b5f13b165130351b69e94586a8ed864262664a930496b412b80d9c3cf51ec1c5

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5f13b165130351b69e94586a8ed864262664a930496b412b80d9c3cf51ec1c5.exe
Size

8.5MB
MD5

e90780d3da495c8ac3e0d31fa5e0af52
SHA1

f04a55edf97af3a26bfad64f33d9a9a2e0d732f8
SHA256

b5f13b165130351b69e94586a8ed864262664a930496b412b80d9c3cf51ec1c5
SHA512

a2b6502891b69141af5085bc9d6316657118eaf9e75c86689f2ff61d2f19a2ed97115d3e96fdb26591ccdbf6020152709c2f9eb407c787d7580bbe8abbff537e
SSDEEP

196608:93GDA2c4s3H5D5ySAhHj6glb97gNhR6xAnUmEK8Fccr9mq0jvK:L2twkHrpUt6ezEK8/MqovK

Score

7^/10

discovery pyinstaller

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1484	18922.exe
2760	360Safe.exe
2788	18922.exe
1224	Process not Found

Loads dropped DLL 10 IoCs

pid	Process
2096	b5f13b165130351b69e94586a8ed864262664a930496b412b80d9c3cf51ec1c5.exe
1484	18922.exe
2788	18922.exe
2788	18922.exe
2788	18922.exe
2788	18922.exe
2788	18922.exe
2788	18922.exe
2788	18922.exe
1224	Process not Found

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000700000001868b-8.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	360Safe.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 1484	2096	b5f13b165130351b69e94586a8ed864262664a930496b412b80d9c3cf51ec1c5.exe	31
PID 2096 wrote to memory of 1484	2096	b5f13b165130351b69e94586a8ed864262664a930496b412b80d9c3cf51ec1c5.exe	31
PID 2096 wrote to memory of 1484	2096	b5f13b165130351b69e94586a8ed864262664a930496b412b80d9c3cf51ec1c5.exe	31
PID 2096 wrote to memory of 2760	2096	b5f13b165130351b69e94586a8ed864262664a930496b412b80d9c3cf51ec1c5.exe	32
PID 2096 wrote to memory of 2760	2096	b5f13b165130351b69e94586a8ed864262664a930496b412b80d9c3cf51ec1c5.exe	32
PID 2096 wrote to memory of 2760	2096	b5f13b165130351b69e94586a8ed864262664a930496b412b80d9c3cf51ec1c5.exe	32
PID 2096 wrote to memory of 2760	2096	b5f13b165130351b69e94586a8ed864262664a930496b412b80d9c3cf51ec1c5.exe	32
PID 1484 wrote to memory of 2788	1484	18922.exe	33
PID 1484 wrote to memory of 2788	1484	18922.exe	33
PID 1484 wrote to memory of 2788	1484	18922.exe	33

C:\Users\Admin\AppData\Local\Temp\b5f13b165130351b69e94586a8ed864262664a930496b412b80d9c3cf51ec1c5.exe
"C:\Users\Admin\AppData\Local\Temp\b5f13b165130351b69e94586a8ed864262664a930496b412b80d9c3cf51ec1c5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096
- C:\windows\temp\18922.exe
  "C:\windows\temp\18922.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\windows\temp\18922.exe
    "C:\windows\temp\18922.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2788
- C:\windows\temp\360Safe.exe
  "C:\windows\temp\360Safe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI14842\python312.dll

Filesize
6.7MB

MD5
550288a078dffc3430c08da888e70810

SHA1
01b1d31f37fb3fd81d893cc5e4a258e976f5884f

SHA256
789a42ac160cef98f8925cb347473eeeb4e70f5513242e7faba5139ba06edf2d

SHA512
7244432fc3716f7ef27630d4e8fbc8180a2542aa97a01d44dca260ab43966dd8ac98b6023400b0478a4809aace1a128f1f4d6e544f2e591a5b436fd4c8a9d723

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14842\ucrtbase.dll

Filesize
1.1MB

MD5
05f2140c1a8a139f2e9866aa2c3166f1

SHA1
9170cff11f3b91f552ac09a186a3bae7ea7cda25

SHA256
048d4c5a51e45777ba15facdaddbf7702594a2268e8de1768ab0f5f4e4d7e733

SHA512
bdc7daf31fa9261967cab58c928fe5146b53c96f9b7c702ae8ee761b2652702d9f34dabf4252b7b580311d6dd4d2914ea7721296bebcea3344006eaa0f99f2ed

Download Submit
C:\Windows\Temp\18922.exe

Filesize
7.8MB

MD5
eaf60985c9d82577ca7e618d2b7ae9cf

SHA1
bf3d1095af8e4cb98ddbf89ae00209a6b055656c

SHA256
e228046a67266978e2c064cac310ba4e2e824de1a476759645ba4e67e86aeb32

SHA512
d30125983df95695efc55770e045059e1db690dc8b4a8e3e397cdbf603c70966f16e28c36ad16e5745d642b2ee68f54fe1ff27f9d224d601ac33de5c83a8146a

Download Submit
C:\Windows\Temp\360Safe.exe

Filesize
1.2MB

MD5
347ee5203fe1241e0b99990ee25977a1

SHA1
af188d36d1ca10ed2c1678626f48e437f88557fd

SHA256
a795dae40459d041e1a9ac9b1a0970fe8cd010ecd2d66d42caf8d607570b0a8e

SHA512
26ea4a5a9d5c9d2b60febb795c92b1078a17891d9d41d4fcf9717088772e990a8132f31785bcdaf9ac70b423e0fda0ab19eeb4c8c059b6c0cdb20cf54820f3a7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14842\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
a855f5ffc6690c1bd1706d1dae6251a2

SHA1
075f84148285a2b61808d3094c8e1fe35466d59f

SHA256
98b4b6a29374e68a383bd6e4b58cd76223335d38d2586c5a494466444811b75c

SHA512
35ee703d27e15e192a847f86c22ad613880e1e53296a1bc0ae2249b2a777a0bfe3695fd609278281e8b3e5621534a242c3d3a7bda48c7ab23e513b59ceeb889d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14842\api-ms-win-core-file-l2-1-0.dll

Filesize
21KB

MD5
18a078bf6941f50fc3158b749441b9ce

SHA1
279e944990b2fb184a6d09e3e62f574751e2e9a7

SHA256
637e9a34044c366b9b004e62ee15aa4875e344a5a6b7634c803a40d95883d7cc

SHA512
bc45590aaa25264e2c9640f5a9a357d6b0cf88e9027fcf70fcad666a50cc309378ce9a49e0d02cdf299b2631b724e863e31061090d6ae7893db048afa6fb6943

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14842\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
8a52d5f941f257c581e856811586b887

SHA1
a510353c67126ec00d13a3f4c0b2e494394a2949

SHA256
6ce59c2de64b6195695e8754636cbe283a7af3ddb78acf32c3879d7d09aba4b1

SHA512
39bad27e61d9a694740556c8290739780ebd7cfdd1f909b85a37ef5c55bc3bd8f439cb6e26d77715649bb04ae701a02fc789535f0d23a5db9ca4a981a38fcb8e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14842\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
cb6102cdcd530e82f9a7f2579dd5be22

SHA1
8f1881ba356c8d7497580fc5efe2681200632cae

SHA256
f5c82a141bdc7929bb3d6d4196c0e8501f4a894fd65a435f8134c073134461ac

SHA512
bc9129d58c05991f4567d2ce64e5d5a5ecaa876503ee0644ac61b67fea4b794251cd0f1d1631ef63e8f530a0db074684cde9f35d852ddcb50a9b02d641a63d59

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14842\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
7f0a0a190aea88884088bd09d36a2c4b

SHA1
f8d3039deda1f7fc025f4e4cbbc3010cba3762b3

SHA256
a202f21169cc103c019019d3cbc05c3549a8dbac6eed0ecb4e5281e36f028a26

SHA512
5f75ad8016ee9649cd565e27930f951cfc7b40b468ca7a5792578301ff2a16825ca2a98103ba8f4e6d8feb761655be1d8c24fa9e1d539bec6c3a5b3a04f8e9b6

Download Submit