Analysis
- max time kernel: 7s
- max time network: 8s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 24-08-2024 10:47
Behavioral task: behavioral1
- Sample: Mail Ripper.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: Mail Ripper.exe
- Resource: win10v2004-20240802-en
General
- Target: Mail Ripper.exe
- Size: 9.6MB
- MD5: 6a7bb2101f69d3872eacac436347bc43
- SHA1: 209a5d147379c2141d369eed6137160944446bc8
- SHA256: 0c8036aaa2f7e38f82368895fa42394d8306112f2e1b2712bfb09421b2f3007e
- SHA512: dfc66f561826aa080383b8e63062923b622615390d79d6eecff264a85d90c30ddad9966f29c5932ef0665f9b2fce9539e9802d7b7d001ad2cdf4e008673c4e1b
- SSDEEP: 196608:DDR0MhC+BTX1QFhjwt25HnuC48RmU/3ZlsPvXfHTvN8CJDzB0qfe:nRlAuOHuCtN3ZWXfT7
Malware Config
Signatures
- Executes dropped EXE (7 IoCs)
  Processes (pid / Process):
    2944  Setup.exe
    2124  Setup.exe
    2412  Mail Ripper .exe
    2492  svchost.exe
    3060  svchost.exe
    864   Mail Ripper .exe
    5404  explorer.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid / Process):
    2476  Mail Ripper.exe
    1280
    2412  Mail Ripper .exe
    864   Mail Ripper .exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes (description / ioc / Process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"  Setup.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"  Setup.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer.exe"  svchost.exe
- Detects Pyinstaller (1 IoC)
  Processes (resource / yara_rule):
    behavioral1/files/0x0008000000016ddf-14.dat  pyinstaller
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description / pid / Process / procid_target); each row appears 3 times in the report:
    PID 2476 wrote to memory of 2944  2476 Mail Ripper.exe   30
    PID 2476 wrote to memory of 2124  2476 Mail Ripper.exe   31
    PID 2476 wrote to memory of 2412  2476 Mail Ripper.exe   32
    PID 2124 wrote to memory of 2492  2124 Setup.exe         34
    PID 2944 wrote to memory of 3060  2944 Setup.exe         35
    PID 2412 wrote to memory of 864   2412 Mail Ripper .exe  36
    PID 3060 wrote to memory of 5404  3060 svchost.exe       37
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\Mail Ripper.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Mail Ripper.exe"
  PID: 2476
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      PID: 2944
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
          PID: 3060
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
              Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
              PID: 5404
              - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      PID: 2124
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
          PID: 2492
          - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\Mail Ripper .exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Mail Ripper .exe"
      PID: 2412
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\Mail Ripper .exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Mail Ripper .exe"
          PID: 864
          - Executes dropped EXE
          - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 356KB
  MD5: fa0b327abd82686bb9d676a30fa89b46
  SHA1: a5521f5e8e500f67b183542ffad65b83ebcb186f
  SHA256: d01728070486e1abbf024db0eeeacf232e02fe326c4c0b762af73f728fc9392d
  SHA512: ead84a6cbe44be5cb213154cf11f8cbe7cc992563549201500f11cf770e3b57b02da027fc982b436f8eebbfa60088f4dad8e10de1086dbb5781b2b3da004790d
- Filesize: 4.3MB
  MD5: 088904a7f5b53107db42e15827e3af98
  SHA1: 1768e7fb1685410e188f663f5b259710f597e543
  SHA256: 3761c232e151e9ceaf6c7d37b68da3df1962e3106e425cc3937d1f60170f3718
  SHA512: c5edc25fd9a37673f769af1a1fd540b41e68351bc30b44bc83a1d0d4a8fb078888bbb31173a77ef47698631c9816bc05637b499c20d63e3d65457d9aa4bc2c6b
- Filesize: 63KB
  MD5: d298454882caac154fc9217fc7e90499
  SHA1: 11970a2f8b9d1153fbc7fe925a846bd95e07e96f
  SHA256: badaa2312457f3d08ca1f72287989456f9e62d6b417af6fb9b5e39ca1e8c8100
  SHA512: e28a4d7c827b5c816503ddba4fee0bc82b16a0acb2eed9c81b20bb1b043d69b89cd3a1cf2beafb27a2471b6172f707d53e3c90568636b0c65e484e051dfde86f
- Filesize: 256KB
  MD5: c4e4407b5fcf49586ddd5d5573ae4b95
  SHA1: 0f60aaaaac09d4f9273207114fcc78c0bfb250eb
  SHA256: 8f1e6eb0269fbe449678ce4863d494fda78bc648f27ad1c129270575efce4f7a
  SHA512: 95a89aae7f135b3355f2f0f751607742d8dfa5dfb04bf86cad0fff99d6c687a18a2f0be30d92a79d004cba49823c73f0208f40bb5e9cff3b26f72d1fe5f3d47b
- Filesize: 9.2MB
  MD5: 5ad8ae6018c97e3dda52c6075b23b294
  SHA1: 42f05a281007c2fe538fd182cea2d17514f22327
  SHA256: 6ea4bed47d20892e03270ee2b8f73fe79a7366d3b525a7c71f13c9071bbd0576
  SHA512: ea747c658657fbd026117bdea4b7a0d82f48ff694daa87c57b59e482be10b18621634bf5eef9e58e27f18f0237742abb90a0024bc7f9616711df5776ee56a443