78a93880049831bd181b8147d5b9900e31b3cd094f9d5214aa1a0078081eeca5

Analysis

max time kernel
134s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7Xg8ed6ITLcVfSx)M1Zh2'(fk.exe
Size

7.8MB
MD5

6a700c4c6ea5e658afba606711043a17
SHA1

1ab34cc9ad0ff86b76c1c4d40dbaeea56c3562c8
SHA256

78a93880049831bd181b8147d5b9900e31b3cd094f9d5214aa1a0078081eeca5
SHA512

669f1e6171cde2c636a6f39b95e880d406741cffe6e78e9dc1ea60141d862fc4e07e307db597b61593ccb40d0e464b20d002675e5c471ce2fd3ea8cdfb5e3fe1
SSDEEP

196608:oYa2lxmZsgSkzzn8R91/yOSoc0U5IDZQfm0nr+:E2lxU3KLKOSo1UcGe0nr+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1588	LoaderV1.1.exe
2928	Loader.exe

Loads dropped DLL 18 IoCs

pid	Process
1588	LoaderV1.1.exe
1588	LoaderV1.1.exe
1588	LoaderV1.1.exe
1588	LoaderV1.1.exe
1588	LoaderV1.1.exe
1588	LoaderV1.1.exe
1588	LoaderV1.1.exe
1588	LoaderV1.1.exe
1588	LoaderV1.1.exe
1588	LoaderV1.1.exe
1588	LoaderV1.1.exe
1588	LoaderV1.1.exe
1588	LoaderV1.1.exe
1588	LoaderV1.1.exe
1588	LoaderV1.1.exe
1588	LoaderV1.1.exe
1588	LoaderV1.1.exe
1588	LoaderV1.1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
25	raw.githubusercontent.com
26	raw.githubusercontent.com
27	raw.githubusercontent.com
11	raw.githubusercontent.com
12	raw.githubusercontent.com
22	raw.githubusercontent.com
24	raw.githubusercontent.com
28	raw.githubusercontent.com
29	pastebin.com
30	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	Loader.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 1588	456	7Xg8ed6ITLcVfSx)M1Zh2'(fk.exe	87
PID 456 wrote to memory of 1588	456	7Xg8ed6ITLcVfSx)M1Zh2'(fk.exe	87
PID 1588 wrote to memory of 2928	1588	LoaderV1.1.exe	95
PID 1588 wrote to memory of 2928	1588	LoaderV1.1.exe	95

C:\Users\Admin\AppData\Local\Temp\7Xg8ed6ITLcVfSx)M1Zh2'(fk.exe
"C:\Users\Admin\AppData\Local\Temp\7Xg8ed6ITLcVfSx)M1Zh2'(fk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:456
- C:\Users\Admin\AppData\Local\Temp\onefile_456_133708242096340658\LoaderV1.1.exe
  C:\Users\Admin\AppData\Local\Temp\7Xg8ed6ITLcVfSx)M1Zh2'(fk.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\Loader.exe
    C:\Users\Admin\AppData\Local\Temp\Loader.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cryptolens.Licensing.dll

Filesize
118KB

MD5
26e5cf83f55f1898c074937a98446011

SHA1
1ab0074376609afb384c599b9911f790756ae22f

SHA256
da15030dcc49cdef747ca18bd24884404a9e12cf225e06847a4064302bea90bf

SHA512
f4f6718b41ddde8d3d5e76202c9fc7f2ddb36b97c14509de920371f3ed946be890ed39b289e74da87690cb3513454d0d2f6962e9920bb39f35fd5ed2688ff98c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
70KB

MD5
d08977640f51372ed53b3e2e8e56bac4

SHA1
3d0c4ccfdd1bcda9665b211e83b9e3c50e7b5c44

SHA256
cf1955fba276412bb760f060f183e0b5c88151c1dbea3324c7e9c012e1c935f6

SHA512
5a0f770b11fb22a99a384b6d5678ea48b81d8cce527ff6d8c0822d081135763c526feb4b4e6b672c6eab0a2c315ecc556c989a733c11d8de65cee6f741f6cbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
81KB

