a495b85839d5632aab568ff0a41aeeceb0c949bffe99980d097a28027c454fdc

General

Target

mainmenunotFUD.exe
Size

16.2MB
MD5

72e3eb7e641fd4c32335ed5201683d9a
SHA1

f63651ae7a673b5b459796aebaf5b7f0c76c0687
SHA256

a495b85839d5632aab568ff0a41aeeceb0c949bffe99980d097a28027c454fdc
SHA512

d4428cd7224ac5382cd7c9761230905ea027126a4717fcd58e646721029c2c327ed7580d0d1b2ac16c444db3d40969a4ec718694960e24e2229113c45a978e8d
SSDEEP

393216:z1Mn5D38U+pzCq+hqavItKM+0myAZGwCH+DKp3n:z1M5DD+pzz4DAt+yq5CkM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1268	anti.exe
1976	MSUpdate.exe
1536	MSUpdate.exe
1196	Process not Found

Loads dropped DLL 3 IoCs

pid	Process
2620	mainmenunotFUD.exe
1268	anti.exe
1536	MSUpdate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2112	tasklist.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000700000001955c-12.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1268	anti.exe
1268	anti.exe
1268	anti.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	anti.exe
Token: SeDebugPrivilege	2112	tasklist.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 1268	2620	mainmenunotFUD.exe	30
PID 2620 wrote to memory of 1268	2620	mainmenunotFUD.exe	30
PID 2620 wrote to memory of 1268	2620	mainmenunotFUD.exe	30
PID 2620 wrote to memory of 1976	2620	mainmenunotFUD.exe	31
PID 2620 wrote to memory of 1976	2620	mainmenunotFUD.exe	31
PID 2620 wrote to memory of 1976	2620	mainmenunotFUD.exe	31
PID 1976 wrote to memory of 1536	1976	MSUpdate.exe	33
PID 1976 wrote to memory of 1536	1976	MSUpdate.exe	33
PID 1976 wrote to memory of 1536	1976	MSUpdate.exe	33
PID 1268 wrote to memory of 2376	1268	anti.exe	35
PID 1268 wrote to memory of 2376	1268	anti.exe	35
PID 1268 wrote to memory of 2376	1268	anti.exe	35
PID 2376 wrote to memory of 2088	2376	cmd.exe	37
PID 2376 wrote to memory of 2088	2376	cmd.exe	37
PID 2376 wrote to memory of 2088	2376	cmd.exe	37
PID 2376 wrote to memory of 2112	2376	cmd.exe	38
PID 2376 wrote to memory of 2112	2376	cmd.exe	38
PID 2376 wrote to memory of 2112	2376	cmd.exe	38
PID 2376 wrote to memory of 1804	2376	cmd.exe	39
PID 2376 wrote to memory of 1804	2376	cmd.exe	39
PID 2376 wrote to memory of 1804	2376	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\mainmenunotFUD.exe
"C:\Users\Admin\AppData\Local\Temp\mainmenunotFUD.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Roaming\anti.exe
  "C:\Users\Admin\AppData\Roaming\anti.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpEAAD.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpEAAD.tmp.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2088
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 1268"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2112
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:1804
- C:\Users\Admin\AppData\Roaming\MSUpdate.exe
  "C:\Users\Admin\AppData\Roaming\MSUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Roaming\MSUpdate.exe
    "C:\Users\Admin\AppData\Roaming\MSUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI19762\python312.dll

Filesize
6.6MB

MD5
b243d61f4248909bc721674d70a633de

SHA1
1d2fb44b29c4ac3cfd5a7437038a0c541fce82fc

SHA256
93488fa7e631cc0a2bd808b9eee8617280ee9b6ff499ab424a1a1cbf24d77dc7

SHA512
10460c443c7b9a6d7e39ad6e2421b8ca4d8329f1c4a0ff5b71ce73352d2e9438d45f7d59edb13ce30fad3b4f260bd843f4d9b48522d448310d43e0988e075fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEAAD.tmp.bat

Filesize
286B

MD5
3a5d031b46b7626eadeb537a6673e3ad

SHA1
408f14dd2eb86740eb8bdc3515107b458d166de2

SHA256
658fa8a423d09a494795092b0afc12176bd68df16e81fadd0b5f326caaeeb6f9

SHA512
710de628eb64fb866cb42f98fb268a22cf9a72892672daa550b12d2665b1a399d16276bf692adaaa85507dda80469baf0edb4cfc36d03ba84dc4f9d0cc7782bb

Download Submit
C:\Users\Admin\AppData\Roaming\MSUpdate.exe

Filesize
10.5MB

MD5
79d19e7b20c0a9f3ac172041dcf84c97

SHA1
2e8a9c7d1aac017c1fabae50677e5bedea55c16d

SHA256
6080208516fa0312f72202ff528cf3ae055fcec32049191c8b4043bdb52bf072

SHA512
1d3fa42566c332501300da43e462a68341f9fc5aa5328d1b57cbb947e9b3e3eaa86d3368f52e82e3294fff63dc53587fda070967fa9a533dc4f9497a71e72e35

Download Submit
C:\Users\Admin\AppData\Roaming\anti.exe

Filesize
5.6MB

MD5
c027262ab1e2e60254c9134f00cbb497

SHA1
b272fdf3cac37018c22dc0d10d4bb2572610e0c2

SHA256
ee36c37f0e65d44cfd7a31fcfc1d6ca8ad78038c0aabed1f5ea0d7c19bb8dc65

SHA512
296ce05a6df8f69e99d011f7b2f13dfc49839b457e1d15b48d4bee0f6a322eac0d3d4c853ac13fd72ce82fe17e7b047073735f99721df780d6cb75bce2b2e83d

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
memory/1268-142-0x0000000001330000-0x00000000018D2000-memory.dmp

Filesize
5.6MB

Download
memory/1268-245-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/1268-401-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/1268-970-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2620-0-0x000007FEF5923000-0x000007FEF5924000-memory.dmp

Filesize
4KB

Download
memory/2620-1-0x0000000001210000-0x000000000223E000-memory.dmp

Filesize
16.2MB

Download

Analysis

Sharing