2afe60e31599db4d0857fcac3e48ddca6357dedd3b93cc5fc56e72a4b987bbc8

Analysis

max time kernel
148s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

matcha-9dbf9780562444e1-upd2 (1).rar
Size

19.8MB
MD5

aa078c80d48de8b4a9651e4527afc011
SHA1

964d33b6964f89d6f13dba8678f50e86f4aadf56
SHA256

2afe60e31599db4d0857fcac3e48ddca6357dedd3b93cc5fc56e72a4b987bbc8
SHA512

1dbca189c3b59e572aaf9791bb5cd7f8f231e4d236117e4d747243733bf521760b52ef08c7553e7934d0a5878de7e7eb53168e8aa3bd83336eb38f47d9be472a
SSDEEP

393216:2PCSlDkykih2dtIQX6vOE3vva3K6dU5v8kJKfPCSlDkykih2dtIQXS:QN+ik/Io69X5v8kAXN+ik/IH

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
1384	matcha.exe
2920	matcha.exe
2804	matcha.exe
2844	matcha.exe
2672	matcha.exe
2736	matcha.exe
1664	matcha.exe
2064	matcha.exe

Loads dropped DLL 15 IoCs

pid	Process
2188	7zFM.exe
1384	matcha.exe
2920	matcha.exe
2188	7zFM.exe
2804	matcha.exe
2844	matcha.exe
2188	7zFM.exe
2672	matcha.exe
2736	matcha.exe
2188	7zFM.exe
1664	matcha.exe
2064	matcha.exe
1272	Process not Found
1272	Process not Found
1272	Process not Found

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019761-34.dat	upx
behavioral1/memory/2920-36-0x000007FEF6150000-0x000007FEF67B3000-memory.dmp	upx
behavioral1/memory/2844-70-0x000007FEF5AE0000-0x000007FEF6143000-memory.dmp	upx
behavioral1/memory/2736-101-0x000007FEF5470000-0x000007FEF5AD3000-memory.dmp	upx
behavioral1/memory/2064-135-0x000007FEF4E00000-0x000007FEF5463000-memory.dmp	upx

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2188	7zFM.exe
2920	matcha.exe
2844	matcha.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2188	7zFM.exe
Token: 35	2188	7zFM.exe
Token: SeSecurityPrivilege	2188	7zFM.exe
Token: SeSecurityPrivilege	2188	7zFM.exe
Token: SeSecurityPrivilege	2188	7zFM.exe
Token: SeSecurityPrivilege	2188	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2188	7zFM.exe
2188	7zFM.exe
2188	7zFM.exe
2188	7zFM.exe
2188	7zFM.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1384	2188	7zFM.exe	31
PID 2188 wrote to memory of 1384	2188	7zFM.exe	31
PID 2188 wrote to memory of 1384	2188	7zFM.exe	31
PID 1384 wrote to memory of 2920	1384	matcha.exe	32
PID 1384 wrote to memory of 2920	1384	matcha.exe	32
PID 1384 wrote to memory of 2920	1384	matcha.exe	32
PID 2188 wrote to memory of 2804	2188	7zFM.exe	33
PID 2188 wrote to memory of 2804	2188	7zFM.exe	33
PID 2188 wrote to memory of 2804	2188	7zFM.exe	33
PID 2804 wrote to memory of 2844	2804	matcha.exe	34
PID 2804 wrote to memory of 2844	2804	matcha.exe	34
PID 2804 wrote to memory of 2844	2804	matcha.exe	34
PID 2188 wrote to memory of 2672	2188	7zFM.exe	35
PID 2188 wrote to memory of 2672	2188	7zFM.exe	35
PID 2188 wrote to memory of 2672	2188	7zFM.exe	35
PID 2672 wrote to memory of 2736	2672	matcha.exe	36
PID 2672 wrote to memory of 2736	2672	matcha.exe	36
PID 2672 wrote to memory of 2736	2672	matcha.exe	36
PID 2188 wrote to memory of 1664	2188	7zFM.exe	37
PID 2188 wrote to memory of 1664	2188	7zFM.exe	37
PID 2188 wrote to memory of 1664	2188	7zFM.exe	37
PID 1664 wrote to memory of 2064	1664	matcha.exe	38
PID 1664 wrote to memory of 2064	1664	matcha.exe	38
PID 1664 wrote to memory of 2064	1664	matcha.exe	38

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\matcha-9dbf9780562444e1-upd2 (1).rar"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\7zOC882D9C6\matcha.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC882D9C6\matcha.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Users\Admin\AppData\Local\Temp\7zOC882D9C6\matcha.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC882D9C6\matcha.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2920
- C:\Users\Admin\AppData\Local\Temp\7zOC8827CC6\matcha.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC8827CC6\matcha.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\7zOC8827CC6\matcha.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC8827CC6\matcha.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2844
- C:\Users\Admin\AppData\Local\Temp\7zOC882FEC6\matcha.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC882FEC6\matcha.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\7zOC882FEC6\matcha.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC882FEC6\matcha.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2736
- C:\Users\Admin\AppData\Local\Temp\7zOC88C22D6\matcha.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC88C22D6\matcha.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\7zOC88C22D6\matcha.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC88C22D6\matcha.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI13842\python313.dll

Filesize
1.8MB

MD5
6ef5d2f77064df6f2f47af7ee4d44f0f

SHA1
0003946454b107874aa31839d41edcda1c77b0af

SHA256
ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

SHA512
1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

Download Submit
\Users\Admin\AppData\Local\Temp\7zOC882D9C6\matcha.exe

Filesize
7.6MB

MD5
0734f6bedc4b869ee82b9d4cccff40b5

SHA1
f85fad7213954af4c1e97fd8ec295edf76882095

SHA256
f126a99a61fbb3ea941e81fce01cd2a2d64080b33789553f94c2c6043f3b470d

SHA512
897794b690ab100abd0116d167e02d70089890b6b3f9091cccdec82e3bb0b1b3a5f7cc3a0ccbf6aff7f86322e09313277f3233e5879350840b0331fa55fc2ba4

Download Submit
memory/2064-135-0x000007FEF4E00000-0x000007FEF5463000-memory.dmp

Filesize
6.4MB

Download
memory/2736-101-0x000007FEF5470000-0x000007FEF5AD3000-memory.dmp

Filesize
6.4MB

Download
memory/2844-70-0x000007FEF5AE0000-0x000007FEF6143000-memory.dmp

Filesize
6.4MB

Download
memory/2920-36-0x000007FEF6150000-0x000007FEF67B3000-memory.dmp

Filesize
6.4MB

Download