Analysis

  • max time kernel
    842s
  • max time network
    844s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 15:09

General

  • Target

    42c15f08acda9e26c6745c3d12418280c49a3524846a547e3125a665cb4e5d2b.exe

  • Size

    30.0MB

  • MD5

    349e15ac0a603a0198659ad8573e033f

  • SHA1

    91c49904770bf51c2d9aa9b22f8edde391e5493f

  • SHA256

    42c15f08acda9e26c6745c3d12418280c49a3524846a547e3125a665cb4e5d2b

  • SHA512

    9ee0c8f6eecf70b89cdb42c1c78c4a4fc371daa46c66a18f26d97b999afc3bf1dc2c2e1358fb5817a2ada3281afa697fb0253dfa80ffd64445b22941aabc0a92

  • SSDEEP

    786432:ZUEGU80F8WWxUdUd1LRphkcNAFphEstWGlso5EYWviu:UU80F8WWxUUddReFphEwZd5Ediu

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 48 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42c15f08acda9e26c6745c3d12418280c49a3524846a547e3125a665cb4e5d2b.exe
    "C:\Users\Admin\AppData\Local\Temp\42c15f08acda9e26c6745c3d12418280c49a3524846a547e3125a665cb4e5d2b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Users\Admin\AppData\Local\Temp\42c15f08acda9e26c6745c3d12418280c49a3524846a547e3125a665cb4e5d2b.exe
      "C:\Users\Admin\AppData\Local\Temp\42c15f08acda9e26c6745c3d12418280c49a3524846a547e3125a665cb4e5d2b.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2280
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im explorer.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2788

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\Cryptodome\Cipher\_raw_ecb.pyd

    Filesize

    15KB

    MD5

    c1ddb7b7f3dbaef782f3ee5711931de6

    SHA1

    d29124ff932c897bc7c3194a79e041ad27c689e4

    SHA256

    74228811d3819961f71884ed260b307c14b02c6b02ac92a2c071d97b47563ba6

    SHA512

    cec734d0e3c980ee311c6c389c7e3e50ffe9b89da5d6877f5923d5292d554110eed8db5a4fcd0917e3e383e95babc63774aea6a1600f282393be0a1ca0a8b407

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\Cryptodome\Cipher\_raw_ofb.pyd

    Filesize

    17KB

    MD5

    5ef7a903d2291c2391aa83f2b2533ea3

    SHA1

    5135be3e9aaaceb97b76a778261f6714c5ebf23d

    SHA256

    d51b4ed18db979d97f11a6e85c2ec0ef65bac27934290b42415418135faca86d

    SHA512

    704eab366a07e5d0408ae247bf99f860d947917c7dcd5de7be764f2d9bc7550ac585d9040fd8f6f5945c142b8e38b05be53bb8193c1c74b5306ab70f29f27bd4

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\Cryptodome\Hash\_BLAKE2s.pyd

    Filesize

    18KB

    MD5

    fd241ead786a879b4af8d3faca842455

    SHA1

    e6a169335fd9f34a30703098c3e84b2d916cc95e

    SHA256

    7c4eac4e01091535766a082fb180de7f77df08d03b355083ec95ee93a34cb695

    SHA512

    203ff0a9ea35282a3d2371db2e20a8796d3a01f37ed8b059d263214794dfc8d597e0bbec93c8d8aa4ca5b8509cf30f1461f1569742d503dbc6db41c1770b5592

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\Cryptodome\Hash\_MD5.pyd

    Filesize

    19KB

    MD5

    5b1e25cdfcb63debb456bd59dc76c7b3

    SHA1

    efb6409d54794f8ee9fa06a39d3b89a13533bdbf

    SHA256

    bd8aa7946200537e2a46b218e66a35ff3554b7b2653da50d8e6c38c4c2f8b80e

    SHA512

    5f8440f6600ed6b3a37a8f78c658aa34df8b4b8c9bb4a5ad447087159143301c26bb7ce4c1a0d405d5a102bffbdf37090c061d619034430373d979bd0e271697

