699397f368c56fe08f4002eae2ceb98cc3b5a82151516d6cab2dc5315495a3e2

Analysis

max time kernel
141s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
30-09-2024 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uploader.exe
Size

9.1MB
MD5

e2deb4f97fef7226ba5a6963d29ef49f
SHA1

f0c03f217e99ea965711a5f030e2d197fa74b766
SHA256

699397f368c56fe08f4002eae2ceb98cc3b5a82151516d6cab2dc5315495a3e2
SHA512

a11e1c4a4986475184d1e36da9ad51ef564c74fb58ebe92ab971c7fd4c9d5802e87df2c55a934681481481cf482896e79c667f702ed6fc83c1f8905f5160373e
SSDEEP

196608:sxQyqwJ/TLx4hz7DIxynurErvI9pWj04Qc+4o673pNqljxaMDHdm4:UWKTGz7kMurEUWjEZ4dDKfamd

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 17 IoCs

pid	Process
3104	uploader.exe
3104	uploader.exe
3104	uploader.exe
3104	uploader.exe
3104	uploader.exe
3104	uploader.exe
3104	uploader.exe
3104	uploader.exe
3104	uploader.exe
3104	uploader.exe
3104	uploader.exe
3104	uploader.exe
3104	uploader.exe
3104	uploader.exe
3104	uploader.exe
3104	uploader.exe
3104	uploader.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/3992-0-0x00007FF7980C0000-0x00007FF79812C000-memory.dmp	upx
behavioral4/files/0x000100000002aaf9-28.dat	upx
behavioral4/memory/3104-32-0x00007FF9671D0000-0x00007FF967895000-memory.dmp	upx
behavioral4/files/0x000100000002aaf6-34.dat	upx
behavioral4/files/0x000100000002aae0-46.dat	upx
behavioral4/files/0x000100000002aadf-45.dat	upx
behavioral4/files/0x000100000002aade-44.dat	upx
behavioral4/files/0x000100000002aadd-43.dat	upx
behavioral4/files/0x000100000002aadc-42.dat	upx
behavioral4/files/0x000100000002aadb-41.dat	upx
behavioral4/files/0x000100000002aada-40.dat	upx
behavioral4/files/0x000200000002aad9-39.dat	upx
behavioral4/files/0x000100000002aafb-38.dat	upx
behavioral4/files/0x000100000002aafa-37.dat	upx
behavioral4/files/0x000100000002aaf7-35.dat	upx
behavioral4/memory/3104-50-0x00007FF97E3B0000-0x00007FF97E3C9000-memory.dmp	upx
behavioral4/memory/3104-52-0x00007FF980FE0000-0x00007FF980FED000-memory.dmp	upx
behavioral4/memory/3104-55-0x00007FF97CF90000-0x00007FF97CFC3000-memory.dmp	upx
behavioral4/memory/3104-60-0x00007FF977F80000-0x00007FF9784A9000-memory.dmp	upx
behavioral4/memory/3104-58-0x00007FF97BF50000-0x00007FF97C01D000-memory.dmp	upx
behavioral4/memory/3104-62-0x00007FF97E2B0000-0x00007FF97E2C4000-memory.dmp	upx
behavioral4/memory/3104-64-0x00007FF97CF80000-0x00007FF97CF8D000-memory.dmp	upx
behavioral4/files/0x000100000002aae7-74.dat	upx
behavioral4/memory/3104-78-0x00007FF978D60000-0x00007FF978E7A000-memory.dmp	upx
behavioral4/memory/3104-79-0x00007FF97BEF0000-0x00007FF97BEFB000-memory.dmp	upx
behavioral4/memory/3104-77-0x00007FF97BEC0000-0x00007FF97BEE7000-memory.dmp	upx
behavioral4/memory/3104-76-0x00007FF9671D0000-0x00007FF967895000-memory.dmp	upx
behavioral4/files/0x000100000002aae6-72.dat	upx
behavioral4/memory/3104-70-0x00007FF97BF00000-0x00007FF97BF2D000-memory.dmp	upx
behavioral4/memory/3104-69-0x00007FF7980C0000-0x00007FF79812C000-memory.dmp	upx
behavioral4/memory/3104-68-0x00007FF97BF30000-0x00007FF97BF4A000-memory.dmp	upx
behavioral4/memory/3992-66-0x00007FF7980C0000-0x00007FF79812C000-memory.dmp	upx
behavioral4/memory/3104-82-0x00007FF97E3B0000-0x00007FF97E3C9000-memory.dmp	upx
behavioral4/memory/3104-83-0x00007FF97CF90000-0x00007FF97CFC3000-memory.dmp	upx
behavioral4/memory/3104-84-0x00007FF97BF50000-0x00007FF97C01D000-memory.dmp	upx
behavioral4/memory/3104-86-0x00007FF977F80000-0x00007FF9784A9000-memory.dmp	upx
behavioral4/memory/3104-89-0x00007FF9671D0000-0x00007FF967895000-memory.dmp	upx
behavioral4/memory/3104-102-0x00007FF97BF00000-0x00007FF97BF2D000-memory.dmp	upx

