a1e9d2a0a36f1cb5b3fd09a3e07335f9987549fca015428369043031e2cc67cc

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 16:13

Target

pppwn GUI/PPPwn GUI 1.5.exe
Size

20.1MB
MD5

7b72bb8284553c8d777c1a64ae06f5ca
SHA1

8aad5238aec545849cd4785a56147cef8b07fad4
SHA256

45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2
SHA512

aa68212a8b810ba9a799a1dda9fd07b2ebecb7eaee26f3abd844f16877d482b8c5712661f51959a20008a57e375bbd2a3e2da80de08ed6d6fa6cc6e84f130217
SSDEEP

393216:BLks+O16QIg1ugcnq8PG8dU6XmDGZ8ZZHPx3gZpVYGA9xJRYl:1Nd1ugcn9GL62DGOZZHZkt8

Score

7^/10

pyinstaller

Executes dropped EXE 1 IoCs

Processes:

pppwn_.exe

pid process

1220 pppwn_.exe

pid	process
1220	pppwn_.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe	pyinstaller

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1776 taskkill.exe
432 taskkill.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1776 taskkill.exe
Token: SeDebugPrivilege 432 taskkill.exe

pid	process
1776	taskkill.exe
432	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PPPwn GUI 1.5.execmd.execmd.exe

description	pid	process	target process
PID 4560 wrote to memory of 2416	4560	PPPwn GUI 1.5.exe	cmd.exe
PID 4560 wrote to memory of 2416	4560	PPPwn GUI 1.5.exe	cmd.exe
PID 4560 wrote to memory of 2416	4560	PPPwn GUI 1.5.exe	cmd.exe
PID 2416 wrote to memory of 1776	2416	cmd.exe	taskkill.exe
PID 2416 wrote to memory of 1776	2416	cmd.exe	taskkill.exe
PID 2416 wrote to memory of 1776	2416	cmd.exe	taskkill.exe
PID 4560 wrote to memory of 2988	4560	PPPwn GUI 1.5.exe	cmd.exe
PID 4560 wrote to memory of 2988	4560	PPPwn GUI 1.5.exe	cmd.exe
PID 4560 wrote to memory of 2988	4560	PPPwn GUI 1.5.exe	cmd.exe
PID 2988 wrote to memory of 432	2988	cmd.exe	taskkill.exe
PID 2988 wrote to memory of 432	2988	cmd.exe	taskkill.exe
PID 2988 wrote to memory of 432	2988	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\pppwn GUI\PPPwn GUI 1.5.exe
"C:\Users\Admin\AppData\Local\Temp\pppwn GUI\PPPwn GUI 1.5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /IM pppwn_.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /IM pppwn_.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe
"C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe" --interface="Ethernet" --fw=1100 --stage1=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage1\stage1_1100.bin --stage2=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage2\stage2_1100.bin
2⤵
- Executes dropped EXE
PID:1220

C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe
Filesize
8.2MB

MD5
4495b20ab591002c3dddbe78ad8039aa

SHA1
4c05606b4caadac43cd87b9edc9618e193b318c1

SHA256
1d97f2c2368e6c727d3bfeab62e256fb5ab1cfa877342b03b7c9b7858b121327

SHA512
466b911df96f83b3995e6205e45056aa612b177c9ee12f039935c61cdec6cafe1b46a49ae3216e1d0fecee214799b79edf61d58222df9c1e088854d52365b4fa

Download Submit
memory/4560-6-0x0000000007900000-0x000000000790A000-memory.dmp

Filesize
40KB

Download
memory/4560-2-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/4560-3-0x0000000007F00000-0x00000000084A4000-memory.dmp

Filesize
5.6MB

Download
memory/4560-4-0x0000000007950000-0x0000000007E44000-memory.dmp

Filesize
5.0MB

Download
memory/4560-5-0x0000000007E40000-0x0000000007ED2000-memory.dmp

Filesize
584KB

Download
memory/4560-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/4560-7-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4560-8-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4560-50-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/4560-51-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4560-52-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4560-1-0x0000000000C80000-0x0000000002E2A000-memory.dmp

Filesize
33.7MB

Download