10a22d1e474fcf99f281d21e8abe3b4178216de0bab6c1840f788512ee9996d0

Resubmissions

05-12-2024 22:16

241205-16txns1lem 10

05-12-2024 22:14

241205-1534ysvjhs 10

Analysis

max time kernel
1561s
max time network
1563s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pornhub.rar
Size

72.9MB
MD5

b6bc9965c5ad28b959384efaffd03990
SHA1

b59b1e685d9bed2cf6de46dada3fbc68a7153da2
SHA256

10a22d1e474fcf99f281d21e8abe3b4178216de0bab6c1840f788512ee9996d0
SHA512

c47ed4591e3ba6d3d2c8563dd8ca0fce119b29fed0af6fda09c6c11a0e28844a15a88c682fd4cc16ae7e15c52e5749223da88744f2c16db7f9ae74f5f5fd693d
SSDEEP

1572864:yzYZR36b372I++YbdOjEVW7kH1Z9skVoKE4X7FkXm7TkUDYhtv0zE:yU3G36BbdOjEVW7kVZCKE4X7627TBDY7

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1812	source_prepared.exe
2380	source_prepared.exe

Loads dropped DLL 5 IoCs

pid	Process
2512	7zFM.exe
1812	source_prepared.exe
2380	source_prepared.exe
1232	Process not Found
1232	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000020ae0-1274.dat	upx
behavioral1/memory/2380-1276-0x000007FEF5A10000-0x000007FEF5E7E000-memory.dmp	upx

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2512	7zFM.exe
2380	source_prepared.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2512	7zFM.exe
Token: 35	2512	7zFM.exe
Token: SeSecurityPrivilege	2512	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2512	7zFM.exe
2512	7zFM.exe
2512	7zFM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 1812	2512	7zFM.exe	31
PID 2512 wrote to memory of 1812	2512	7zFM.exe	31
PID 2512 wrote to memory of 1812	2512	7zFM.exe	31
PID 1812 wrote to memory of 2380	1812	source_prepared.exe	32
PID 1812 wrote to memory of 2380	1812	source_prepared.exe	32
PID 1812 wrote to memory of 2380	1812	source_prepared.exe	32

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\pornhub.rar"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\7zO0D9D6BE6\source_prepared.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0D9D6BE6\source_prepared.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\7zO0D9D6BE6\source_prepared.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0D9D6BE6\source_prepared.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI18122\python310.dll

Filesize
1.4MB

MD5
701e2e5d0826f378a53dc5c83164c741

SHA1
62725dbee8546a7c9751679669c4aeb829bcb5a7

SHA256
9db7ebafff20370df1ae6fc5ee98962e03fcfc02ec47abed28802191f6750dd2

SHA512
df30dfba245a64f72bcf8c478d94a9902797493ce25f266fa04a0b67ad7887c8f9253404c0425285342ae771c8a44ae414887447f14d76c696f7902933367f1f

Download Submit
memory/2380-1276-0x000007FEF5A10000-0x000007FEF5E7E000-memory.dmp

Filesize
4.4MB

Download