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 3104	3992	uploader.exe	79
PID 3992 wrote to memory of 3104	3992	uploader.exe	79

C:\Users\Admin\AppData\Local\Temp\uploader.exe
"C:\Users\Admin\AppData\Local\Temp\uploader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Users\Admin\AppData\Local\Temp\uploader.exe
  "C:\Users\Admin\AppData\Local\Temp\uploader.exe"
  2⤵
  - Loads dropped DLL
  PID:3104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI39922\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\_bz2.pyd

Filesize
48KB

MD5
9da23eb807a43a954d40048b53a98e6f

SHA1
e639bd9a27409fc72f36b4ec3383eeecdacb9dc5

SHA256
02d0d3c0163f69a7e6713742ab98e73321c5298976089fe9a03b6d91d3293ebb

SHA512
c8d164c8d4722dcd04f13aa11307fddd655e73fd03b15c8056b34252bce925ca679b48032313b8587369500d03574213da20e513c3b4c155099a84de9ac0bba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
27004b1f01511fd6743ee5535de8f570

SHA1
b97baa60d6c335670b8a923fa7e6411c8e602e55

SHA256
d2d3e9d9e5855a003e3d8c7502a9814191cf2b77b99ba67777ac170440dfdccf

SHA512
bdcd7a9b9bea5a16186d1a4e097253008d5ecd37a8d8652ec21b034abafbc7e5ff9ca838c5c4cb5618d87b1aceda09e920878c403abafafa867e2d679d4d98d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\_decimal.pyd

Filesize
107KB

MD5
c67548fec576c79aa4c7d829ebbcb8fd

SHA1
3c1dd3daf407257ded9717dadcf017fdd8a2c07c

SHA256
31c2c5200f59969c7078a5a913067dfcdf326cb0d43754e38893239774286fab

SHA512
696d76f6baf739aa2a0d1d057df6d3f8cba1008c0528c8060bb3808a775393bf5e61578154e0d1bd0f3162195b108fbe51daf005d29d368447b5c8fe844a338b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\_hashlib.pyd

Filesize
35KB

MD5
121f21e4c072b1307ec96e26dbb54f48

SHA1
fd7ffeb22377db68bd6abce8ea526afa14faad0f

SHA256
8dac9aa352bfcb960501682d412a9eeebea5d1cdde3771ba9b70a0ae2e08e883

SHA512
bec606d0b9c4cabc263a4eda3b8cd403e2486a4e3369fe99117386c4d1969248c54d762b465ab5bdf87fdcc7a08bf90aa873064c65063db8cd4dc437e7e1e6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\_lzma.pyd

Filesize
86KB

MD5
24a598b2caa17caee2e24d2bb97b445d

SHA1
262f07406e170284fea0c1e41093bfe1c4a25eab

SHA256
af4ae25b17c7cf23d06e1f37fdefe903a840073266d4314e410a4acec2af6270

SHA512
7bdf0a599c488436c118523a67ab154a37ffc5aab0ecec95c463bd068d1121b197c0ebb91dc7db3cf2a3db913abaffd0a60aedb373c0e670c63cd8d85f716f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\_queue.pyd

Filesize
26KB

MD5
52e8135f08c61f94b536d1a1c787bf23

SHA1
6ea0d2bd42d3293273b27ea5fb64abef3361ba3f

SHA256
fdcd6416bcbaddc8d0e3b029d2c5f621956066cb95c5fa06c948e7eec25152b8

SHA512
06e75181a0831d1493ecc28a02f2f52fd30c1b53a4053e94a974b577ace6cdc912f1cb7223059cdacecf5fabfff1f2fff2955b1ba8f54ce5b15b7a6eec77c452

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\_socket.pyd

Filesize
44KB

MD5
886d68f020a8a2232fbcb8ab431ff9f8

SHA1
65db84d574e9e38281475cb6d86acb94c74ce5b9

SHA256
199c490b67f4364a78c6ba7df595e13e483e110345d067bf57b3826d3bf06715

SHA512
bb33bb67ee0204817282373f72a2666aa32e8e47a717e443247bd493853f804949bb59ae3b4a213fcad306d1ced123cd1377e05df3e353400120928597ed34da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\_ssl.pyd

Filesize
66KB

MD5
e5353f0aa2c35efd5b4a1a0805a6978c

SHA1
d92f1066fe79dc1a1afe7ca3c0b9e803aced7e9f

SHA256
908a3938b962132f3f4429badad0e26a8b138de192a060ca1c1067e2b2ce128a

SHA512
11c632e69c982a77053fefb22e764dfdb30f6d10abe6c88e2512aa7daf26a0ef59dcc109d262cdb58875f2fba46312027b6e180dc7f0fa24ddc02b78a55c0c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\base_library.zip

Filesize
1.3MB

MD5
605cf0c0ef63fe301e94cbc073a503b8

SHA1
12589064c85195249a53656ea9a8ce6d1ae13ae6

SHA256
730a7bc70fdc6f06751d8f96604a5106563e0954602b0413f086956dbd3e9d5c

SHA512
9432476968b6dd04f9f6dd63987f7ce7693392f0d7b8f82d1f7a56e937607c016ec12d58c8fab32446ef1f2de55a0216767614eaae6f487a2bfc545ff4c78e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
9KB

MD5
e4fad9ff1b85862a6afaca2495d9f019

SHA1
0e47d7c5d4de3a1d7e3bb31bd47ea22cc4ddeac4

SHA256
e5d362766e9806e7e64709de7e0cff40e03123d821c3f30cac5bac1360e08c18

SHA512
706fb033fc2079b0aabe969bc51ccb6ffaaf1863daf0e4a83d6f13adc0fedab61cee2b63efb40f033aea22bf96886834d36f50af36e6e25b455e941c1676a30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
39KB

MD5
5c643741418d74c743ca128ff3f50646

SHA1
0b499a3228865a985d86c1199d14614096efd8a0

SHA256
2d86563fdfdc39894a53a293810744915192f3b3f40a47526551e66cdb9cb35c

SHA512
45d02b854557d8f9c25ca8136fa6d3daed24275cc77b1c98038752daed4318bd081c889ff1f4fa8a28e734c9167f477350a8fa863f61729c30c76e7a91d61a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\libcrypto-3.dll

Filesize
1.6MB

MD5
63eb76eccfe70cff3a3935c0f7e8ba0f

SHA1
a8dd05dce28b79047e18633aee5f7e68b2f89a36

SHA256
785c8dde9803f8e1b279895c4e598a57dc7b01e0b1a914764fcedef0d7928b4e

SHA512
8da31fa77ead8711c0c6ffedcef6314f29d02a95411c6aacec626e150f329a5b96e9fdeae8d1a5e24d1ca5384ae2f0939a5cc0d58eb8bdbc5f00e62736dcc322

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\libssl-3.dll

Filesize
222KB

MD5
7e87c34b39f3a8c332df6e15fd83160b

SHA1
db712b55f23d8e946c2d91cbbeb7c9a78a92b484

SHA256
41448b8365b3a75cf33894844496eb03f84e5422b72b90bdcb9866051939c601

SHA512
eceda8b66736edf7f8e7e6d5a17e280342e989c5195525c697cc02dda80fd82d62c7fd4dc6c4825425bae69a820e1262b8d8cc00dbcd73868a26e16c14ac5559

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\python3.dll

Filesize
66KB

MD5
8dbe9bbf7118f4862e02cd2aaf43f1ab

SHA1
935bc8c5cea4502d0facf0c49c5f2b9c138608ed

SHA256
29f173e0147390a99f541ba0c0231fdd7dfbca84d0e2e561ef352bf1ec72f5db

SHA512
938f8387dcc356012ac4a952d371664700b110f7111fcc24f5df7d79791ae95bad0dbaf77d2d6c86c820bfd48a6bdbe8858b7e7ae1a77df88e596556c7135ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\python312.dll

Filesize
1.7MB

MD5
ca67f0baf3cc3b7dbb545cda57ba3d81

SHA1
5b4e36aef877307af8a8f78f3054d068d1a9ce89

SHA256
f804ed205e82003da6021ee6d2270733ca00992816e7e89ba13617c96dd0fba3

SHA512
a9f07dd02714c3efba436326425d443969018ace7ebd7cc33c39d43e3d45480a4fcd4c46c09ad132b4f273888f13e9f598de257130429fcb2519c000e4fab6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\select.pyd

