Overview

overview

8

Static

static

3

A Installe...up.exe

windows7-x64

7

A Installe...up.exe

windows10-2004-x64

4

A Installe...er.bat

windows7-x64

1

A Installe...er.bat

windows10-2004-x64

1

A Installe...er.bat

windows7-x64

1

A Installe...er.bat

windows10-2004-x64

1

A Installe...at.exe

windows7-x64

1

A Installe...at.exe

windows10-2004-x64

6

A Installe...79.exe

windows7-x64

8

A Installe...79.exe

windows10-2004-x64

8

NPFInstall.exe

windows7-x64

4

NPFInstall.exe

windows10-2004-x64

4

x64/NPFInstall.exe

windows7-x64

4

x64/NPFInstall.exe

windows10-2004-x64

4

A Installe...64.exe

windows7-x64

4

A Installe...64.exe

windows10-2004-x64

4

GoldHEN-beta.zip

windows7-x64

1

GoldHEN-beta.zip

windows10-2004-x64

1

GoldHEN-be...en.bin

windows7-x64

3

GoldHEN-be...en.bin

windows10-2004-x64

3

pppwn GUI/....5.exe

windows7-x64

7

pppwn GUI/....5.exe

windows10-2004-x64

7

pppwn.pyc

windows7-x64

3

pppwn.pyc

windows10-2004-x64

3

pppwn GUI/...on.zip

windows7-x64

1

pppwn GUI/...on.zip

windows10-2004-x64

1

Unpacked/p...r2.dll

windows7-x64

1

Unpacked/p...r2.dll

windows10-2004-x64

1

Unpacked/p....5.exe

windows7-x64

7

Unpacked/p....5.exe

windows10-2004-x64

1

Unpacked/p...n_.exe

windows7-x64

7

Unpacked/p...n_.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-05-2024 16:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pppwn GUI/PPPwn GUI 1.5.exe

  • Size

    20.1MB

  • MD5

    7b72bb8284553c8d777c1a64ae06f5ca

  • SHA1

    8aad5238aec545849cd4785a56147cef8b07fad4

  • SHA256

    45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2

  • SHA512

    aa68212a8b810ba9a799a1dda9fd07b2ebecb7eaee26f3abd844f16877d482b8c5712661f51959a20008a57e375bbd2a3e2da80de08ed6d6fa6cc6e84f130217

  • SSDEEP

    393216:BLks+O16QIg1ugcnq8PG8dU6XmDGZ8ZZHPx3gZpVYGA9xJRYl:1Nd1ugcn9GL62DGOZZHZkt8

Score
7/10
pyinstaller

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Kills process with taskkill 2 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pppwn GUI\PPPwn GUI 1.5.exe
    "C:\Users\Admin\AppData\Local\Temp\pppwn GUI\PPPwn GUI 1.5.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2864
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C taskkill /IM pppwn_.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /IM pppwn_.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2356
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C taskkill /IM pppwn_.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /IM pppwn_.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2544
    • C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe
      "C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe" --interface="" --fw=1100 --stage1=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage1\stage1_1100.bin --stage2=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage2\stage2_1100.bin
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe
        "C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe" --interface="" --fw=1100 --stage1=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage1\stage1_1100.bin --stage2=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage2\stage2_1100.bin
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI16202\python311.dll
    Filesize

    4.7MB

    MD5

    68193b0ed6bb05e7bf70e380852a4e58

    SHA1

    842c0346cfbc140988f00c91b575f9b81de94b26

    SHA256

    d08c8e21a93e60c13ebe30a805f0276e0c8950e4a8af76e6271f1e7264440110

    SHA512

    f15bbbad656b67e3ece46c9fd624e360471c96cadc636b098b85eb7b37d3d0b06ec774dc843262bcdb3524f4d6bd2659965219dc35c156cd7f60e2f48388b441

    Download Submit
  • \Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe
    Filesize

    8.2MB

    MD5

    4495b20ab591002c3dddbe78ad8039aa

    SHA1

    4c05606b4caadac43cd87b9edc9618e193b318c1

    SHA256

    1d97f2c2368e6c727d3bfeab62e256fb5ab1cfa877342b03b7c9b7858b121327

    SHA512

    466b911df96f83b3995e6205e45056aa612b177c9ee12f039935c61cdec6cafe1b46a49ae3216e1d0fecee214799b79edf61d58222df9c1e088854d52365b4fa

    Download Submit
  • memory/2864-0-0x0000000074A2E000-0x0000000074A2F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2864-1-0x0000000000820000-0x00000000029CA000-memory.dmp
    Filesize

    33.7MB

    Download
  • memory/2864-2-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2864-3-0x0000000006F70000-0x0000000007464000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2864-4-0x0000000074A20000-0x000000007510E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2864-5-0x0000000074A20000-0x000000007510E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2864-47-0x0000000074A2E000-0x0000000074A2F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2864-48-0x0000000074A20000-0x000000007510E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2864-49-0x0000000074A20000-0x000000007510E000-memory.dmp
    Filesize

    6.9MB

    Download