MD5
e43aed7d6a8bcd9ddfc59c2d1a2c4b02

SHA1
36f367f68fb9868412246725b604b27b5019d747

SHA256
2c2a6a6ba360e38f0c2b5a53b4626f833a3111844d95615ebf35be0e76b1ef7a

SHA512
d92e26eb88db891de389a464f850a8da0a39af8a4d86d9894768cb97182b8351817ce14fe1eb8301b18b80d1d5d8876a48ba66eb7b874c7c3d7b009fcdbc8c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
174KB

MD5
6a2b0f8f50b47d05f96deff7883c1270

SHA1
2b1aeb6fe9a12e0d527b042512fc8890eedb10d8

SHA256
68dad60ff6fb36c88ef1c47d1855517bfe8de0f5ddea0f630b65b622a645d53a

SHA512
a080190d4e7e1abb186776ae6e83dab4b21a77093a88fca59ce1f63c683f549a28d094818a0ee44186ddea2095111f1879008c0d631fc4a8d69dd596ef76ca37

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_456_133708242096340658\LoaderV1.1.exe

Filesize
10.5MB

MD5
dcc70dc14fc8cac3b36885257fecec6f

SHA1
2401be988be5b82c01d6a4ab89cd958c4086b879

SHA256
d4ba89f1d38f60d144cc11a1d7e566a3f573c2201ed2e884c1d39a668e9327a3

SHA512
33076f1f804dbb55a859957393b76118b92d55e1eb63a38af23278794e4859f33a80cade276b95b4ea06c3b624aa41e26ade487fb12885405625fc5b2eb25975

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_456_133708242096340658\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_456_133708242096340658\_bz2.pyd

Filesize
83KB

MD5
dd26ed92888de9c57660a7ad631bb916

SHA1
77d479d44d9e04f0a1355569332233459b69a154

SHA256
324268786921ec940cbd4b5e2f71dafd08e578a12e373a715658527e5b211697

SHA512
d693367565005c1b87823e781dc5925146512182c8d8a3a2201e712c88df1c0e66e65ecaec9af22037f0a8f8b3fb3f511ea47cfd5774651d71673fab612d2897

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_456_133708242096340658\_hashlib.pyd

Filesize
64KB

MD5
d19cb5ca144ae1fd29b6395b0225cf40

SHA1
5b9ec6e656261ce179dfcfd5c6a3cfe07c2dfeb4

SHA256
f95ec2562a3c70fb1a6e44d72f4223ce3c7a0f0038159d09dce629f59591d5aa

SHA512
9ac3a8a4dbdb09be3760e7ccb11269f82a47b24c03d10d289bcdded9a43e57d3cd656f8d060d66b810382ecac3a62f101f83ea626b58cd0b5a3cca25b67b1519

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_456_133708242096340658\_lzma.pyd

Filesize
156KB

MD5
8cfbafe65d6e38dde8e2e8006b66bb3e

SHA1
cb63addd102e47c777d55753c00c29c547e2243c

SHA256
6d548db0ab73291f82cf0f4ca9ec0c81460185319c8965e829faeacae19444ff

SHA512
fa021615d5c080aadcd5b84fd221900054eb763a7af8638f70cf6cd49bd92773074f1ac6884f3ce1d8a15d59439f554381377faee4842ed5beb13ff3e1b510f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_456_133708242096340658\_queue.pyd

Filesize
31KB

MD5
7d91dd8e5f1dbc3058ea399f5f31c1e6

SHA1
b983653b9f2df66e721ece95f086c2f933d303fc

SHA256
76bba42b1392dc57a867aef385b990fa302a4f1dcf453705ac119c9c98a36e8d

SHA512
b8e7369da79255a4bb2ed91ba0c313b4578ee45c94e6bc74582fc14f8b2984ed8fcda0434a5bd3b72ea704e6e8fd8cbf1901f325e774475e4f28961483d6c7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_456_133708242096340658\_wmi.pyd

Filesize
36KB

MD5
bed7b0ced98fa065a9b8fe62e328713f

SHA1
e329ebca2df8889b78ce666e3fb909b4690d2daa

SHA256
5818679010bb536a3d463eeee8ce203e880a8cd1c06bf1cb6c416ab0dc024d94

SHA512
c95f7bb6ca9afba50bf0727e971dff7326ce0e23a4bfa44d62f2ed67ed5fede1b018519dbfa0ed3091d485ed0ace68b52dd0bb2921c9c1e3bc1fa875cd3d2366

