9e07f1698a5121a3ad7379c3296671ee44e4dd414d5ba15d8d9fa68786504a2e

Analysis

max time kernel
1794s
max time network
1146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2024, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

r6sfarm.exe
Size

65.5MB
MD5

d05eeda22575ac3012030aeca06db3eb
SHA1

e19bb59d10d6728683c41b72b65c9aba7583bdbc
SHA256

ece00254e59b2462de78e7858751e5b4fbeadb166510ef413cb730743d3f82ba
SHA512

b9ddd7ad80e1c22f95bc663869518b20c7fc244f5187c7766a7e9b5b0a66a62b561614baed8887dd04459f3d6bf7c612535261f151728e4abffe4d9d28dd87ce
SSDEEP

1572864:Yjo8S1ril7h9rW1LrKiqm2T17nD0C2aDPDfJ2zO2xWeiBmc:YHSBM7h9QLfqmY1DnDPDMzO2xUgc

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 40 IoCs

pid	Process
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe
4664	r6sfarm.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 4664	5028	r6sfarm.exe	88
PID 5028 wrote to memory of 4664	5028	r6sfarm.exe	88
PID 4664 wrote to memory of 3132	4664	r6sfarm.exe	89
PID 4664 wrote to memory of 3132	4664	r6sfarm.exe	89

C:\Users\Admin\AppData\Local\Temp\r6sfarm.exe
"C:\Users\Admin\AppData\Local\Temp\r6sfarm.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\r6sfarm.exe
  "C:\Users\Admin\AppData\Local\Temp\r6sfarm.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI50282\PIL\_imaging.cp311-win_amd64.pyd

Filesize
2.3MB

MD5
61e3529342c607a50aef953632b04b71

SHA1
ff5caaef380d454e95641554a69c50b3a5f6ac3a

SHA256
d85afbdcef2a9e5975367859f28ff2c4a37afc5dac3879bcd755f230bc217060

SHA512
91ea39402fd108f20d00485eefd1fd4d5e62e8554e920b24c899d744699a8fa23cc39f3449ef6810898093574cc04e5363867e04887fb898d9485c105ec43fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\_bz2.pyd

Filesize
82KB

MD5
4438affaaa0ca1df5b9b1cdaa0115ec1

SHA1
4eda79eaf3de614d5f744aa9eea5bfcf66e2d386

SHA256
ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85

SHA512
6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\_ctypes.pyd

Filesize
120KB

MD5
6114277c6fc040f68d25ca90e25924cd

SHA1
028179c77cb3ba29cd8494049421eaa4900ccd0e

SHA256
f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656

SHA512
76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\_hashlib.pyd

Filesize
63KB

MD5
1524882af71247adecf5815a4e55366a

SHA1
e25014c793c53503bdff9af046140edda329d01b

SHA256
6f7742dfdd371c39048d775f37df3bc2d8d4316c9008e62347b337d64ebed327

SHA512
5b954bb7953f19aa6f7c65ad3f105b77d37077950fb1b50d9d8d337bdd4b95343bac2f4c9fe17a02d1738d1f87eeef73dbbf5cdddcb470588cbc5a63845b188a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\_lzma.pyd

Filesize
155KB

MD5
737119a80303ef4eccaa998d500e7640

SHA1
328c67c6c4d297ac13da725bf24467d8b5e982e3

SHA256
7158c1290ac29169160b3ec94d9c8bcde4012d67a555f325d44b418c54e2cc28

SHA512
1c9920e0841a65b01a0b339c5f5254d1039ef9a16fe0c2484a7e2a9048727f2cc081817aa771b0c574fb8d1a5a49dc39798a3c5e5b5e64392e9c168e1827be7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\_queue.pyd

Filesize
31KB

MD5
8bbed19359892f8c95c802c6ad7598e9

SHA1
773fca164965241f63170e7a1f3a8fa17f73ea18

SHA256
4e5b7c653c1b3dc3fd7519e4f39cc8a2fb2746e0ecdc4e433fe6029f5f4d9065

SHA512
22ea7667689a9f049fa34ddae6b858e1af3e646a379d2c5a4aef3e74a4ff1a4109418b363c9be960127f1c7e020aa393a47885bc45517c9e9aebe71ec7cb61a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\_socket.pyd

Filesize
77KB

MD5
64a6c475f59e5c57b3f4dd935f429f09

SHA1
ca2e0719dc32f22163ae0e7b53b2caadb0b9d023

SHA256
d03fa645cde89b4b01f4a2577139fbb7e1392cb91dc26213b3b76419110d8e49

SHA512
cf9e03b7b34cc095fe05c465f9d794319aaa0428fe30ab4ddce14ba78e835edf228d11ec016fd31dfe9f09d84b6f73482fb8e0f574d1fd08943c1ec9e0584973

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\_tkinter.pyd

Filesize
62KB

MD5
89f47cd630f7dfa63268fbc52d04f9e9

SHA1
0cc250df4c2f44d8ca8820756f9f05df1e893e28

SHA256
8e4cab61b3838f9545b5d1e0b287f18c22d360b8e6a8daca4178cc69df78f83d

SHA512
bd2406ea0d5396df0153ac22ce55ca49615291ead6419a96e99007ac85059054a718c4f98942e0adb23da85899f145504b79772866d683a9a686fde6ade784e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\base_library.zip

Filesize
1.8MB

MD5
bbbf46529c77f766ef219f4c146e6ef5

SHA1
de07c922c7f4ba08bc1a62cf3fabddecc64f877e

SHA256
734e277712e823fca86ca75bf5d4f85a21893208e683c4ab407be10c3b9052dc

SHA512
3371a3a806dac2cfec59cc42937b348af67e190a8d575efc6a81ec3d8b215f8a0cb94010142f9d02c8881040a2d6b8364d124f85285d9b3b04f36226fb4fae66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\cv2\__init__.py

Filesize
6KB

MD5
eab99b31f1fd18e46e6e081ba3b5c06e

SHA1
9ca76b1097d58ef9c652aebfbeff32bfec17b25b

SHA256
b05b8000c71987cd4df824c1ed134b7fcd34617665e437b1aaec128f93d7f1c3

SHA512
7c4ea4a28f7876249b503155187bd59bcd9cf18a80264c8892e59e9fd7f3d461c91afc4c3c177dba48e1dfdd0feb5705b54b504f7daa886a2a0b72fddd1e80fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\libcrypto-3.dll

Filesize
4.9MB

MD5
7a6a8c2a8c379b111cdceb66b18d687d

SHA1
f3b8a4c731fa0145f224112f91f046fddf642794

SHA256
8e13b53ee25825b97f191d77b51ed03966f8b435773fa3fbc36f3eb668fc569b

SHA512
f2ef1702df861ef55ef397ad69985d62b675d348cab3862f6ca761f1ce3ee896f663a77d7b69b286be64e7c69be1215b03945781450b186fc02cfb1e4cb226b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\numpy.libs\libopenblas64__v0.3.23-293-gc2f4bdbb-gcc_10_3_0-65e29aac85b9409a6008e2dc84b1cc09.dll

Filesize
36.4MB

MD5
3ae3db22fccddb9042717ee1e0bde78a

SHA1
cadc97f2a29628fe6b3ccb1327c36689aabb291c

SHA256
ec0e0fd2c2b0e41cd8fbd1c91d5185c6f00c3d1849cac73106f2d5a31a01e7a9

SHA512
cfbd9229f49d3064ec8ce470a9881e2b6b789e7cc6557621df40e646d0b0bb6647f19ecc228f5e9f935825eee835f3c44a4d88b48c1fb00753bf89f71ad9870d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\numpy\core\_multiarray_tests.cp311-win_amd64.pyd

Filesize
63KB

MD5
2b5e26de9d30a8400244b157cc2ebe9b

SHA1
d908aa8749217b8ef7e147653029e61f39540a93

SHA256
09caf8d9423a7fae9e1caf09dc26035ba7c3ea42d8894692e85a1310b6300513

SHA512
53f2fc20b493bf5a3b06ff7c0f11e4c8be0d5cd66f9eac7bdc1181825f7631a776a092d031434e2e6d7ba0ba4ff78aec7409080d32221938afb191fb88ede6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\numpy\core\_multiarray_umath.cp311-win_amd64.pyd

Filesize
2.7MB

MD5
3ddceaa5e94a301f6647146df669f855

SHA1
8741ca73f8e342cd59f4f474ccbb5b8b223f92b8

SHA256
c8c812c71b9d28b4b75d4c292a61411c5a4c73361a0d66fa09b001aabafa64fc

SHA512
6407ca74fead355cc0e1e9be2655146a8422c4037d398fb1e68bd2c56436801b2345ef8159b6a2209ed0b88b963092373e55432d994b5605468b34dc8cbc1c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\numpy\fft\_pocketfft_internal.cp311-win_amd64.pyd

Filesize
107KB

MD5
e18f17f17775a17ccdd2084953da0e9c

SHA1
2d293b81c9009669f748c3a2765ccdbe87a318e9

SHA256
fcead54ade263e75f3eca52652aabd07abe71933cc6dd52c6a9ae6bc990fa611

SHA512
654268c2f347a99bf47bbdfb0f80a2153f169ca1488dc3174c40783df07c669a0b5619dbb01030982126c310b1ebb97f44dc1a6075388bc7c3f35ac8764b745b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\numpy\linalg\_umath_linalg.cp311-win_amd64.pyd

Filesize
104KB

MD5
7888817fb543bf896d54a796bf074baa

SHA1
a745ecbd4e4bb106f229cac5bc9b5a0e71976700

SHA256
e9ae6732f55efd2e446b84ef056d3953b66b0d62a35d533efa909c9b87d4323c

SHA512
3c38ee35d4d12ff6cf2c40442d6de18edfbb24d059eaf37e5f532f1239a390349a1d419f63937def2c1e4bd48df395b2a6b9a4b1680694cffdcfb940748726e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\numpy\random\_bounded_integers.cp311-win_amd64.pyd

Filesize
251KB

MD5
20e48c1a5274279c7c59ac53409db992

SHA1
743bb492d06bb84116088d44601c6eea4ec7899f

SHA256
2d70cb076a036e5a846d35c16cd77c03912517cc30b3e53a2e0fce264776ae05

SHA512
f84f8158dbfb0a636175bba1f1cceaf5b353e9cf9514c0c400b50b49f3f9026d0bfe63c1aff440f19e12a0c9a491f3f22f29684ec4488993c436dfdd77f989e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\numpy\random\_common.cp311-win_amd64.pyd

Filesize
171KB

MD5
a0180fedef6502d6dce244f16adf47d3

SHA1
173afb44a3c8d0973e6966506779ae96c678997b

SHA256
63ae4651882862dd0a2941d49d32366265caf9a1565046ffe5d37d8844b49207

SHA512
ea47c7fe0f1652aee22a23f7371613386a3810d037d53b188dbb69607d6f5cffe78076d20b6c057aba2fb39404f5b8d251c0322c72476ba624e34908f56efd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\numpy\random\_mt19937.cp311-win_amd64.pyd

Filesize
74KB

MD5
fbb184e5bc6bdea4c6cefb12dfac77dc

SHA1
bdfbee75cbc3f6d8d43841bc2c305a8ed67032bf

SHA256
181d7c82f2e454b7aba516d0a8e104fbc52f8be6e0b23dd0ff124048ee028c60

SHA512
ff3a343d6dfb120b384ceba348b889a65950d7f2b9b7531f6f3fe17b899152311a782ca0e151a2557ac5f823867024dfe9f92f203cd65c3a28405b374228681d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\numpy\random\_pcg64.cp311-win_amd64.pyd

Filesize
81KB

MD5
c408a9cc83f9ee205fa011816aa9112e

SHA1
03d5189b3ab12fc66f474bf183038a04e7838766

SHA256
522eae4ded33825521f453ec5bc7b1302169b63241287e9f5566c71419105456

SHA512
70d053d6e32f3c75edcd4760b6965e8762d5044de60285fef51e181c59df15bc391dedd49b8e8d849d97fe420aca412029edb8c4f85ae6644074cef39fce3486

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\numpy\random\_philox.cp311-win_amd64.pyd

