80c149f71db8d458df8f3c8f4b7b9e064dc70548e7c17d598be550a24edf6748

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

imaminer.exe
Size

67.6MB
MD5

74bb6a253ff9355ef83c571b3249a53b
SHA1

9e01eda2c601ed3cc2f27743f2206b4392d4f176
SHA256

80c149f71db8d458df8f3c8f4b7b9e064dc70548e7c17d598be550a24edf6748
SHA512

bf38591df0cb78e312c9a640766c9fb2ba261a5352442f3e75a0aea122fec1753c975d8fce068c1565a472c5baf9b9b80327fa89931defa807e6c26586fb5a45
SSDEEP

1572864:G/qDDJmIJxUOVYDsUzJZo8bg7v0eqbydQx89Eh3yxpPvcJZTEbc7M:eqDUIB+YUz/x0Gapih3Ivc74c7

Score

7^/10

defense_evasion discovery pyinstaller upx

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
2948	DASDSADSA.EXE
2796	STUB.EXE
2964	TIC TAC TOE.EXE
584	STUB.EXE
848	TIC TAC TOE.EXE
2192	ransomewrar3.exe
1920	ransomewrar3.exe
1236	Process not Found

Loads dropped DLL 27 IoCs

pid	Process
2748	imaminer.exe
2748	imaminer.exe
2748	imaminer.exe
2028	Process not Found
2796	STUB.EXE
584	STUB.EXE
584	STUB.EXE
584	STUB.EXE
584	STUB.EXE
584	STUB.EXE
584	STUB.EXE
584	STUB.EXE
2964	TIC TAC TOE.EXE
848	TIC TAC TOE.EXE
848	TIC TAC TOE.EXE
848	TIC TAC TOE.EXE
848	TIC TAC TOE.EXE
848	TIC TAC TOE.EXE
848	TIC TAC TOE.EXE
848	TIC TAC TOE.EXE
1920	ransomewrar3.exe
1920	ransomewrar3.exe
1920	ransomewrar3.exe
1920	ransomewrar3.exe
1920	ransomewrar3.exe
1920	ransomewrar3.exe
1920	ransomewrar3.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001c87a-145.dat	upx
behavioral1/memory/584-168-0x000007FEF5CB0000-0x000007FEF6115000-memory.dmp	upx

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ransomewrar3.exe	DASDSADSA.EXE

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0006000000019426-11.dat	pyinstaller
behavioral1/files/0x0006000000019438-84.dat	pyinstaller
behavioral1/files/0x0007000000004e74-260.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imaminer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2256	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2948	2748	imaminer.exe	30
PID 2748 wrote to memory of 2948	2748	imaminer.exe	30
PID 2748 wrote to memory of 2948	2748	imaminer.exe	30
PID 2748 wrote to memory of 2948	2748	imaminer.exe	30
PID 2748 wrote to memory of 2796	2748	imaminer.exe	31
PID 2748 wrote to memory of 2796	2748	imaminer.exe	31
PID 2748 wrote to memory of 2796	2748	imaminer.exe	31
PID 2748 wrote to memory of 2796	2748	imaminer.exe	31
PID 2748 wrote to memory of 2964	2748	imaminer.exe	32
PID 2748 wrote to memory of 2964	2748	imaminer.exe	32
PID 2748 wrote to memory of 2964	2748	imaminer.exe	32
PID 2748 wrote to memory of 2964	2748	imaminer.exe	32
PID 2796 wrote to memory of 584	2796	STUB.EXE	34
PID 2796 wrote to memory of 584	2796	STUB.EXE	34
PID 2796 wrote to memory of 584	2796	STUB.EXE	34
PID 2964 wrote to memory of 848	2964	TIC TAC TOE.EXE	35
PID 2964 wrote to memory of 848	2964	TIC TAC TOE.EXE	35
PID 2964 wrote to memory of 848	2964	TIC TAC TOE.EXE	35
PID 2948 wrote to memory of 2256	2948	DASDSADSA.EXE	36
PID 2948 wrote to memory of 2256	2948	DASDSADSA.EXE	36
PID 2948 wrote to memory of 2256	2948	DASDSADSA.EXE	36
PID 2948 wrote to memory of 2192	2948	DASDSADSA.EXE	38
PID 2948 wrote to memory of 2192	2948	DASDSADSA.EXE	38
PID 2948 wrote to memory of 2192	2948	DASDSADSA.EXE	38
PID 2192 wrote to memory of 1920	2192	ransomewrar3.exe	40
PID 2192 wrote to memory of 1920	2192	ransomewrar3.exe	40
PID 2192 wrote to memory of 1920	2192	ransomewrar3.exe	40

