2b46246b77cc81208f045b0ec933f889c273e1c0d3d0af4ba94bd9c821bdde47

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ericx sef/toolbot.exe
Size

82.5MB
MD5

a3439271f6de235c7d368d3c698ada9b
SHA1

5ce0b86e04d5957501399234b56efc102c737a31
SHA256

770051640cb59d368e625c0b1d6b1e66ec93454e3185902ee2d66f1253617503
SHA512

2b992add3c53d7860d9fc536f926d4322b8802c8989fa37a2ba20bc9cfa6c6a6ba305f92f8f55d557b3fc60329eefbc9bd8f401fe9b99f3ddd465b2de20bb925
SSDEEP

1572864:/EnUSsE/ehnUtzYSU3lyhIiWHWkUHmjQtbCmBbOnSR13pyAAXyDuz4H10YA:fSsE/ehUtUrNWkk5gqbT5yANuz4VZA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2580	Authify.exe

Loads dropped DLL 2 IoCs

pid	Process
2076	toolbot.exe
2580	Authify.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2580	2076	toolbot.exe	31
PID 2076 wrote to memory of 2580	2076	toolbot.exe	31
PID 2076 wrote to memory of 2580	2076	toolbot.exe	31

C:\Users\Admin\AppData\Local\Temp\ericx sef\toolbot.exe
"C:\Users\Admin\AppData\Local\Temp\ericx sef\toolbot.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\onefile_2076_133702242043710000\Authify.exe
  "C:\Users\Admin\AppData\Local\Temp\ericx sef\toolbot.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2076_133702242043710000\pywin32\PyNaCl-1.5.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2076_133702242043710000\pywin32\aiohttp\_websocket.c

Filesize
134KB

MD5
4c89134e3fdc106db8e8c8e422e57bae

SHA1
1131b21916aaa819fd9afa01963864dd70bea24c

SHA256
1795758bfff27b03f315c8182a67135a4fc28e9b426546258507ac5f5e2ee1e7

SHA512
d3a3315964925ca428abd6a33903a29caf538c5623327d531335c8cd0e927c356f7d6a0e91ab80aeca9d66f30815c0fbf0860f1b50d1463ad017d5fdfb3361e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2076_133702242043710000\pywin32\cursor-1.3.5-py3.10.egg-info\dependency_links.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2076_133702242043710000\pywin32\pydumpck-1.20.1.dist-info\WHEEL

Filesize
92B

MD5
43136dde7dd276932f6197bb6d676ef4

SHA1
6b13c105452c519ea0b65ac1a975bd5e19c50122

SHA256
189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714

SHA512
e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2076_133702242043710000\pywin32\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\LICENSE

Filesize
11KB

MD5
3b83ef96387f14655fc854ddc3c6bd57

SHA1
2b8b815229aa8a61e483fb4ba0588b8b6c491890

SHA256
cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30

SHA512
98f6b79b778f7b0a15415bd750c3a8a097d650511cb4ec8115188e115c47053fe700f578895c097051c9bc3dfb6197c2b13a15de203273e1a3218884f86e90e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2076_133702242043710000\pywin32\setuptools\_vendor\jaraco.functools-4.0.1.dist-info\LICENSE

Filesize
1023B

MD5
141643e11c48898150daa83802dbc65f

SHA1
0445ed0f69910eeaee036f09a39a13c6e1f37e12

SHA256
86da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741

SHA512
ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2076_133702242043710000\pywin32\setuptools\_vendor\typing_extensions-4.12.2.dist-info\WHEEL

Filesize
81B

MD5
24019423ea7c0c2df41c8272a3791e7b

SHA1
aae9ecfb44813b68ca525ba7fa0d988615399c86

SHA256
1196c6921ec87b83e865f450f08d19b8ff5592537f4ef719e83484e546abe33e

SHA512
09ab8e4daa9193cfdee6cf98ccae9db0601f3dcd4944d07bf3ae6fa5bcb9dc0dcafd369de9a650a38d1b46c758db0721eba884446a8a5ad82bb745fd5db5f9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2076_133702242043710000\pywin32\sniffio-1.3.1.dist-info\WHEEL

Filesize
92B

MD5
a227bf38fb17005b3bdb56ccc428b1bb

SHA1
502f95da3089549e19c451737aa262e45c5bc3bc

SHA256
a2241587fe4f9d033413780f762cf4f5608d9b08870cc6867abfde96a0777283

SHA512
a0ba37a0b2f3d4ae1ee2b09bb13ed20912db4e6a009fe9ba9414830ad4fdbf58571e195abbe0d19f5582e2cf958cfb49ffdacd7c5182008699f92a0f5eec6c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2076_133702242043710000\pywin32\tasksio-0.0.0.dist-info\WHEEL

Filesize
92B

MD5
11aa48dbe7e7cc631b11dd66dc493aeb

SHA1
249fdb01ad3e3f71356e33e1897d06f23cfb20c2

SHA256
3aa464174798e461ecb0ca2b16395b4c8ab4ef6be91e917ad1f21003a952f710

SHA512
edd5892c9b2fe1f2439c53d2cd05f4478ec360885054bd06afcf7936f6d066377fee07796dae9ecdf810e3d6100e039cad48f00ad0e3145693d53e844cc5319d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2076_133702242043710000\pywin32\yarl-1.9.4.dist-info\WHEEL

Filesize
102B

MD5
8c2e21cc1c783f0308a0ceccba453d28

SHA1
602f6e8b6400ce24f69ead308e1bb1b5088282e2

SHA256
cabbed795019cf142fb439f3742461e1d3f4d6c3c8c5884b5c85e9942ee8e741

SHA512
2d0ff78e6871826bc22a9a5dbeb1fc1c2f426a58189ab924070d7fb8369bf6befcda558d8a1e4247fe3073ca82dda69610c23e83f22ee964b941e79068c64422

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2076_133702242043710000\python310.dll

Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit