95c8931e3fa3b1de5d681f34643577af8bceeea242a56d1958d8f7df9a9a0523

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PythonTest.exe
Size

21.1MB
MD5

23653f3c2562ab99614f33be4472efdc
SHA1

05558bab8d59579b3c585ad77ad52a2b688d0b04
SHA256

95c8931e3fa3b1de5d681f34643577af8bceeea242a56d1958d8f7df9a9a0523
SHA512

ca606a50fa6f676dfd931c0de48fc54cfe31e88c621417321f830115f24a0ae02177a10066875bcf119afb2a11d4bac637267659faf44262c7c00fd8542e14af
SSDEEP

393216:u2BFHno9LF5svby2das3mvCR3x2gS6+RRo7Nxir4TUzDFuMJHoZ41zGfTB:u2Tno9L7+Vv38eB2gqCpxYWMxuUQ4Uf1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1808	python.exe

Loads dropped DLL 2 IoCs

pid	Process
1712	cmd.exe
1808	python.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 1712	1892	PythonTest.exe	30
PID 1892 wrote to memory of 1712	1892	PythonTest.exe	30
PID 1892 wrote to memory of 1712	1892	PythonTest.exe	30
PID 1712 wrote to memory of 1808	1712	cmd.exe	32
PID 1712 wrote to memory of 1808	1712	cmd.exe	32
PID 1712 wrote to memory of 1808	1712	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\PythonTest.exe
"C:\Users\Admin\AppData\Local\Temp\PythonTest.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\python.exe
    python Python.py
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lib\site-packages\idna-3.10.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lib\site-packages\pip\_vendor\certifi\cacert.pem

Filesize
284KB

MD5
181ac9a809b1a8f1bc39c1c5c777cf2a

SHA1
9341e715cea2e6207329e7034365749fca1f37dc

SHA256
488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee

SHA512
e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lib\site-packages\requests\__version__.py

Filesize
435B

MD5
cf7b49d0b713b70f100f710cfd501ef4

SHA1
c4d5e1c3654e68dbef42e721f0b77cc6cdf50d75

SHA256
1557e09606663509e660f5e93a8843539f05e4451bffe5674936807ac4b5f3b8

SHA512
abfbd374d94df3dad2b9f5d31301e373703f3452f2c10d1ecae5ea4c8802a96129162e125e29bbe39a18f0a7d80841886e9a5e1a2cff51ec5238171aee6f726d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lib\site-packages\requests\_internal_utils.py

Filesize
1KB

MD5
9dfff48651ad4c1cd36b1229e869d749

SHA1
83a8612a7fe67477b5d61a8c4358d22d5b099f7e

SHA256
9cc4329abe21b37d93a95a3901b0ab99c24486f3d487bc57965bb2ab0b252e24

SHA512
8bc4699bffe4b41b11ff43eef9cf33b668127db9f58d8db0ea6105150b01c7472e2cf6e834a0f45133f33af9a54aebe3b1399ede383109d7d01f59455db61001

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lib\site-packages\requests\api.py

Filesize
6KB

MD5
ad3e6e647b23b98387ffe0738d965615

SHA1
e2acc6d4ace747f71ed20a4135f6664a93bcd2fa

SHA256
fd96fd39aeedcd5222cd32b016b3e30c463d7a3b66fce9d2444467003c46b10b

SHA512
25ff8f68c8d09ff474bc654580598efc70773ac908613082603f47b6c64dbd394e899b91bce8103277d9669c7c09a1d35c74d67ac0b51af4e1b35dba896a194b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lib\site-packages\requests\auth.py

Filesize
9KB

MD5
dcbec6f5352f225981ead338d778419e

SHA1
bd96146ba4180f816dbd9c693f0b11ecc21ee214

SHA256
905ef9b6a9cb72d67d31ffe19bd4d9223e1c4169cde6ec51cfca16b31e70991d

SHA512
ae6eee0ccc99712deb2896cd783627e9bc6ab12191c722e70fb2727043aa099e47c14767e9efb8d12b37dcc83f40e2ae1bcdfe7502d8bfd0acf8b044d21bf127

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lib\site-packages\requests\cookies.py

Filesize
18KB

MD5
003f4e0aabd7cc01b91224d1fb89ee21

SHA1
904a118f4c9b48d637c5cce657018c2486513527

SHA256
6cd8be8aa123e0d3d9d34fa86feac7bf392f39bccdde5129830de0ea9692dd7c

SHA512
9d6025a0698a287bc224ab424fa409bcb4b36c01ef27b9e0a018ad995b66ed3eb429ccad5fc26703b8019366bba37e1037af54dc4d1f339f07820e3b93e2b9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lib\site-packages\requests\hooks.py

Filesize
733B

MD5
94eb29001b47e2886c00d1e201b8733d

SHA1
6c2aebe642d6471e70534c45e039df709b23435d

SHA256
0a2bb2b221c0dfd57951f702057148c7cdc8ac3a6ec1f37d45c4d482fdbc7ed4

SHA512
15f9f577f2a490427bcffca5c217cb8d544431391942264352679174621cf2db183d293f478083eba592e1aff059cf7f41f24aa1538933990819d4b3e49b48a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lib\site-packages\requests\sessions.py

Filesize
29KB

MD5
fd6fa1069669812de222d61d2288ff75

SHA1
93881c774ba82ab62ee50d4a56c7b6f64cd81683

SHA256
ca44c8f145864a5b4e7c7d3b1caa25947ee44c11b0e168620556901a67244f0e

SHA512
781e08fb8a5194fb40480509aeacb4bdf84439a99f9501d16e03889bc4d76399b7e0563d8887ed7f948f96c8775d3850880346182431362634cdb5008ac2ac93

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lib\site-packages\requests\status_codes.py

Filesize
4KB

MD5
a5e303e512b9548db88263894ab73fd7

SHA1
cf59c07d2dfa28475074b8592db1fe8024a02b9b

SHA256
889500780db96da4ddc3ee8f7c3d1e178aa1a48343251248fb268cab1b382c42

SHA512
583146a07fdc94d21093a4025ae133183528f165fd75134c1861a38ffd53f6a76a0ed8189a4938736a1312ccb99b7c7582e4843e656273ad6ef63f2c3710eaf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lib\site-packages\requests\structures.py

Filesize
2KB

MD5
077948910ae6fb44dc6e58d3d25d6aee

SHA1
b5c2c740b9ff7d27a83ac4c80e3ae741aa33b5be

SHA256
f886e6855cf4e92fb968f499b94b6167afba0fd5ce8d1b935c739a6d8d38d573

SHA512
b9256700252d4330095253ff3abaa885cc97967aafb39eeb6720db90ad55f6a9e70d925cdf0b77ca15e9ded6faab571ee2660fd2fdba038dad3247798fc22bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lib\test\cjkencodings\shift_jis-utf8.txt

Filesize
1KB

MD5
cc34bcc252d8014250b2fbc0a7880ead

SHA1
89a79425e089c311137adcdcf0a11dfa9d8a4e58

SHA256
a6bbfb8ecb911d13581f7713391f8c0ceea1edd41537fdb300bbb4d62dd72e9b

SHA512
c6fb4a793870993a9f1310ce59697397e5334dbb92031ab49a3ecc33c55e84737e626e815754c5ddbe7835b15d3817bf07d2b4c80ea5fd956792b4db96c18c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lib\test\test_importlib\extension\__init__.py

Filesize
147B

MD5
c3239b95575b0ad63408b8e633f9334d

SHA1
7dbb42dfa3ca934fb86b8e0e2268b6b793cbccdc

SHA256
6546a8ef1019da695edeca7c68103a1a8e746d88b89faf7d5297a60753fd1225

SHA512
5685131ad55f43ab73afccbef69652d03bb64e6135beb476bc987f316afe0198157507203b9846728bc7ea25bc88f040e7d2cb557c9480bac72f519d6ba90b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lib\test\test_importlib\extension\__main__.py

Filesize
62B

MD5
47878c074f37661118db4f3525b2b6cb

SHA1
9671e2ef6e3d9fa96e7450bcee03300f8d395533

SHA256
b4dc0b48d375647bcfab52d235abf7968daf57b6bbdf325766f31ce7752d7216

SHA512
13c626ada191848c31321c74eb7f0f1fde5445a82d34282d69e2b086ba6b539d8632c82bba61ff52185f75fec2514dad66139309835e53f5b09a3c5a2ebecff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lib\test\test_pydoc\__init__.py

Filesize
138B

MD5
4a7dba3770fec2986287b3c790e6ae46

SHA1
8c7a8f21c1bcdb542f4ce798ba7e97f61bee0ea0

SHA256
88db4157a69ee31f959dccbb6fbad3891ba32ad2467fe24858e36c6daccdba4d

SHA512
4596824f4c06b530ef378c88c7b4307b074f922e10e866a1c06d5a86356f88f1dad54c380791d5cfda470918235b6ead9514b49bc99c2371c1b14dc9b6453210

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.bat

Filesize
45B

MD5
ed6703a1bbbf0a717602766e93628921

SHA1
0966a051f605e9ad61ae0f299cb9e7ad0413f53d

SHA256
38cc38db9712ea1658559593e1abdf58efbd700c5c7e1ec93592949de085c554

SHA512
9cd2d22aa5e38f3fe574987b47d3ec21741d405953aa00e77479b14438318a4726c11161af3351c5617289fc9af6f82cbbb43fed1a01ab15733c3e343c7cd03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\python.exe

Filesize
101KB

MD5
c6ed974729d66dc7877bde3e966b460d

SHA1
d61806703f7b6d676bdd654e329c2e82348ac86c

SHA256
62ebc90a2884bb63a0cd67e789cafdd51e771eee043587e2354327b4ccc9bb05

SHA512
a865fda1b619674372871ee44a33d233f6025026295f6db896530bc6282dcc8f1f921c117570be7fce4b833a85dc02716d236a8688338e0bb2def256ed127bdb

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\python313.dll

Filesize
5.8MB

MD5
b9de917b925dd246b709bb4233777efd

SHA1
775f258d8b530c6ea9f0dd3d1d0b61c1948c25d2

SHA256
0c0a66505093b6a4bb3475f716bd3d9552095776f6a124709c13b3f9552c7d99

SHA512
f4bf3398f50fdd3ab7e3f02c1f940b4c8b5650ed7af16c626ccd1b934053ba73a35f96da03b349c1eb614bb23e0bc6b5cc58b07b7553a5c93c6d23124f324a33

Download Submit