b50bbb4b93fd8ef7a2876b3743dfda6945e9011f406e71b41897244b0b836467

Analysis

max time kernel
125s
max time network
140s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-08-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

353a75d0ad34c89fbdd11ec9cc6f6ea302f5669c5c1326686f7d328e656d1ea5.exe
Size

9.9MB
MD5

62c272b7dac6fd147b572b0030a2c71d
SHA1

f1a035be486143d307acd6e2d638e0fc51b7fcda
SHA256

353a75d0ad34c89fbdd11ec9cc6f6ea302f5669c5c1326686f7d328e656d1ea5
SHA512

7ce9f1919c55b659b396f446da79025c2f313921c5e0b5cbc37933a9e276fba17c68475a0956600a799252e01384f883ee0b8ed991ed7393b03c8c9d0b3ae38f
SSDEEP

196608:6/oQxmgcsgIfIUpY2Q+dWGejXROJg/g6ZAQjyrDfPKMzWe1iEasMv22KWBgVkYTh:6/NmN/IwUDdzejXRPguAFrr6d22PgOYV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
928	nikymetaabootstrapper.exe

Loads dropped DLL 17 IoCs

pid	Process
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe
928	nikymetaabootstrapper.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 928	4264	353a75d0ad34c89fbdd11ec9cc6f6ea302f5669c5c1326686f7d328e656d1ea5.exe	74
PID 4264 wrote to memory of 928	4264	353a75d0ad34c89fbdd11ec9cc6f6ea302f5669c5c1326686f7d328e656d1ea5.exe	74

C:\Users\Admin\AppData\Local\Temp\353a75d0ad34c89fbdd11ec9cc6f6ea302f5669c5c1326686f7d328e656d1ea5.exe
"C:\Users\Admin\AppData\Local\Temp\353a75d0ad34c89fbdd11ec9cc6f6ea302f5669c5c1326686f7d328e656d1ea5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\onefile_4264_133677861155171014\nikymetaabootstrapper.exe
  C:\Users\Admin\AppData\Local\Temp\353a75d0ad34c89fbdd11ec9cc6f6ea302f5669c5c1326686f7d328e656d1ea5.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_multiprocessing.pyd

Filesize
33KB

MD5
a9a0588711147e01eed59be23c7944a9

SHA1
122494f75e8bb083ddb6545740c4fae1f83970c9

SHA256
7581edea33c1db0a49b8361e51e6291688601640e57d75909fb2007b2104fa4c

SHA512
6b580f5c53000db5954deb5b2400c14cb07f5f8bbcfc069b58c2481719a0f22f0d40854ca640ef8425c498fbae98c9de156b5cc04b168577f0da0c6b13846a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_queue.pyd

Filesize
30KB

MD5
d8c1b81bbc125b6ad1f48a172181336e

SHA1
3ff1d8dcec04ce16e97e12263b9233fbf982340c

SHA256
925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14

SHA512
ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

Filesize
285KB

MD5
d3e74c9d33719c8ab162baa4ae743b27

SHA1
ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b

SHA256
7a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92

SHA512
e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd

Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4264_133677861155171014\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4264_133677861155171014\nikymetaabootstrapper.exe

Filesize
11.5MB

MD5
9685ce38e37784006a3d0cdbd9a8c362

SHA1
646c88acef4e469ff057c9126a3b6548ecad4153

SHA256
504a38e16ff3631ab2a60d0928b161d4af6b88040e154b274cfa08911b2d1db6

SHA512
9e186a4c0c65db75de770b4c512bbe87a446e56d384d8ada72dcb60e8a65778f02d7c21bf600eaf8cfc1bb12c11e6df7bd579bb25576f1171e42592e0581ca9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4264_133677861155171014\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\_brotli.pyd

Filesize
801KB

MD5
ee3d454883556a68920caaedefbc1f83

SHA1
45b4d62a6e7db022e52c6159eef17e9d58bec858

SHA256
791e7195d7df47a21466868f3d7386cff13f16c51fcd0350bf4028e96278dff1

SHA512
e404adf831076d27680cc38d3879af660a96afc8b8e22ffd01647248c601f3c6c4585d7d7dc6bbd187660595f6a48f504792106869d329aa1a0f3707d7f777c6

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
120KB

MD5
1635a0c5a72df5ae64072cbb0065aebe

SHA1
c975865208b3369e71e3464bbcc87b65718b2b1f

SHA256
1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177

SHA512
6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
156KB

MD5
7910fb2af40e81bee211182cffec0a06

SHA1
251482ed44840b3c75426dd8e3280059d2ca06c6

SHA256
d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f

SHA512
bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

Download Submit
memory/928-68-0x000001DB4DC70000-0x000001DB4DC71000-memory.dmp

Filesize
4KB

Download
memory/928-70-0x00007FF6C6FD0000-0x00007FF6C7B84000-memory.dmp

Filesize
11.7MB

Download
memory/928-71-0x00007FF6C6FD0000-0x00007FF6C7B84000-memory.dmp

Filesize
11.7MB

Download
memory/4264-69-0x00007FF7F8D80000-0x00007FF7F979D000-memory.dmp

Filesize
10.1MB

Download
memory/4264-84-0x00007FF7F8D80000-0x00007FF7F979D000-memory.dmp

Filesize
10.1MB

Download