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\Cryptodome\Hash\_SHA1.pyd

    Filesize

    22KB

    MD5

    5e8702748b97a46db48c3dda2a4065d4

    SHA1

    cca78c5a6d148a8eab213577a3f9bf28d93be9d8

    SHA256

    5fca2988f685181ae23ffc3734b57e105b659d50c9e7c481d41b05207b3e5677

    SHA512

    5b2dc6a60f28e35773dfee2310c2baf015e847205b89589759e994fa279243c0ec77bca61600ef49a8f47085b13465fe2396ca61f8386f4dd047b4ac094ba004

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\Cryptodome\Hash\_ghash_portable.pyd

    Filesize

    17KB

    MD5

    d23cfae93483748e1438efae158877c8

    SHA1

    78ea655409ed7af53c8b4912f9fbfc5257b93e48

    SHA256

    c25ce41452ffac72065505a6a3af09eab538488d780d8b5530a96e60228e36c7

    SHA512

    29f87624eb70964533cfbd20bc085c1a50adc0e6903056a1fb429724e6de6d5ff2172c41b6c44cc268c69a75c7529f36db5a63c28742d864966b0ea39da07bf8

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\Cryptodome\Util\_cpuid_c.pyd

    Filesize

    15KB

    MD5

    a07b66efcf5c94a18238455b94f71a31

    SHA1

    3e1afa175007734e8f4305cecaf73001775ab35b

    SHA256

    03acd6e5bd41ea79a544846f2b986f2fbca89ffa2a32fe2ba9a7637e74982487

    SHA512

    80216851d7b5151206d51029aa21b572c222f4532f8b49b7f755bd94d1419f0d2041f5b11ce9e31a329c885e5ce6a661f06294946123a90eea0173917020076b

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\Cryptodome\Util\_strxor.pyd

    Filesize

    15KB

    MD5

    ef446a532424a64cab28f96ea88b5053

    SHA1

    8474b8c617f891c521e1df8c8daae9983af406db

    SHA256

    da1a10f2c1b86f4ab7814ccdfc1778d216654dbd1e945919bfb77049c724c04c

    SHA512

    12eb32e9089b7644ede93b93c5382e919f93bbe5f04688995ade6e16971390ea78991302df20d6ae6dfe9dab9ce99cbbf8bda86144c92bb902587455bae4f016

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\MSVCP140.dll

    Filesize

    426KB

    MD5

    0a0042fe544c91cd57bc2f7ef40bb974

    SHA1

    8bf31f44ba3e47b8b186c3d8cc219a4d2f67da63

    SHA256

    4190f0a1306257ced4975448794e1d42be312e334ffccfb4910a4a39cde9df57

    SHA512

    c4c56c06cd40213ebdcead6a256510b44beefc3a18d7f84efebcd05bac7bb1b942f97b7f7798420ca8ff0c1592f32301d751554fb63125b4703feadfced2f6be

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\MSVCP140_1.dll

    Filesize

    28KB

    MD5

    7f71f19f30be3942ee0efddc145d459e

    SHA1

    863048cf8a9692bf43317326c5aa918389546282

    SHA256

    b8cafc52b903ed0824882365b0a0d438460260b4ddf2487849eb3bd2241f7e8d

    SHA512

    4fdfbc7524445eb443e189f64d9732c5c28ace689c9556b67c8f3647ba7f18b02521deeae4fb8138f5f550ee34efdb2ab2b6ffea3a43d184a26bdfce700b2dd5

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\PyQt5\QtGui.pyd

    Filesize

    1.9MB

    MD5

    18d04794162f1a74d0ecc976e2a83401

    SHA1

    80e218d09340cd6e184b61af58f2b653befb3d4c

    SHA256

    cec60d4882a55057fcf4f50d03c27932363348f511dac2d80c5fb4db1ea16198

    SHA512

    c2822914bd13d53fbe97d991e92f99377e5e1172465b3f95a4cf968d3a4e3009bf7f3c348d65d4ea227a53aeff8525ea35c5fce919566a8ef6fa842cb428e500

