53a48df43414b3ea7e0b61def5c565dec6ccd5debd90fbd7215f89ce5172d693

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

8.5MB
MD5

fe88600b4e98eb0ac949ae43af0de141
SHA1

24a14608b7c38f7e74d5c74f7c0f59032a99151e
SHA256

53a48df43414b3ea7e0b61def5c565dec6ccd5debd90fbd7215f89ce5172d693
SHA512

1c226bf339abd6be436243b783813ab6abc615ff5da3afb5ac948536ba86d1a7f5ae3f889c9f20271bad1d03ddd3b5e5db5ecf6b18f65483ae367406ec7293ff
SSDEEP

196608:0qwvWk0XhJZNKbDTRv7fjS1PNFHQ1bl+XWf882sjqB0dI/r:20xRKDRzfWLx6l3f8+g

Score

7^/10

pyinstaller

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

stub.exestub.exe

pid	Process
2868	stub.exe
3024	stub.exe
1360

Loads dropped DLL 4 IoCs

Processes:

test.exestub.exestub.exe

pid	Process
1356	test.exe
2868	stub.exe
3024	stub.exe
1360

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
behavioral1/files/0x000b00000001225c-3.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

test.exestub.exe

description	pid	Process	procid_target
PID 1356 wrote to memory of 2868	1356	test.exe	29
PID 1356 wrote to memory of 2868	1356	test.exe	29
PID 1356 wrote to memory of 2868	1356	test.exe	29
PID 2868 wrote to memory of 3024	2868	stub.exe	30
PID 2868 wrote to memory of 3024	2868	stub.exe	30
PID 2868 wrote to memory of 3024	2868	stub.exe	30

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\stub.exe
  "C:\Users\Admin\AppData\Local\Temp\stub.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\stub.exe
    "C:\Users\Admin\AppData\Local\Temp\stub.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI28682\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
\Users\Admin\AppData\Local\Temp\stub.exe

Filesize
8.3MB

MD5
2abbfb25196ba45ccc85c32898b8d50d

SHA1
eb6299f7ed55934543244088b6a9144927e49a19

SHA256
de7384b0fe1a8564d9ca22fcd0e9e7ee8ec3d09a86b017c54d0db51131a8b576

SHA512
f97aef78229990a59744a62490d4443c56ef18fdb3b783cb0f7cad31ce31d74fd94fbd7f854180c7f8cae067678a02c1f869f1e39c2fe592409687ecbbd50113

Download Submit