caabd3afad17cae8fb2ccc4a3c91dcc7424046c013debf5ddd8af5446eadb556

General

Target

incognito/incognito/incognito.exe
Size

38.8MB
MD5

59f8e658cf34334dd88a8f67da31ba85
SHA1

bddb50c2de10bd5a1d06c667e7b9c7cdd68fdd89
SHA256

780329f1842fdde4f7a215ea3c597d5c90e969d538756bb837fa20af17f8947f
SHA512

c56ccdbdd3d803c3763505bef40258a9c9c10f03f92490c21226e39aa628a1a081664d26543db6007f25d1650233d45c37c327e3ba77df95e2ba57680e3deee5
SSDEEP

786432:yPLFXNfh50sQhEwLuDtQPux6F2Bf5aFMR8DoewQW650F:2LFdJ5QhE8uDtquGhMR8DdwQW7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1648	ingognito.exe
2160	byebyefronbypass.exe
2028	ingognito.exe
1756	incognito.exe
1184	Process not Found

Loads dropped DLL 6 IoCs

pid	Process
2904	incognito.exe
2904	incognito.exe
2028	ingognito.exe
2160	byebyefronbypass.exe
1756	incognito.exe
1184	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x000500000001c856-184.dat	upx
behavioral3/memory/2028-187-0x000007FEF5C50000-0x000007FEF60BE000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral3/files/0x000700000001211a-5.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	incognito.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1648	2904	incognito.exe	28
PID 2904 wrote to memory of 1648	2904	incognito.exe	28
PID 2904 wrote to memory of 1648	2904	incognito.exe	28
PID 2904 wrote to memory of 1648	2904	incognito.exe	28
PID 2904 wrote to memory of 2160	2904	incognito.exe	29
PID 2904 wrote to memory of 2160	2904	incognito.exe	29
PID 2904 wrote to memory of 2160	2904	incognito.exe	29
PID 2904 wrote to memory of 2160	2904	incognito.exe	29
PID 1648 wrote to memory of 2028	1648	ingognito.exe	31
PID 1648 wrote to memory of 2028	1648	ingognito.exe	31
PID 1648 wrote to memory of 2028	1648	ingognito.exe	31
PID 2160 wrote to memory of 1756	2160	byebyefronbypass.exe	32
PID 2160 wrote to memory of 1756	2160	byebyefronbypass.exe	32
PID 2160 wrote to memory of 1756	2160	byebyefronbypass.exe	32

C:\Users\Admin\AppData\Local\Temp\incognito\incognito\incognito.exe
"C:\Users\Admin\AppData\Local\Temp\incognito\incognito\incognito.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Roaming\ingognito.exe
  "C:\Users\Admin\AppData\Roaming\ingognito.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Users\Admin\AppData\Roaming\ingognito.exe
    "C:\Users\Admin\AppData\Roaming\ingognito.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2028
- C:\Users\Admin\AppData\Roaming\byebyefronbypass.exe
  "C:\Users\Admin\AppData\Roaming\byebyefronbypass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\onefile_2160_133721361439670000\incognito.exe
    "C:\Users\Admin\AppData\Roaming\byebyefronbypass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI16482\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16482\setuptools-65.5.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2160_133721361439670000\incognito.exe

Filesize
30.3MB

MD5
46191afb95c6fa94819ad41a7e8db3d1

SHA1
0a09f7aa968622bb82466fd9ed6d690d601eb620

SHA256
8c22daf73e7b7ab73575bd24761720c0e6c8a7e653805c025a7b01cfd04aa9ad

SHA512
f6b97a30ffe0219a8d1c261d3c5a61a54500525d1fd09ffad759ca26b83cd2975c794662db841b43bf519a80324ba4d3021e866a0eb7ce394b3cedf2d20cefb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2160_133721361439670000\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Roaming\byebyefronbypass.exe

Filesize
17.9MB

MD5
b5128526be8a6b02a0ea3dcb4bef1478

SHA1
18ebaf313817a11509c88b56c21fee3153d2355b

SHA256
cdddb70fc2836d52d8fe97b8bf301ffb9386ca7fe611b5a4b8bc055f9d344cc1

SHA512
05b68778d5c33c6e2b1109d6886a1e859ed8430a7b3a5a7e7c9fe3cfd6699a5b48505502097e61aad9f4b4def7c8b1c2f6ce94cc2cc5ace6be13a22e2520592f

Download Submit
\Users\Admin\AppData\Roaming\ingognito.exe

Filesize
20.9MB

MD5
ce40cec4a18959e35cf5aa672806ef42

SHA1
37242803b5b40b632ae81884a82271511357f6dc

SHA256
75adc3190cf3a65dd8b67e15496f40c5de4483774671bf5c79535b071030d71a

SHA512
d4ea86ac5f5d50c60e6ee045610dba8f6d23b37190800a8eb4cd6f58331134323778d73f3f8191d4b6383d2b86de2cbcef3fbb7bfb67eb08f79763e0b3b72d70

Download Submit
memory/2028-187-0x000007FEF5C50000-0x000007FEF60BE000-memory.dmp

Filesize
4.4MB

Download
memory/2904-0-0x0000000074661000-0x0000000074662000-memory.dmp

Filesize
4KB

Download
memory/2904-1-0x0000000074660000-0x0000000074C0B000-memory.dmp

Filesize
5.7MB

Download
memory/2904-2-0x0000000074660000-0x0000000074C0B000-memory.dmp

Filesize
5.7MB

Download
memory/2904-53-0x0000000074660000-0x0000000074C0B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing