0b567424e8497a4c1a3f427f3b397a391596f211f685e2d3cab19221d76564d6

Analysis

max time kernel
21s
max time network
21s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

_FreeCCs.scr
Size

11.5MB
MD5

b80e343c5eb7f423ba4e1a9c03f202f2
SHA1

d423d73a0796240f9dcdcf128f62f89b0431cbab
SHA256

0b567424e8497a4c1a3f427f3b397a391596f211f685e2d3cab19221d76564d6
SHA512

a13f2f40d95f4b09b9a714ad722deb03260148fc47f01783c46b1c6483ed5ea4c95414d226337449a8174c551fc82199c823d1e7b20d1fdcbe455bd5135ea9ca
SSDEEP

196608:fqwEg/oJJ3FEsI3kXJeV1UhbL9sSC+GQw0RCBNukSjnvl59VroGGReov:wgmJVEsXXJMGdLg0GuhhoFt

Score

7^/10

pyinstaller upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2956	Exelav.exe
2268	Exelav.exe

Loads dropped DLL 3 IoCs

pid	Process
2116	_FreeCCs.scr
2956	Exelav.exe
2268	Exelav.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000500000001c863-59.dat	upx
behavioral2/memory/2268-61-0x000007FEF5C80000-0x000007FEF6268000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000600000001958e-9.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2956	2116	_FreeCCs.scr	30
PID 2116 wrote to memory of 2956	2116	_FreeCCs.scr	30
PID 2116 wrote to memory of 2956	2116	_FreeCCs.scr	30
PID 2956 wrote to memory of 2268	2956	Exelav.exe	31
PID 2956 wrote to memory of 2268	2956	Exelav.exe	31
PID 2956 wrote to memory of 2268	2956	Exelav.exe	31

C:\Users\Admin\AppData\Local\Temp\_FreeCCs.scr
"C:\Users\Admin\AppData\Local\Temp\_FreeCCs.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Exelav.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Exelav.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Exelav.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Exelav.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Exelav.exe

Filesize
11.0MB

MD5
8b4b5aee0c2feeada135b1f8262a8acd

SHA1
887a5e298fdaf32587480414ec43e23c028d691e

SHA256
e35bddd29b1198caa586a32bddbcc90acccc8df2ea721b81c5252db58f659b21

SHA512
3e72d9905a5618c20a073a1e590d0701b8cbd410ef6711291e847a0433469c96a6cec5f3aed95cdb29d987bfef31582ec3b99fa2fa354b1b3db5b74692ff8300

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29562\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
memory/2116-4-0x0000000002080000-0x0000000002090000-memory.dmp

Filesize
64KB

Download
memory/2268-61-0x000007FEF5C80000-0x000007FEF6268000-memory.dmp

Filesize
5.9MB

Download