Filesize
68KB

MD5
bc9d9eacbc3d1bfef21eaf5fa041f472

SHA1
f988d9bb1d333c81b2ac1c4a9132082493643272

SHA256
f43f15ce68013d2ee6dce012bd724a69a61cabd41a9d84305add772d48c70609

SHA512
bfbffa0696d16fc891f91122925a3a747f09380cd58c2a80bdd5ed0d6b42ba5d8db77b466c64413fc9f80319c3d0eb35ee708e719447c3414b69b00cbe35c6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\numpy\random\bit_generator.cp311-win_amd64.pyd

Filesize
160KB

MD5
33e5ac078ed5d359102c6243efe8b0c4

SHA1
2e20663096334698d8b7d014f80b66ccb9d8c537

SHA256
4705c57b1dc6671b1aebd74982135f218a390e287d408dcdfa3b668130c09f42

SHA512
ebcbdb712e8660e23026f4b4c6b3046f585ec284b2cf4b1262843159d501d2100c39ccbc280e22787a45c3cc285f07bb3e7130b61d4bb2866d40c7301aab3fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\numpy\random\mtrand.cp311-win_amd64.pyd

Filesize
583KB

MD5
01c3709e0ca12723e6376b39572795e1

SHA1
cc924887296e7c82c2a619128a0a8006a8e717e1

SHA256
36c707e442dbc4c509c7514645e8e3fe95d88bea227bae33fb979b4b84ce0dee

SHA512
991f9b07e9daf70f14fab6ee7fc5930c35ee12081367210b7a48f9ef69aba3c76eafd27457c6e9c39834b8546dc068ca30d8bd48278e6809cd9bb8b271c8ef0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\pyexpat.pyd

Filesize
194KB

MD5
cdcf0e74a32ad7dfeda859a0ce4fcb20

SHA1
c72b42a59ba5d83e8d481c6f05b917871b415f25

SHA256
91fe5b1b2de2847946e5b3f060678971d8127dfd7d2d37603fdcd31bd5c71197

SHA512
c26fdf57299b2c6085f1166b49bd9608d2dd8bc804034ebb03fb2bba6337206b6018bf7f74c069493ffae42f2e9d6337f6f7df5306b80b63c8c3a386bce69ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\python3.DLL

Filesize
65KB

MD5
0e105f62fdd1ff4157560fe38512220b

SHA1
99bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c

SHA256
803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423

SHA512
59c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\python311.dll

Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\select.pyd

Filesize
29KB

MD5
653bdccb7af2aa9ccf50cb050fd3be64

SHA1
afe0a85425ae911694c250ab4cb1f6c3d3f2cc69

SHA256
e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279

SHA512
07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\tcl86t.dll

Filesize
1.8MB

MD5
ac6cd2fb2cd91780db186b8d6e447b7c

SHA1
b387b9b6ca5f0a2b70028ab2147789c4fe24ef7a

SHA256
a91781fe13548b89817462b00058a75fb0b607ec8ce99d265719ced573ade7b6

SHA512
45b24ca07a44d8d90e5efeded2697a37f000b39d305fe63a67292fdd237de3f8efd5e85b139b5702faa695f9f27f12f24ac497e005e2f3c24c141d7cd85305b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\tcl\encoding\cp1252.enc

Filesize
1KB

MD5
e9117326c06fee02c478027cb625c7d8

SHA1
2ed4092d573289925a5b71625cf43cc82b901daf

SHA256
741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e

SHA512
d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\tk86t.dll

Filesize
1.5MB

MD5
499fa3dea045af56ee5356c0ce7d6ce2

SHA1
0444b7d4ecd25491245824c17b84916ee5b39f74

SHA256
20139f4c327711baf18289584fa0c8112f7bb3ba55475bded21f3d107672ed94

SHA512
d776749effa241ba1415b28d2fcff1d64ed903569a8c4e56dfddd672a53b2f44119734b1959b72a9b3f4060bb2c67b7dea959cc2d4a8e9f781f17009c6840fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50282\ucrtbase.dll

Filesize
1.1MB

MD5
3b337c2d41069b0a1e43e30f891c3813

SHA1
ebee2827b5cb153cbbb51c9718da1549fa80fc5c

SHA256
c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

SHA512
fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

Download Submit
memory/4664-1103-0x00007FFE6E910000-0x00007FFE709C6000-memory.dmp

Filesize
32.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads