9abbee10fe330e17e3a13ef414e36aca1f86eac6cbe7a400abd7f321049b254a

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main2.exe
Size

16.2MB
MD5

ae9d50dc273f154d4fdbe423718650cf
SHA1

7b784cbbd73bfe05f9f13c0131fdde36a6dbd8a1
SHA256

9abbee10fe330e17e3a13ef414e36aca1f86eac6cbe7a400abd7f321049b254a
SHA512

b6df313e53c66dd780a492578d2b819277f380da97e2a4a399817bcd8f5b15eda8551de343baddd9051452428dc2ff106b346e31485a90786074f83dbb7298c5
SSDEEP

393216:knNT13lgp6awg3GPml5NEJrhvq0R1OD17u2+DWXtA1U:q5Blgd2Nhvq0zOhV

Score

7^/10

discovery pyinstaller

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

built.exeMSUpdate.exeMSUpdate.exe

pid	Process
2788	built.exe
2700	MSUpdate.exe
2296	MSUpdate.exe
1212

Loads dropped DLL 5 IoCs

Processes:

main2.exebuilt.exeMSUpdate.exe

pid	Process
2828	main2.exe
2788	built.exe
2828	main2.exe
2296	MSUpdate.exe
1212

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	ip-api.com

Enumerates processes with tasklist 1 TTPs 9 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	Process
1644	tasklist.exe
1872	tasklist.exe
1312	tasklist.exe
2588	tasklist.exe
2720	tasklist.exe
2388	tasklist.exe
2120	tasklist.exe
2668	tasklist.exe
2744	tasklist.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
behavioral1/files/0x0008000000015dc3-22.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

main2.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main2.exe

Delays execution with timeout.exe 8 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
2288	timeout.exe
1248	timeout.exe
1592	timeout.exe
2632	timeout.exe
1984	timeout.exe
1228	timeout.exe
1696	timeout.exe
2564	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

built.exe

pid	Process
2788	built.exe
2788	built.exe
2788	built.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

built.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	Process
Token: SeDebugPrivilege	2788	built.exe
Token: SeDebugPrivilege	2120	tasklist.exe
Token: SeDebugPrivilege	2668	tasklist.exe
Token: SeDebugPrivilege	1644	tasklist.exe
Token: SeDebugPrivilege	1872	tasklist.exe
Token: SeDebugPrivilege	2744	tasklist.exe
Token: SeDebugPrivilege	2588	tasklist.exe
Token: SeDebugPrivilege	2720	tasklist.exe
Token: SeDebugPrivilege	2388	tasklist.exe
Token: SeDebugPrivilege	1312	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

main2.exeMSUpdate.exebuilt.execmd.exe

description	pid	Process	procid_target
PID 2828 wrote to memory of 2788	2828	main2.exe	62
PID 2828 wrote to memory of 2788	2828	main2.exe	62
PID 2828 wrote to memory of 2788	2828	main2.exe	62
PID 2828 wrote to memory of 2788	2828	main2.exe	62
PID 2828 wrote to memory of 2700	2828	main2.exe	31
PID 2828 wrote to memory of 2700	2828	main2.exe	31
PID 2828 wrote to memory of 2700	2828	main2.exe	31
PID 2828 wrote to memory of 2700	2828	main2.exe	31
PID 2700 wrote to memory of 2296	2700	MSUpdate.exe	32
PID 2700 wrote to memory of 2296	2700	MSUpdate.exe	32
PID 2700 wrote to memory of 2296	2700	MSUpdate.exe	32
PID 2788 wrote to memory of 1624	2788	built.exe	33
PID 2788 wrote to memory of 1624	2788	built.exe	33
PID 2788 wrote to memory of 1624	2788	built.exe	33
PID 1624 wrote to memory of 2464	1624	cmd.exe	35
PID 1624 wrote to memory of 2464	1624	cmd.exe	35
PID 1624 wrote to memory of 2464	1624	cmd.exe	35
PID 1624 wrote to memory of 2120	1624	cmd.exe	36
PID 1624 wrote to memory of 2120	1624	cmd.exe	36
PID 1624 wrote to memory of 2120	1624	cmd.exe	36
PID 1624 wrote to memory of 2380	1624	cmd.exe	37
PID 1624 wrote to memory of 2380	1624	cmd.exe	37
PID 1624 wrote to memory of 2380	1624	cmd.exe	37
PID 1624 wrote to memory of 2564	1624	cmd.exe	39
PID 1624 wrote to memory of 2564	1624	cmd.exe	39
PID 1624 wrote to memory of 2564	1624	cmd.exe	39
PID 1624 wrote to memory of 2668	1624	cmd.exe	40
PID 1624 wrote to memory of 2668	1624	cmd.exe	40
PID 1624 wrote to memory of 2668	1624	cmd.exe	40
PID 1624 wrote to memory of 996	1624	cmd.exe	41
PID 1624 wrote to memory of 996	1624	cmd.exe	41
PID 1624 wrote to memory of 996	1624	cmd.exe	41
PID 1624 wrote to memory of 2288	1624	cmd.exe	42
PID 1624 wrote to memory of 2288	1624	cmd.exe	42
PID 1624 wrote to memory of 2288	1624	cmd.exe	42
PID 1624 wrote to memory of 1644	1624	cmd.exe	43
PID 1624 wrote to memory of 1644	1624	cmd.exe	43
PID 1624 wrote to memory of 1644	1624	cmd.exe	43
PID 1624 wrote to memory of 892	1624	cmd.exe	44
PID 1624 wrote to memory of 892	1624	cmd.exe	44
PID 1624 wrote to memory of 892	1624	cmd.exe	44
PID 1624 wrote to memory of 1248	1624	cmd.exe	45
PID 1624 wrote to memory of 1248	1624	cmd.exe	45
PID 1624 wrote to memory of 1248	1624	cmd.exe	45
PID 1624 wrote to memory of 1872	1624	cmd.exe	46
PID 1624 wrote to memory of 1872	1624	cmd.exe	46
PID 1624 wrote to memory of 1872	1624	cmd.exe	46
PID 1624 wrote to memory of 2848	1624	cmd.exe	47
PID 1624 wrote to memory of 2848	1624	cmd.exe	47
PID 1624 wrote to memory of 2848	1624	cmd.exe	47
PID 1624 wrote to memory of 1592	1624	cmd.exe	48
PID 1624 wrote to memory of 1592	1624	cmd.exe	48
PID 1624 wrote to memory of 1592	1624	cmd.exe	48
PID 1624 wrote to memory of 2744	1624	cmd.exe	49
PID 1624 wrote to memory of 2744	1624	cmd.exe	49
PID 1624 wrote to memory of 2744	1624	cmd.exe	49
PID 1624 wrote to memory of 2856	1624	cmd.exe	50
PID 1624 wrote to memory of 2856	1624	cmd.exe	50
PID 1624 wrote to memory of 2856	1624	cmd.exe	50
PID 1624 wrote to memory of 2632	1624	cmd.exe	51
PID 1624 wrote to memory of 2632	1624	cmd.exe	51
PID 1624 wrote to memory of 2632	1624	cmd.exe	51
PID 1624 wrote to memory of 2588	1624	cmd.exe	52
PID 1624 wrote to memory of 2588	1624	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\main2.exe
"C:\Users\Admin\AppData\Local\Temp\main2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Roaming\built.exe
  "C:\Users\Admin\AppData\Roaming\built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp819E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp819E.tmp.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2464
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 2788"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2120
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:2380
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2564
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 2788"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2668
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:996
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2288
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 2788"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1644
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:892
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1248
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 2788"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1872
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:2848
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1592
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 2788"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2744
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:2856
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2632
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 2788"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2588
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:1244
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1984
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 2788"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2720
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:2664
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1228
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 2788"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2388
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:2760
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1696
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 2788"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1312
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:2788
- C:\Users\Admin\AppData\Roaming\MSUpdate.exe
  "C:\Users\Admin\AppData\Roaming\MSUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Roaming\MSUpdate.exe
    "C:\Users\Admin\AppData\Roaming\MSUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI27002\python312.dll

