Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-09-2024 05:05

General

  • Target

    806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe

  • Size

    13.2MB

  • MD5

    56c671ca2f1c447d9626235f396c870a

  • SHA1

    3bc86393d8b3f0e20e8b49466c48c0a54a03fd61

  • SHA256

    806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a

  • SHA512

    44e253da47ec0aa276cbe2abdf4186e9634eb81176a8a9263b48eda3f44346179a380c4b76c157c14740dcb3675dd91ffbf16a7f60accdaedaa58b74a2d313e6

  • SSDEEP

    393216:e0qJtXxO7qhaKNDJCvTV7D3OwjdAjLnDUFXoQcnU:e/t2KNJC137dAjEFSU

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe
    "C:\Users\Admin\AppData\Local\Temp\806b687095169d4ee65405782ba8527ec7f2fcd6918e3da7fa4417377e0cad3a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1844
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_4.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_4.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_4.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_4.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2960

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\build_4.exe

    Filesize

    13.1MB

    MD5

    5a5d6ad84a7462708c1f4d51ad7ee9cb

    SHA1

    de68d6b39aef7dcd49216308110d7b1be4cbf649

    SHA256

    64863ef0c89a91f133ac968f1774e39c0c7fa5c69beb825b3db5e55c4ba60987

    SHA512

    0cd56d1e7cc34bd56acebd94ee9370ec7aee90b7f86ea6234a6147480d84c4581a5fac85ce73b0cd00a7f7df5e830e4c4dca597ad037a32e84b769b369b50e22

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs

    Filesize

    183B

    MD5

    5894fc443d20e14cf58c39182e36b005

    SHA1

    b499cc3083b0f78dcba99f371e03b1fba280f9f0

    SHA256

    b2771d1657dde2b930007d61ff633919560d9aa7a0a07d9671c962721ed6d88d

    SHA512

    f4d8459a7d81f8c7bb4c6ccdef7404032117b9423fb63613d0ad8918453f8078c2ae308ad1167cd7f7b7a409a5807307712b38f3616f6d15c394efd44a65109c

  • C:\Users\Admin\AppData\Local\Temp\_MEI19882\python312.dll

    Filesize

    5.6MB

    MD5

    0eac9fa387647c388fab4239bfe5a0b5

    SHA1

    fafb679a58b8d85b50af18a4c0a7402fa890ee39

    SHA256

    65900b1bc22af5bb974385f7f2a8742ffd12860010cbe0aedb62ff5598998414

    SHA512

    70042322b98681c73f83f05e03f61a8ad985944cf07633653706c9b87be738e6698099f40328058ee80d4063f8e85aba7c674c3af079cf082376fb1dc9005e86