Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 29/05/2024, 06:59
Behavioral task: behavioral1
Sample: 45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe
Resource: win10v2004-20240426-en
General
Target: 45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe
Size: 20.1MB
MD5: 7b72bb8284553c8d777c1a64ae06f5ca
SHA1: 8aad5238aec545849cd4785a56147cef8b07fad4
SHA256: 45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2
SHA512: aa68212a8b810ba9a799a1dda9fd07b2ebecb7eaee26f3abd844f16877d482b8c5712661f51959a20008a57e375bbd2a3e2da80de08ed6d6fa6cc6e84f130217
SSDEEP: 393216:BLks+O16QIg1ugcnq8PG8dU6XmDGZ8ZZHPx3gZpVYGA9xJRYl:1Nd1ugcn9GL62DGOZZHZkt8
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  940   pppwn_.exe
  1892  pppwn_.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1044  45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe
  1892  pppwn_.exe

Detects Pyinstaller (1 IoC)
  resource                                     yara_rule
  behavioral1/files/0x0007000000016be2-48.dat  pyinstaller

Kills process with taskkill (2 IoCs)
  pid   Process
  2024  taskkill.exe
  2968  taskkill.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2024  taskkill.exe
  Token: SeDebugPrivilege  2968  taskkill.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 1044 wrote to memory of 2064  1044  45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe  28
  PID 1044 wrote to memory of 2064  1044  45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe  28
  PID 1044 wrote to memory of 2064  1044  45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe  28
  PID 1044 wrote to memory of 2064  1044  45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe  28
  PID 2064 wrote to memory of 2024  2064  cmd.exe                                                                 30
  PID 2064 wrote to memory of 2024  2064  cmd.exe                                                                 30
  PID 2064 wrote to memory of 2024  2064  cmd.exe                                                                 30
  PID 2064 wrote to memory of 2024  2064  cmd.exe                                                                 30
  PID 1044 wrote to memory of 2204  1044  45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe  32
  PID 1044 wrote to memory of 2204  1044  45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe  32
  PID 1044 wrote to memory of 2204  1044  45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe  32
  PID 1044 wrote to memory of 2204  1044  45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe  32
  PID 2204 wrote to memory of 2968  2204  cmd.exe                                                                 34
  PID 2204 wrote to memory of 2968  2204  cmd.exe                                                                 34
  PID 2204 wrote to memory of 2968  2204  cmd.exe                                                                 34
  PID 2204 wrote to memory of 2968  2204  cmd.exe                                                                 34
  PID 1044 wrote to memory of 940   1044  45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe  35
  PID 1044 wrote to memory of 940   1044  45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe  35
  PID 1044 wrote to memory of 940   1044  45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe  35
  PID 1044 wrote to memory of 940   1044  45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe  35
  PID 940 wrote to memory of 1892   940   pppwn_.exe                                                              37
  PID 940 wrote to memory of 1892   940   pppwn_.exe                                                              37
  PID 940 wrote to memory of 1892   940   pppwn_.exe                                                              37
  PID 940 wrote to memory of 1892   940   pppwn_.exe                                                              37
Processes (tree; indentation shows parent/child level)

[1] C:\Users\Admin\AppData\Local\Temp\45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\45f2d7215b13d44264aa07e4c01374d1cdf9dcd76b43de912062fb6e2ce537e2.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1044

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd.exe" /C taskkill /IM pppwn_.exe /f
        - Suspicious use of WriteProcessMemory
        PID: 2064

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /IM pppwn_.exe /f
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID: 2024

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd.exe" /C taskkill /IM pppwn_.exe /f
        - Suspicious use of WriteProcessMemory
        PID: 2204

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /IM pppwn_.exe /f
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID: 2968

    [2] C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe
        Command line: "C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe" --interface="" --fw=1100 --stage1=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage1\stage1_1100.bin --stage2=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage2\stage2_1100.bin
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 940

        [3] C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe
            Command line: "C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe" --interface="" --fw=1100 --stage1=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage1\stage1_1100.bin --stage2=C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage2\stage2_1100.bin
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 1892
Network
MITRE ATT&CK Matrix
Downloads

File 1
  Filesize: 4.7MB
  MD5: 68193b0ed6bb05e7bf70e380852a4e58
  SHA1: 842c0346cfbc140988f00c91b575f9b81de94b26
  SHA256: d08c8e21a93e60c13ebe30a805f0276e0c8950e4a8af76e6271f1e7264440110
  SHA512: f15bbbad656b67e3ece46c9fd624e360471c96cadc636b098b85eb7b37d3d0b06ec774dc843262bcdb3524f4d6bd2659965219dc35c156cd7f60e2f48388b441

File 2
  Filesize: 8.2MB
  MD5: 4495b20ab591002c3dddbe78ad8039aa
  SHA1: 4c05606b4caadac43cd87b9edc9618e193b318c1
  SHA256: 1d97f2c2368e6c727d3bfeab62e256fb5ab1cfa877342b03b7c9b7858b121327
  SHA512: 466b911df96f83b3995e6205e45056aa612b177c9ee12f039935c61cdec6cafe1b46a49ae3216e1d0fecee214799b79edf61d58222df9c1e088854d52365b4fa