Analysis

  • max time kernel
    7s
  • max time network
    8s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-08-2024 10:47

General

  • Target

    Mail Ripper.exe

  • Size

    9.6MB

  • MD5

    6a7bb2101f69d3872eacac436347bc43

  • SHA1

    209a5d147379c2141d369eed6137160944446bc8

  • SHA256

    0c8036aaa2f7e38f82368895fa42394d8306112f2e1b2712bfb09421b2f3007e

  • SHA512

    dfc66f561826aa080383b8e63062923b622615390d79d6eecff264a85d90c30ddad9966f29c5932ef0665f9b2fce9539e9802d7b7d001ad2cdf4e008673c4e1b

  • SSDEEP

    196608:DDR0MhC+BTX1QFhjwt25HnuC48RmU/3ZlsPvXfHTvN8CJDzB0qfe:nRlAuOHuCtN3ZWXfT7

Malware Config

Signatures

  • Executes dropped EXE (7 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Detects Pyinstaller (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (21 IoCs)
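The "Detects Pyinstaller" signature, together with the dropped `_MEI24122\python39.dll` in the file list (the directory number begins with 2412, the PID of the `Mail Ripper .exe` child in the process tree), says the sample is a PyInstaller-packed Python 3.9 program. The script below is an added example, not part of this report or of the sandbox's own detection logic, showing how to confirm that offline from the bytes: PyInstaller's bootloader appends a CArchive whose trailer begins with a fixed 8-byte magic. The trailer layout `!8sIIii64s` and the loose decoding of the Python-version field are stated as assumptions about PyInstaller's format, and `build_sample()` fabricates a stand-in blob instead of using the sample from the report.

```python
import re
import struct

# PyInstaller CArchive trailer magic (PYINST_COOKIE_MAGIC in the bootloader sources).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Assumed trailer layout (PyInstaller 2.1 and later): magic, package length, TOC offset,
# TOC length, Python version, 64-byte null-padded name of the Python DLL.
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes

# Extraction directory the bootloader creates under %TEMP%, e.g. ...\Temp\_MEI24122\
MEI_TEMPDIR_RE = re.compile(r"(?:^|[\\/])_MEI\d+(?:[\\/]|$)")


def find_pyinstaller_cookie(data: bytes):
    """Return the decoded trailer if `data` carries a PyInstaller CArchive, else None.

    The bootloader itself searches backwards from the end of its image for the magic,
    so appended overlays (an Authenticode blob, padding) do not defeat this check.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or len(data) - pos < COOKIE_SIZE:
        return None
    _magic, pkg_len, toc_pos, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_SIZE]
    )
    # Assumption: the version field is encoded as either 39 or 309 for Python 3.9,
    # depending on the PyInstaller release; decode both forms.
    if pyvers < 100:
        major, minor = divmod(pyvers, 10)
    else:
        major, minor = divmod(pyvers, 100)
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_pos,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_dll": pylib.rstrip(b"\x00").decode("ascii", "replace"),
        "trailing_bytes": len(data) - pos - COOKIE_SIZE,  # size of any overlay after the cookie
    }


def is_mei_tempdir_path(path: str) -> bool:
    """True for a path inside a PyInstaller _MEI<digits> extraction directory."""
    return bool(MEI_TEMPDIR_RE.search(path))


def build_sample(pylib: bytes = b"python39.dll", pyvers: int = 39, overlay: bytes = b"") -> bytes:
    """Constructed stand-in for a packed EXE: fake PE bytes, fake archive, cookie, optional overlay."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 256
    fake_archive = b"PYZ\x00" * 64  # padding only, not a real PyInstaller package
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC,
                         len(fake_archive) + COOKIE_SIZE,   # package length
                         len(fake_archive) - 32, 32,        # TOC offset and length
                         pyvers, pylib)
    return fake_pe + fake_archive + cookie + overlay


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    if not targets:
        print("constructed sample:", find_pyinstaller_cookie(build_sample()))
    for name in targets:
        with open(name, "rb") as fh:
            print(name, find_pyinstaller_cookie(fh.read()))
```

Run it with the path of a suspect executable as the argument; with no arguments it analyses the constructed sample. A non-zero `trailing_bytes` means something was appended after the PyInstaller trailer, which is worth a second look on its own. Once a sample is confirmed as PyInstaller output, the embedded `.pyc` modules can be pulled out with a CArchive extractor and decompiled, which is a far faster route to the payload logic than tracing the bootloader.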

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mail Ripper.exe  (PID 2476, depth 1)
    "C:\Users\Admin\AppData\Local\Temp\Mail Ripper.exe"
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe  (PID 2944, depth 2)
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe  (PID 3060, depth 3)
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe  (PID 5404, depth 4)
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
          • Executes dropped EXE
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe  (PID 2124, depth 2)
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe  (PID 2492, depth 3)
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        • Executes dropped EXE
    • C:\Users\Admin\AppData\Local\Temp\Mail Ripper .exe  (PID 2412, depth 2)
      "C:\Users\Admin\AppData\Local\Temp\Mail Ripper .exe"
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\Mail Ripper .exe  (PID 864, depth 3)
        "C:\Users\Admin\AppData\Local\Temp\Mail Ripper .exe"
        • Executes dropped EXE
        • Loads dropped DLL
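Two of the dropped files are named `svchost.exe` and `explorer.exe` but are written to `%APPDATA%\Microsoft\Windows\Templates`, and both `Setup.exe` and the dropped `svchost.exe` trigger "Adds Run key to start application". On a suspected host the fastest triage is to export the Run key and check each entry for exactly that combination. The script below is an added example, not taken from this report or from the sandbox: the value names in `SAMPLE_REG_OUTPUT` are constructed, since the report does not show them, while the two Templates paths and the SHA256 values in `DROPPED_IOCS` are copied from the report's file list, and `EXPECTED_DIRS` assumes a default Windows installation on `C:`.

```python
import ntpath
import re

# Dropped-file IoCs taken from this report's file list (path -> SHA256).
DROPPED_IOCS = {
    r"C:\Users\Admin\AppData\Local\Temp\Setup.exe":
        "d01728070486e1abbf024db0eeeacf232e02fe326c4c0b762af73f728fc9392d",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe":
        "8f1e6eb0269fbe449678ce4863d494fda78bc648f27ad1c129270575efce4f7a",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe":
        "badaa2312457f3d08ca1f72287989456f9e62d6b417af6fb9b5e39ca1e8c8100",
}
_IOC_BY_LOWER_PATH = {p.lower(): h for p, h in DROPPED_IOCS.items()}

# Directories where these Windows binaries legitimately live (assumption: default
# install on C:, no directory redirection).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}

# Constructed `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output.
# The value names are invented (the report does not show them); the two Templates
# paths are the report's dropped files, the other two entries are benign filler.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    ctfmon    REG_SZ    C:\Windows\System32\ctfmon.exe
    svchost    REG_SZ    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    explorer    REG_SZ    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"""

# reg.exe separates value name, type and data with runs of spaces
VALUE_RE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_\w+)\s{2,}(.+?)\s*$")
# quoted image path, or the first whitespace-delimited token (an unquoted path
# containing spaces is ambiguous here, just as it is for CreateProcess itself)
IMAGE_RE = re.compile(r'^"([^"]+)"|^(\S+)')


def parse_reg_query(text):
    """Return (value_name, value_type, data) tuples from `reg query` text output."""
    return [m.groups() for m in map(VALUE_RE.match, text.splitlines()) if m]


def image_path(command):
    """Image path of a Run value: the quoted path, or the bare path up to the first space."""
    m = IMAGE_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else command


def assess_run_entries(entries):
    """Score each Run entry; returns only the entries that produced a finding."""
    findings = []
    for name, _vtype, data in entries:
        path = image_path(data)
        base = ntpath.basename(path).lower()
        directory = ntpath.dirname(path).lower()
        reasons, severity = [], None
        known = _IOC_BY_LOWER_PATH.get(path.lower())
        if known:
            reasons.append(f"path matches dropped file from report, expected SHA256 {known}")
            severity = "high"
        if base in EXPECTED_DIRS and directory not in EXPECTED_DIRS[base]:
            reasons.append(f"{base} outside {sorted(EXPECTED_DIRS[base])}: system-binary masquerade")
            severity = "high"
        if "\\appdata\\" in directory:
            # Weak on its own: plenty of legitimate per-user software persists from AppData.
            reasons.append("autorun from user-writable AppData location")
            severity = severity or "low"
        if reasons:
            findings.append({"name": name, "path": path, "severity": severity,
                             "reasons": reasons, "known_sha256": known})
    return findings


if __name__ == "__main__":
    for f in assess_run_entries(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print(f"[{f['severity'].upper()}] {f['name']}: {f['path']}")
        for reason in f["reasons"]:
            print("    -", reason)
```

On a live host, feed it the real export (`reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"`, and the HKLM and RunOnce variants as well) instead of `SAMPLE_REG_OUTPUT`, then hash any "high" hit and compare it with the SHA256 from the report before deciding whether it is this sample or merely something else that copies the same trick. A path match alone is not proof: the masquerade rule is the high-fidelity signal, the AppData rule only raises the priority of what the other two found.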

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe

    Filesize

    356KB

    MD5

    fa0b327abd82686bb9d676a30fa89b46

    SHA1

    a5521f5e8e500f67b183542ffad65b83ebcb186f

    SHA256

    d01728070486e1abbf024db0eeeacf232e02fe326c4c0b762af73f728fc9392d

    SHA512

    ead84a6cbe44be5cb213154cf11f8cbe7cc992563549201500f11cf770e3b57b02da027fc982b436f8eebbfa60088f4dad8e10de1086dbb5781b2b3da004790d

  • C:\Users\Admin\AppData\Local\Temp\_MEI24122\python39.dll

    Filesize

    4.3MB

    MD5

    088904a7f5b53107db42e15827e3af98

    SHA1

    1768e7fb1685410e188f663f5b259710f597e543

    SHA256

    3761c232e151e9ceaf6c7d37b68da3df1962e3106e425cc3937d1f60170f3718

    SHA512

    c5edc25fd9a37673f769af1a1fd540b41e68351bc30b44bc83a1d0d4a8fb078888bbb31173a77ef47698631c9816bc05637b499c20d63e3d65457d9aa4bc2c6b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

    Filesize

    63KB

    MD5

    d298454882caac154fc9217fc7e90499

    SHA1

    11970a2f8b9d1153fbc7fe925a846bd95e07e96f

    SHA256

    badaa2312457f3d08ca1f72287989456f9e62d6b417af6fb9b5e39ca1e8c8100

    SHA512

    e28a4d7c827b5c816503ddba4fee0bc82b16a0acb2eed9c81b20bb1b043d69b89cd3a1cf2beafb27a2471b6172f707d53e3c90568636b0c65e484e051dfde86f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

    Filesize

    256KB

    MD5

    c4e4407b5fcf49586ddd5d5573ae4b95

    SHA1

    0f60aaaaac09d4f9273207114fcc78c0bfb250eb

    SHA256

    8f1e6eb0269fbe449678ce4863d494fda78bc648f27ad1c129270575efce4f7a

    SHA512

    95a89aae7f135b3355f2f0f751607742d8dfa5dfb04bf86cad0fff99d6c687a18a2f0be30d92a79d004cba49823c73f0208f40bb5e9cff3b26f72d1fe5f3d47b

  • \Users\Admin\AppData\Local\Temp\Mail Ripper .exe

    Filesize

    9.2MB

    MD5

    5ad8ae6018c97e3dda52c6075b23b294

    SHA1

    42f05a281007c2fe538fd182cea2d17514f22327

    SHA256

    6ea4bed47d20892e03270ee2b8f73fe79a7366d3b525a7c71f13c9071bbd0576

    SHA512

    ea747c658657fbd026117bdea4b7a0d82f48ff694daa87c57b59e482be10b18621634bf5eef9e58e27f18f0237742abb90a0024bc7f9616711df5776ee56a443

  • memory/2124-50-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

    Filesize

    9.6MB

  • memory/2476-0-0x000007FEF5C2E000-0x000007FEF5C2F000-memory.dmp

    Filesize

    4KB

  • memory/2476-47-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

    Filesize

    9.6MB