Filesize
6.6MB

MD5
b243d61f4248909bc721674d70a633de

SHA1
1d2fb44b29c4ac3cfd5a7437038a0c541fce82fc

SHA256
93488fa7e631cc0a2bd808b9eee8617280ee9b6ff499ab424a1a1cbf24d77dc7

SHA512
10460c443c7b9a6d7e39ad6e2421b8ca4d8329f1c4a0ff5b71ce73352d2e9438d45f7d59edb13ce30fad3b4f260bd843f4d9b48522d448310d43e0988e075fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp819E.tmp.bat

Filesize
290B

MD5
dd1782c253b8b9d06e77b2eec69e8f38

SHA1
1cedeb0bbddde5a944491f33246da8c055eab80d

SHA256
8ae6fdc2a4bc392268af993a4bae02551dc9607ea75a231e734f66951470df89

SHA512
321204f8be37a1d6f95bf935972463b66781dff4342962c4d6e41ab1d525ce33656beb46044d740ff0dbe572699316b36d3e6a587f8eacf8fd6ccdfde976ff3e

Download Submit
C:\Users\Admin\AppData\Roaming\built.exe

Filesize
5.6MB

MD5
f35cdc0465a904ce77c84c4fd66d6edf

SHA1
525e4b813714957bbef1e58340989737cf60c5f7

SHA256
d1be6e751bc79cf1162fabaf182547e7ea13d8ba8f414dd652a2075768d47a15

SHA512
19e8b9ff7fa78a616e3653b36011791a9cab871b3023e27d25f2b81e10d87c66c8273d5ba867e2aeb803591d793e57a87307f02fbafd882650a5fa6edcdc1837

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
\Users\Admin\AppData\Roaming\MSUpdate.exe

Filesize
10.5MB

MD5
79d19e7b20c0a9f3ac172041dcf84c97

SHA1
2e8a9c7d1aac017c1fabae50677e5bedea55c16d

SHA256
6080208516fa0312f72202ff528cf3ae055fcec32049191c8b4043bdb52bf072

SHA512
1d3fa42566c332501300da43e462a68341f9fc5aa5328d1b57cbb947e9b3e3eaa86d3368f52e82e3294fff63dc53587fda070967fa9a533dc4f9497a71e72e35

Download Submit
memory/2788-15-0x0000000000040000-0x00000000005E2000-memory.dmp

Filesize
5.6MB

Download
memory/2828-5-0x000000000B640000-0x000000000C66E000-memory.dmp

Filesize
16.2MB

Download
memory/2828-8-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2828-7-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2828-6-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2828-0-0x0000000001960000-0x0000000002990000-memory.dmp

Filesize
16.2MB

Download
memory/2828-4-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2828-103-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2828-30-0x0000000000150000-0x000000000118A000-memory.dmp

Filesize
16.2MB

Download
memory/2828-3-0x000000007460E000-0x000000007460F000-memory.dmp

Filesize
4KB

Download
memory/2828-2-0x0000000001960000-0x0000000002990000-memory.dmp

Filesize
16.2MB

Download