70d762262e6c83427bdae794ac16549c38972d0d4

\Windows\Temp\{D9A6594B-1A7A-455C-9EEE-AA94A7209962}\.ba\pythonw.exe
  Filesize: 94KB
  MD5: 9a4cc0d8e7007f7ef20ca585324e0739
  SHA1: f3e5a2e477cac4bab85940a2158eed78f2d74441
  SHA256: 040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92
  SHA512: 54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

memory/2016-15-0x00000000696C0000-0x00000000697F0000-memory.dmp
  Filesize: 1.2MB