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_456_133708242096340658\charset_normalizer\md.pyd

Filesize
10KB

MD5
d9e0217a89d9b9d1d778f7e197e0c191

SHA1
ec692661fcc0b89e0c3bde1773a6168d285b4f0d

SHA256
ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

SHA512
3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_456_133708242096340658\charset_normalizer\md__mypyc.pyd

Filesize
120KB

MD5
bf9a9da1cf3c98346002648c3eae6dcf

SHA1
db16c09fdc1722631a7a9c465bfe173d94eb5d8b

SHA256
4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

SHA512
7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_456_133708242096340658\python312.dll

Filesize
6.6MB

MD5
cae8fa4e7cb32da83acf655c2c39d9e1

SHA1
7a0055588a2d232be8c56791642cb0f5abbc71f8

SHA256
8ad53c67c2b4db4387d5f72ee2a3ca80c40af444b22bf41a6cfda2225a27bb93

SHA512
db2190da2c35bceed0ef91d7553ff0dea442286490145c3d0e89db59ba1299b0851e601cc324b5f7fd026414fc73755e8eff2ef5fb5eeb1c54a9e13e7c66dd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_456_133708242096340658\select.pyd

Filesize
30KB

MD5
79ce1ae3a23dff6ed5fc66e6416600cd

SHA1
6204374d99144b0a26fd1d61940ff4f0d17c2212

SHA256
678e09ad44be42fa9bc9c7a18c25dbe995a59b6c36a13eecc09c0f02a647b6f0

SHA512
a4e48696788798a7d061c0ef620d40187850741c2bec357db0e37a2dd94d3a50f9f55ba75dc4d95e50946cbab78b84ba1fc42d51fd498640a231321566613daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_456_133708242096340658\unicodedata.pyd

Filesize
1.1MB

MD5
b848e259fabaf32b4b3c980a0a12488d

SHA1
da2e864e18521c86c7d8968db74bb2b28e4c23e2

SHA256
c65073b65f107e471c9be3c699fb11f774e9a07581f41229582f7b2154b6fc3c

SHA512
4c6953504d1401fe0c74435bceebc5ec7bf8991fd42b659867a3529cee5cc64da54f1ab404e88160e747887a7409098f1a85a546bc40f12f0dde0025408f9e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_456_133708242096340658\vcruntime140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_456_133708242096340658\zstandard\backend_c.pyd

Filesize
508KB

MD5
0fc69d380fadbd787403e03a1539a24a

SHA1
77f067f6d50f1ec97dfed6fae31a9b801632ef17

SHA256
641e0b0fa75764812fff544c174f7c4838b57f6272eaae246eb7c483a0a35afc

SHA512
e63e200baf817717bdcde53ad664296a448123ffd055d477050b8c7efcab8e4403d525ea3c8181a609c00313f7b390edbb754f0a9278232ade7cfb685270aaf0

Download Submit
memory/2928-75-0x00007FFAC51A3000-0x00007FFAC51A5000-memory.dmp

Filesize
8KB

Download
memory/2928-76-0x000002410CEC0000-0x000002410CED6000-memory.dmp

Filesize
88KB

Download
memory/2928-77-0x000002410D250000-0x000002410D26C000-memory.dmp

Filesize
112KB

Download
memory/2928-78-0x000002410D280000-0x000002410D286000-memory.dmp

Filesize
24KB

Download
memory/2928-80-0x000002410D370000-0x000002410D394000-memory.dmp

Filesize
144KB

Download
memory/2928-81-0x00007FFAC51A0000-0x00007FFAC5C61000-memory.dmp

Filesize
10.8MB

Download
memory/2928-82-0x00007FFAC51A3000-0x00007FFAC51A5000-memory.dmp

Filesize
8KB

Download
memory/2928-83-0x00007FFAC51A0000-0x00007FFAC5C61000-memory.dmp

Filesize
10.8MB

Download
memory/2928-85-0x00007FFAC51A0000-0x00007FFAC5C61000-memory.dmp

Filesize
10.8MB

Download