Filesize
25KB

MD5
6c123b56f3a37c129eff6fc816868b25

SHA1
ac6b6e3bdc53870ba044a38b9ae9a067b70e7641

SHA256
99687f9b1648ac684dfb7937c75e3e50dc16704abd4c4c19601c40ec6971c5ee

SHA512
b840871278a6cc32d5ab0cc6d9c129da0ba2d08b93c3c6c000e3989fe1ab8b09ed82ca547a1057690f52f22e44b203f424e2ccd9655be82a1094547a94ddc3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39922\unicodedata.pyd

Filesize
296KB

MD5
3d5cb46d212da9843d199f6989b37cd5

SHA1
ce5e427d49ea1adba9c941140f3502c969b6819e

SHA256
50a55bc145b1f43e5125ef0b09e508946221d02d5fea1b7550a43d8c8c41c970

SHA512
c52014c96578db4c7f97878a13ca8c2a4574cc6671689bb554382ad0e593eb87fac55961c7c11ef82b04627fb851ac44848bac9ec91fca0afaa965e4f1f24aa5

Download Submit
memory/3104-60-0x00007FF977F80000-0x00007FF9784A9000-memory.dmp

Filesize
5.2MB

Download
memory/3104-70-0x00007FF97BF00000-0x00007FF97BF2D000-memory.dmp

Filesize
180KB

Download
memory/3104-59-0x000002A050970000-0x000002A050E99000-memory.dmp

Filesize
5.2MB

Download
memory/3104-102-0x00007FF97BF00000-0x00007FF97BF2D000-memory.dmp

Filesize
180KB

Download
memory/3104-58-0x00007FF97BF50000-0x00007FF97C01D000-memory.dmp

Filesize
820KB

Download
memory/3104-62-0x00007FF97E2B0000-0x00007FF97E2C4000-memory.dmp

Filesize
80KB

Download
memory/3104-64-0x00007FF97CF80000-0x00007FF97CF8D000-memory.dmp

Filesize
52KB

Download
memory/3104-52-0x00007FF980FE0000-0x00007FF980FED000-memory.dmp

Filesize
52KB

Download
memory/3104-78-0x00007FF978D60000-0x00007FF978E7A000-memory.dmp

Filesize
1.1MB

Download
memory/3104-79-0x00007FF97BEF0000-0x00007FF97BEFB000-memory.dmp

Filesize
44KB

Download
memory/3104-77-0x00007FF97BEC0000-0x00007FF97BEE7000-memory.dmp

Filesize
156KB

Download
memory/3104-76-0x00007FF9671D0000-0x00007FF967895000-memory.dmp

Filesize
6.8MB

Download
memory/3104-50-0x00007FF97E3B0000-0x00007FF97E3C9000-memory.dmp

Filesize
100KB

Download
memory/3104-55-0x00007FF97CF90000-0x00007FF97CFC3000-memory.dmp

Filesize
204KB

Download
memory/3104-69-0x00007FF7980C0000-0x00007FF79812C000-memory.dmp

Filesize
432KB

Download
memory/3104-68-0x00007FF97BF30000-0x00007FF97BF4A000-memory.dmp

Filesize
104KB

Download
memory/3104-89-0x00007FF9671D0000-0x00007FF967895000-memory.dmp

Filesize
6.8MB

Download
memory/3104-32-0x00007FF9671D0000-0x00007FF967895000-memory.dmp

Filesize
6.8MB

Download
memory/3104-82-0x00007FF97E3B0000-0x00007FF97E3C9000-memory.dmp

Filesize
100KB

Download
memory/3104-83-0x00007FF97CF90000-0x00007FF97CFC3000-memory.dmp

Filesize
204KB

Download
memory/3104-84-0x00007FF97BF50000-0x00007FF97C01D000-memory.dmp

Filesize
820KB

Download
memory/3104-85-0x000002A050970000-0x000002A050E99000-memory.dmp

Filesize
5.2MB

Download
memory/3104-86-0x00007FF977F80000-0x00007FF9784A9000-memory.dmp

Filesize
5.2MB

Download
memory/3992-66-0x00007FF7980C0000-0x00007FF79812C000-memory.dmp

Filesize
432KB

Download
memory/3992-0-0x00007FF7980C0000-0x00007FF79812C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads