ad55d24fac5d5589bf1736d5e6c91382588c5b033028221d043ee348a1530351

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Electron_V3.rar
Size

9.2MB
MD5

fbe283fc15dc57ad0f25d72dedb8a5b9
SHA1

beb76515f083d88672b823f3e2ef9b836454a557
SHA256

ad55d24fac5d5589bf1736d5e6c91382588c5b033028221d043ee348a1530351
SHA512

cea048ea437ee03a99ec3b8845bd8b9c08ffef1d37267ad691ed0b1825f9540a1395debcd9ec5c306f9f22e372feb876e77a418b524d0b41d8e08b2da7cc8223
SSDEEP

196608:our/N03RNWweQm1VNd4i+8ti++GKEJ6LS2cerBvRJIsRi:1rALWweQInd4hZ++GKEJb2pvXIsk

Score

7^/10

pyinstaller upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1468	ElectronV3.exe
2032	ElectronV3.exe

Loads dropped DLL 5 IoCs

pid	Process
2632	7zFM.exe
1468	ElectronV3.exe
2032	ElectronV3.exe
1192	Process not Found
1192	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019c2b-89.dat	upx
behavioral1/memory/2032-91-0x000007FEF53F0000-0x000007FEF5855000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0031000000018649-35.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2632	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2632	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2632	7zFM.exe
Token: 35	2632	7zFM.exe
Token: SeSecurityPrivilege	2632	7zFM.exe
Token: SeSecurityPrivilege	2632	7zFM.exe
Token: SeSecurityPrivilege	2632	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2632	7zFM.exe
2632	7zFM.exe
2632	7zFM.exe
2632	7zFM.exe
2632	7zFM.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2632	1896	cmd.exe	29
PID 1896 wrote to memory of 2632	1896	cmd.exe	29
PID 1896 wrote to memory of 2632	1896	cmd.exe	29
PID 2632 wrote to memory of 1468	2632	7zFM.exe	34
PID 2632 wrote to memory of 1468	2632	7zFM.exe	34
PID 2632 wrote to memory of 1468	2632	7zFM.exe	34
PID 1468 wrote to memory of 2032	1468	ElectronV3.exe	35
PID 1468 wrote to memory of 2032	1468	ElectronV3.exe	35
PID 1468 wrote to memory of 2032	1468	ElectronV3.exe	35

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Electron_V3.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Electron_V3.rar"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\7zO84A51337\ElectronV3.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO84A51337\ElectronV3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\7zO84A51337\ElectronV3.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO84A51337\ElectronV3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2032

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO84A51337\ElectronV3.exe

Filesize
19.3MB

MD5
6c58afddbf1cfb6508ae8850cce5ff83

SHA1
e65d692de987d61b8e0da027ebba7fedce36388a

SHA256
d969b54cbe96cf4b85769e4786950fc1ed1efcc089ae52d95f7d2e2b40fb5528

SHA512
4bd32e870ea38c8af1d6bc3ee3cf09c242eb5537cd69f225a6da057abf0260d08807b035648f594a6d29c407e4b6948d6478aa41244ba40a0044ccb560b0e84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14682\python310.dll

Filesize
1.4MB

MD5
90d5b8ba675bbb23f01048712813c746

SHA1
f2906160f9fc2fa719fea7d37e145156742ea8a7

SHA256
3a7d497d779ff13082835834a1512b0c11185dd499ab86be830858e7f8aaeb3e

SHA512
872c2bf56c3fe180d9b4fb835a92e1dc188822e9d9183aab34b305408bb82fba1ead04711e8ad2bef1534e86cd49f2445d728851206d7899c1a7a83e5a62058e

Download Submit
memory/2032-91-0x000007FEF53F0000-0x000007FEF5855000-memory.dmp

Filesize
4.4MB

Download