d989111f600dc5837ebeb1b21c61b101e5bb4c814b82853cdeb1f71722d371fa

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

%%EKjp(LNhJNwcSvE[&N6RVSGj6DUVmyHvW0KS;ua}(Z3()#%xjz)&dwt8!d-WivxDjpB9km{w#[K9B=)77_m@WSLDeG$.jpg.exe
Size

11.3MB
MD5

72049d7eaee465534cd12e5d10feb00a
SHA1

de32b95447e9eb39890060b1009afeded3fd057c
SHA256

8d5a5ce35aa44311752bb0dca781c3618f4ef904a5f603891d0ddbb45a035014
SHA512

4e98e0079af1da81c47b4c8c1f62d3e05c003eac1a2f3948a37be492aa4a7aba61352bf5da3ecc688af181efce2f0728434e61a2808b99e112827142583b9a24
SSDEEP

196608:sqw1S3tU5FbqOjlPOH6/B5ppJ6AGCwnabJge/Vspg0pi5HSOQjLAoQiA9K0mZ1dF:aFbqOtm6VpJTbGe/zR5yLPAoQius5cqJ

Score

7^/10

pyinstaller upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

stub.exestub.exe

pid process

2280 stub.exe
904 stub.exe
1136
Loads dropped DLL 4 IoCs

Processes:

%%EKjp(LNhJNwcSvE[&N6RVSGj6DUVmyHvW0KS;ua}(Z3()#%xjz)&dwt8!d-WivxDjpB9km{w#[K9B=)77_m@WSLDeG$.jpg.exestub.exestub.exe

pid process

2352 %%EKjp(LNhJNwcSvE[&N6RVSGj6DUVmyHvW0KS;ua}(Z3()#%xjz)&dwt8!d-WivxDjpB9km{w#[K9B=)77_m@WSLDeG$.jpg.exe
2280 stub.exe
904 stub.exe
1136

pid	process
2280	stub.exe
904	stub.exe
1136

pid	process
2352	%%EKjp(LNhJNwcSvE[&N6RVSGj6DUVmyHvW0KS;ua}(Z3()#%xjz)&dwt8!d-WivxDjpB9km{w#[K9B=)77_m@WSLDeG$.jpg.exe
2280	stub.exe
904	stub.exe
1136

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI22802\python311.dll	upx
behavioral1/memory/904-61-0x000007FEF5DA0000-0x000007FEF6388000-memory.dmp	upx
behavioral1/memory/904-63-0x000007FEF5DA0000-0x000007FEF6388000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\stub.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

%%EKjp(LNhJNwcSvE[&N6RVSGj6DUVmyHvW0KS;ua}(Z3()#%xjz)&dwt8!d-WivxDjpB9km{w#[K9B=)77_m@WSLDeG$.jpg.exestub.exe

description	pid	process	target process
PID 2352 wrote to memory of 2280	2352	%%EKjp(LNhJNwcSvE[&N6RVSGj6DUVmyHvW0KS;ua}(Z3()#%xjz)&dwt8!d-WivxDjpB9km{w#[K9B=)77_m@WSLDeG$.jpg.exe	stub.exe
PID 2352 wrote to memory of 2280	2352	%%EKjp(LNhJNwcSvE[&N6RVSGj6DUVmyHvW0KS;ua}(Z3()#%xjz)&dwt8!d-WivxDjpB9km{w#[K9B=)77_m@WSLDeG$.jpg.exe	stub.exe
PID 2352 wrote to memory of 2280	2352	%%EKjp(LNhJNwcSvE[&N6RVSGj6DUVmyHvW0KS;ua}(Z3()#%xjz)&dwt8!d-WivxDjpB9km{w#[K9B=)77_m@WSLDeG$.jpg.exe	stub.exe
PID 2280 wrote to memory of 904	2280	stub.exe	stub.exe
PID 2280 wrote to memory of 904	2280	stub.exe	stub.exe
PID 2280 wrote to memory of 904	2280	stub.exe	stub.exe

C:\Users\Admin\AppData\Local\Temp\%%EKjp(LNhJNwcSvE[&N6RVSGj6DUVmyHvW0KS;ua}(Z3()#%xjz)&dwt8!d-WivxDjpB9km{w#[K9B=)77_m@WSLDeG$.jpg.exe
"C:\Users\Admin\AppData\Local\Temp\%%EKjp(LNhJNwcSvE[&N6RVSGj6DUVmyHvW0KS;ua}(Z3()#%xjz)&dwt8!d-WivxDjpB9km{w#[K9B=)77_m@WSLDeG$.jpg.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\stub.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\stub.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\stub.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\stub.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\stub.exe

Filesize
10.9MB

MD5
f2325513cec3a9a2ae5c3613b7c8604a

SHA1
51f54f9a39edada9fab81e630ac62b04f74427b9

SHA256
9f21637ec3141fb9d107cb73af85b5079435b0dc1acb5b0fa989fb03916f87cb

SHA512
ad1985865cb31081c3fbf24c57ce2cfa4b3b31b9db3cfde45e25b252162c25a31dabe464fdcbe96042d6ee3e3508e937bec838f6a8a91cbeddbdd45479afa17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22802\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
memory/904-61-0x000007FEF5DA0000-0x000007FEF6388000-memory.dmp

Filesize
5.9MB

Download
memory/904-63-0x000007FEF5DA0000-0x000007FEF6388000-memory.dmp

Filesize
5.9MB

Download
memory/2352-4-0x00000000022B0000-0x00000000022C0000-memory.dmp

Filesize
64KB

Download