C:\Users\Admin\AppData\Local\Temp\imaminer.exe
"C:\Users\Admin\AppData\Local\Temp\imaminer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\DASDSADSA.EXE
  "C:\Users\Admin\AppData\Local\Temp\DASDSADSA.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAbgBlACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAaQBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAYgB5ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\ransomewrar3.exe
    "C:\Windows\ransomewrar3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\ransomewrar3.exe
      "C:\Windows\ransomewrar3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1920
- C:\Users\Admin\AppData\Local\Temp\STUB.EXE
  "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\STUB.EXE
    "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:584
- C:\Users\Admin\AppData\Local\Temp\TIC TAC TOE.EXE
  "C:\Users\Admin\AppData\Local\Temp\TIC TAC TOE.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\TIC TAC TOE.EXE
    "C:\Users\Admin\AppData\Local\Temp\TIC TAC TOE.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\STUB.EXE

Filesize
10.2MB

MD5
97af7a82e4d2e078a95f6f8d2832f1b4

SHA1
d02457ee5205cd5974ba1143983877d9ea7465e9

SHA256
63aa419adeb4a806620f305ff2fb716a4dbced408b911e4d243b5e9c1526856d

SHA512
3eb61a5b69d2713d8989b68fae75b4fb08df70932512cf6288bfb5fe62778eeb586ee17f4a71c5f04380534a7d6fbf4bfa05ef530ef0f328d7ed5ef69990a3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21922\cryptography-43.0.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\python310.dll

Filesize
1.4MB

MD5
90d5b8ba675bbb23f01048712813c746

SHA1
f2906160f9fc2fa719fea7d37e145156742ea8a7

SHA256
3a7d497d779ff13082835834a1512b0c11185dd499ab86be830858e7f8aaeb3e

SHA512
872c2bf56c3fe180d9b4fb835a92e1dc188822e9d9183aab34b305408bb82fba1ead04711e8ad2bef1534e86cd49f2445d728851206d7899c1a7a83e5a62058e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29642\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Windows\ransomewrar3.exe

Filesize
30.5MB

MD5
e9aaec106102b96782f3d229c1573baa

SHA1
5ddce6a790b0e30ef2c8f54a6144cfe8b10bdac8

SHA256
ffef8aa6f9e15781b0314f1cf3d300003c1a584c5b71fca835f354cf00c6001d

SHA512
2ebb4eafdc43012088ee7327a0ea3c8188862cd2625f6f6fba06cf253e76e3d9d28c3b7c0c47a93a92836e296a159023d9de04c5332b0f90951694834e4b4ca1

Download Submit
\Users\Admin\AppData\Local\Temp\DASDSADSA.EXE

Filesize
30.5MB

MD5
01584d18d95106ff1d0ac750fb9bbbfc

SHA1
39fb3f7c489717000acc31029266a6b838fd447d

SHA256
5101236e73c03f2bbd85895c9edf62da063ae2fa9468fbee71c3812ea9fe8a6e

SHA512
8ab027be1d2e9fec558088c5a8b05eed359d6b3e4bd1d0c2cdba806f968e73193bc38da38888d98074533e473d82e5f8de3f12d02e2b44b032da5141008b7f93

Download Submit
\Users\Admin\AppData\Local\Temp\TIC TAC TOE.EXE

Filesize
26.8MB

MD5
7f2195fa2ff273a876cc1283c3925fb0

SHA1
8f4f5a08680e16babe78a2de08ce7bf3bdb5e13d

SHA256
f9d357cd159fc735af4fe88a8fc647e2f68b721496f0ec86a115265796e42f31

SHA512
b877ac516fa82867fcbf6d429b21dc69e4837153ce1f6e7532c7c7e764d7d1266a0355c182b3e0ab1057f5b90770bfb60aaa883c409dbcbcd0af1b6c7245a321

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27962\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27962\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27962\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27962\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
memory/584-168-0x000007FEF5CB0000-0x000007FEF6115000-memory.dmp

Filesize
4.4MB

Download
memory/2256-256-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/2256-255-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2948-241-0x0000000000BF0000-0x0000000002A7A000-memory.dmp

Filesize
30.5MB

Download