96686ab00fd704a700ce99225d40e51b21ae044f2978cc4e0873f0a856b4e3c2

General

Target

Galaxy-Fix.6.5.7.rar
Size

20.9MB
MD5

7c1a2b00bd8d556198b09fc796635bd0
SHA1

ca60082d568123c0e9a1af8042edf96e165eb06c
SHA256

96686ab00fd704a700ce99225d40e51b21ae044f2978cc4e0873f0a856b4e3c2
SHA512

758c2b60c709af32b2bbb1bd98d62619c26dcd9995e1f78c401fac525150cbe1fcb59a04384226eccccc31e50223629777a535279de1de019c61fd391286d724
SSDEEP

393216:qnd6VH44nFtVx1r+zbFOlL4eWcu5Wzo4mTs4fC2QY0L+3IbR:qd6VHPnF/LqzbFOJ3jkJR0L+YbR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2436	Swapper_Update5.6.7.exe
2952	Swapper_Update5.6.7.exe
2704	Swapper_Update5.6.7.exe
3024	Swapper_Update5.6.7.exe
2968	Swapper_Update5.6.7.exe
2080	Swapper_Update5.6.7.exe

Loads dropped DLL 12 IoCs

pid	Process
272	7zFM.exe
2436	Swapper_Update5.6.7.exe
2952	Swapper_Update5.6.7.exe
1196	Process not Found
272	7zFM.exe
2704	Swapper_Update5.6.7.exe
3024	Swapper_Update5.6.7.exe
272	7zFM.exe
2968	Swapper_Update5.6.7.exe
2080	Swapper_Update5.6.7.exe
1196	Process not Found
1196	Process not Found

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a4af-56.dat	upx
behavioral1/memory/2952-58-0x000007FEF6480000-0x000007FEF6A68000-memory.dmp	upx
behavioral1/memory/2952-60-0x000007FEF6480000-0x000007FEF6A68000-memory.dmp	upx
behavioral1/memory/2080-178-0x000007FEF5E90000-0x000007FEF6478000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0009000000016cc9-3.dat	pyinstaller

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
272	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
272	7zFM.exe
2952	Swapper_Update5.6.7.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	272	7zFM.exe
Token: 35	272	7zFM.exe
Token: SeSecurityPrivilege	272	7zFM.exe
Token: SeSecurityPrivilege	272	7zFM.exe
Token: SeSecurityPrivilege	272	7zFM.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
272	7zFM.exe
272	7zFM.exe
272	7zFM.exe
272	7zFM.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 272 wrote to memory of 2436	272	7zFM.exe	31
PID 272 wrote to memory of 2436	272	7zFM.exe	31
PID 272 wrote to memory of 2436	272	7zFM.exe	31
PID 2436 wrote to memory of 2952	2436	Swapper_Update5.6.7.exe	32
PID 2436 wrote to memory of 2952	2436	Swapper_Update5.6.7.exe	32
PID 2436 wrote to memory of 2952	2436	Swapper_Update5.6.7.exe	32
PID 272 wrote to memory of 2704	272	7zFM.exe	33
PID 272 wrote to memory of 2704	272	7zFM.exe	33
PID 272 wrote to memory of 2704	272	7zFM.exe	33
PID 2704 wrote to memory of 3024	2704	Swapper_Update5.6.7.exe	34
PID 2704 wrote to memory of 3024	2704	Swapper_Update5.6.7.exe	34
PID 2704 wrote to memory of 3024	2704	Swapper_Update5.6.7.exe	34
PID 272 wrote to memory of 2968	272	7zFM.exe	35
PID 272 wrote to memory of 2968	272	7zFM.exe	35
PID 272 wrote to memory of 2968	272	7zFM.exe	35
PID 2968 wrote to memory of 2080	2968	Swapper_Update5.6.7.exe	36
PID 2968 wrote to memory of 2080	2968	Swapper_Update5.6.7.exe	36
PID 2968 wrote to memory of 2080	2968	Swapper_Update5.6.7.exe	36

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Galaxy-Fix.6.5.7.rar"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:272
- C:\Users\Admin\AppData\Local\Temp\7zO0112E4F6\Swapper_Update5.6.7.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0112E4F6\Swapper_Update5.6.7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\7zO0112E4F6\Swapper_Update5.6.7.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0112E4F6\Swapper_Update5.6.7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2952
- C:\Users\Admin\AppData\Local\Temp\7zO011141C7\Swapper_Update5.6.7.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO011141C7\Swapper_Update5.6.7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\7zO011141C7\Swapper_Update5.6.7.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO011141C7\Swapper_Update5.6.7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3024
- C:\Users\Admin\AppData\Local\Temp\7zO0116A5C7\Swapper_Update5.6.7.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0116A5C7\Swapper_Update5.6.7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\7zO0116A5C7\Swapper_Update5.6.7.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0116A5C7\Swapper_Update5.6.7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI24362\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\attrs-24.2.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
\Users\Admin\AppData\Local\Temp\7zO0112E4F6\Swapper_Update5.6.7.exe

Filesize
10.8MB

MD5
e68a29790a252b3855e85b176f04b7b9

SHA1
3864d97f5bad08c6b411bb8f83d6c20ff65b2a3d

SHA256
67c229cbd6349f10b31256081462b7a7a2346ff8300b778985f26748c894416d

SHA512
4b35f728260884c9b398b99654296e856aae4fa7f2d2942b9ccb0183763adf8cd629eb659688680e6826cbd9a298399170a7c8efa206d41b9b3d379d94dc2695

Download Submit
memory/2080-178-0x000007FEF5E90000-0x000007FEF6478000-memory.dmp

Filesize
5.9MB

Download
memory/2952-58-0x000007FEF6480000-0x000007FEF6A68000-memory.dmp

Filesize
5.9MB

Download
memory/2952-60-0x000007FEF6480000-0x000007FEF6A68000-memory.dmp

Filesize
5.9MB

Download

Resubmissions

Analysis

Sharing