1f3ac725f48f2442886bfafab79345396961c4dc15b63b9904c5a6cc0328fb8e

Analysis

max time kernel
20s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYPAL OTp Bypass Tool.zip
Size

78.9MB
MD5

0c9d7d19836ff3aed99feed740cd8d91
SHA1

6f7744bfbef888350b88174f043da4df67af9095
SHA256

1f3ac725f48f2442886bfafab79345396961c4dc15b63b9904c5a6cc0328fb8e
SHA512

3b77352bdc3431ce4b9d821cb7a38d7bb4ede4272a6163d51b99ee80eca8835a91740187c93b8e848a484f5b2ec655d97ab4abfb1a678f8ccbc2d1e7e5aed9ea
SSDEEP

1572864:F/wMAW9nQn1avuG90ouo8OlKbpeROas3RVG3CPtp8MCUB030wPju:pmjGz8gMJaJMJikwPju

Score

7^/10

pyinstaller upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Cracked by CRAX-it v3.0.1.exe

pid	Process
2528	Cracked by CRAX-it v3.0.1.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000500000001a457-66.dat	upx
behavioral1/memory/1636-68-0x000007FEEE7C0000-0x000007FEEEDA8000-memory.dmp	upx

Detects Pyinstaller 2 IoCs

pyinstaller

Processes:

resource	yara_rule
behavioral1/files/0x0009000000016d3f-16.dat	pyinstaller
behavioral1/files/0x0009000000016d3f-184.dat	pyinstaller

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
432	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description	pid	Process
Token: SeRestorePrivilege	432	7zFM.exe
Token: 35	432	7zFM.exe
Token: SeSecurityPrivilege	432	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid	Process
432	7zFM.exe
432	7zFM.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7zFM.exe

description	pid	Process	procid_target
PID 432 wrote to memory of 2528	432	7zFM.exe	29
PID 432 wrote to memory of 2528	432	7zFM.exe	29
PID 432 wrote to memory of 2528	432	7zFM.exe	29

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PAYPAL OTp Bypass Tool.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\Temp\7zO0B1A0E78\Cracked by CRAX-it v3.0.1.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0B1A0E78\Cracked by CRAX-it v3.0.1.exe"
  2⤵
  - Executes dropped EXE
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr
    "C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr" /S
    3⤵
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr
      "C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr" /S
      4⤵
      PID:1636
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    PID:2296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr

Filesize
10.8MB

MD5
cef29c1e8a1801491d7435b4e2e0a6c5

SHA1
713333f4aba42f0bb92f5d1aa2a9f04b0a2b9181

SHA256
3d775c0e73de534794d1b34346c272617d098f689a0e573ee90d1f9030269f35

SHA512
b0a65939dfc7d308e2dfd575161b4c8d85746ae32744bf18e61dafd698b40a246bdc5ffda8abbefc89fc4f75b388e3a139f54196112fed68d16a96d1e298d598

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27962\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr

Filesize
6.1MB

MD5
bf45c37bafc4f4b958dc2978d4c7cc6c

SHA1
406be2ea6c81cd7f7dbf50e542756b43951b8f4b

SHA256
89e7a468fc550ef65c739faf788683faec7d350a209173dd7ffd8e3ce57eec8f

SHA512
71172854b1ece01d5c0af37b20e0982338a6050a88f788ec63ffe15c747b1a9ef8ba45b01a8569c8bbbf96fe358cba48b363e6c2e2035906d26f59f8f8c2da81

Download Submit
\Users\Admin\AppData\Local\Temp\nse96F3.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nse96F3.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/1636-68-0x000007FEEE7C0000-0x000007FEEEDA8000-memory.dmp

Filesize
5.9MB

Download
memory/2528-11-0x0000000000F20000-0x0000000005726000-memory.dmp

Filesize
72.0MB

Download