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\PyQt5\QtWidgets.pyd

    Filesize

    3.7MB

    MD5

    830dcf2394bd0422395bacd7713e3590

    SHA1

    fa723c1fd742fe8b3b4d8d7476abe3c977f76438

    SHA256

    110d29dffdb5ce78a750da40f6c29a39f2cbccbd979c7ef2ae49ff876e1ed396

    SHA512

    09406e6dc5aa9db243ed137dbca13c7df432b36353425bfc37b8e01bb86d1dedd5a76176826bed909852d5d3d1f077590e28e775b0ad336db7a3ad871a4b8f3c

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\PyQt5\sip.cp38-win32.pyd

    Filesize

    101KB

    MD5

    4952b091603b9325e4f4bbdfb4ca2fd1

    SHA1

    a74a50b124c1e913cdd9868d65a46701faed2397

    SHA256

    73c7c27b42273e2c5e8f18ca65f7a212aeac3ed4afd631eb11e231cedfe58b74

    SHA512

    cbee59fbdfe9db26b1e40d31ac4f8ca7e276bf61d926ad4829520e6b63c43e7ad28c9f9742274d829231fbc11f1eff5ae900393da39dd204333adb19dc38630f

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\Qt5Core.dll

    Filesize

    5.1MB

    MD5

    7d180286e9c071c7bc3a6bc2ace792ac

    SHA1

    f5947d69aeaacc8a378721f3750b049cc41dddef

    SHA256

    4f8dc460162407cfccb1be6ef9cce45c4449de838aeffa3fd33378f01a3f9cc4

    SHA512

    9b30d5dd48e736da770e71622b79da294829621565cfc4d995ca31c8cfbbbe2d577677f4240e0ff2d995deeeb5f894018412596c141e8360dd77bf12596ce167

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\Qt5Gui.dll

    Filesize

    5.6MB

    MD5

    5b0f3d5b1b29b5e650375093c7afa243

    SHA1

    1920cbc98bd46a3a72bcfb45caefcfa2649a92e6

    SHA256

    80016776efea2b2a838c3ffa4c82e5f146baff68c36073c0c34668809d1c4297

    SHA512

    9db9a90ab5a1a768e079cf9b10f1da868ac7dae774e90e139ee047c9c8fb43cc5b3e01ae3724ea74efd64409eeeafbcda4f04da3e86265575a3831a4fc69cc8c

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\Qt5Widgets.dll

    Filesize

    4.3MB

    MD5

    da70580648a398ab1c5336ee9ec631ca

    SHA1

    fa67a8a2d7f7930a45974dcb7a12e56914bf0a57

    SHA256

    600285754e7eee7239b9d252dbed5c9d2c9c4c432751b8953dcb2e8b45e0408a

    SHA512

    83d85df1717a5b1dd5b31f5ab33e73d1442027a719af7fdcd20d578598f436d63e7cf58287cbe34dbee8d5b0464a68dfd471d8ec6a95a3168eb8639864a7adfc

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\VCRUNTIME140.dll

    Filesize

    74KB

    MD5

    5f9d90d666620944943b0d6d1cca1945

    SHA1

    08ead2b72a4701349430d18d4a06d9343f777fa6

    SHA256

    9ec4afad505e0a3dad760fa5b59c66606ae54dd043c16914cf56d7006e46d375

    SHA512

    be7a2c9dae85e425a280af552dbd7efd84373f780fa8472bab9a5ff29376c3a82d9dfa1fef32c6cf7f45ba6e389de90e090cb579eebff12dcfe12e6f3e7764d1

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\_bz2.pyd

    Filesize

    77KB

    MD5

    18cd8755e6d4559840d07467df26af34

    SHA1

    a88ac5c278242308e44a96c01d45663b0b930395

    SHA256

    82a85187faf8786216c82ac1c4ccf32c8839048e242025ed4e7a1e3ab870255f

    SHA512

    8d5b4afdc836145443ce2502b52ef350d7f6017aba609d40ec1aafd2cbccb515debc0b04aa6001c690e537f33ca45151134586c32845924aa5afccccc35a82ba

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\_ctypes.pyd

    Filesize

    114KB

    MD5

    76816a27c925f301f9776ffd76e6f6d4

    SHA1

    f9d3992c2ec5998436c24b8ef1dbd50072b7b89d

    SHA256

    3a94a3525b0531524aabc7f8fc9f1253894cd612a9823d9cdd5070ab81b9d329

    SHA512

    f79fb8513a786c59f1b6dabbe9cfddb930b7def19316451cf75efa5aa5fe0d46f6ee04870c7dcc2d64818c34f7abe5662a8ad8c3ee4490b02c7182051deed3c8

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\_socket.pyd

    Filesize

    68KB

    MD5

    e7ad342af27ef2b62c6fba44a2456fba

    SHA1

    192bc00a74319fc30bd75c4448a126ccef7f110d

    SHA256

    48f1f1842e6845a197c9be50027bb2a67a868e743bfa81b8d8753c24cdc08b7b

    SHA512

    673df6fd4a36f66cbefd05718de0f49ad8299662c3978ad6e05ceaa7437aca6a745573819f267ddb109b1eca7fe366aac8f4e89e53bdee28582836900767dab6

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\base_library.zip

    Filesize

    760KB

    MD5

    e1315e6d33e2300bc1d691ed76bc6bf1

    SHA1

    401075f435707c77904be8915a8c83a422cfe0ee

    SHA256

    52bd4ea66e4ece6bf404c3617d0c9723966adb9206c507fda8a2850d3c194ad0

    SHA512

    a1f7172dfa320976da468f9dab24678ae471904ed390b9721f16e7a86db7a11be7664013ef1125fe9f9c35501eb70c758fb9c20babcaf712af0ba9f5b3293e2c

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\libffi-7.dll

    Filesize

    28KB

    MD5

    bc20614744ebf4c2b8acd28d1fe54174

    SHA1

    665c0acc404e13a69800fae94efd69a41bdda901

    SHA256

    0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

    SHA512

    0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\python3.DLL

    Filesize

    58KB

    MD5

    68bb9599ca71d84de782c2799112b274

    SHA1

    c751c6892b0cb4f9e87bc877ec01f97ef5bca4f2

    SHA256

    eac07e177308b8d77e23ef0f510a56b8fb9a56cda876118f9eab1a8e1d9bb399

    SHA512

    fa904cd9f1c70439b224960e4f4a1e31f0646b45af6ed6ed685af9def511ccfaa7fbe1071e68c2159bd184f90a0aafda50458a4358165a1a50f4ae24616fe9cf

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\python38.dll

    Filesize

    3.9MB

    MD5

    9f8e0de6e7d4b165b4a49600daacc3b1

    SHA1

    8cf37d69fdaf65c49f7f5e048c0085b207f7287b

    SHA256

    a9675a91d767095c9d4a2ae1df6e17bdb59102dbd2b4504c3493b0bcbed5ef55

    SHA512

    3201b7adf94d3f4510e0b39b4766d1314da66662819fd6de5f5f71956750bb4fdf4228b6e1ad9d4d3bc1fdeb99b7414ed2eff0374aaa3216b67eeedfb8673b48

  • C:\Users\Admin\AppData\Local\Temp\_MEI19562\select.pyd

    Filesize

    24KB

    MD5

    25ae837bec095038db628878c3b12c6a

    SHA1

    9c77211ed81e51c72e849a3e5d04027cd2ddb9da

    SHA256

    6d5a3630570035555cea342c3a8e2922ca23451113cb178cd7fee07e59da123c

    SHA512

    c70ff24bdbfdd995da62d8512b4f703371ee000197f58aa723afc9b050a9329cebc81a5ce86481154fcbc6f31a6831c725d83ce9ce9f551dbbc8756d1f42b417

  • \Users\Admin\AppData\Local\Temp\_MEI19562\Cryptodome\Cipher\_Salsa20.pyd

    Filesize

    17KB

    MD5

    d36f144467e425fdaccc93c8ae289798

    SHA1

    65f020a081088ee44336c81434365d24fadc27da

    SHA256

    45d01f12e6ae3b0e82a1513fefc209eb08d0ed08b40071d6213d63d711268cc4

    SHA512

    47e07088546a6e54ce4fd8085db9c71f6e60a071ae7a88bf27170658f6dfb7aed0b79a138c48ff827eee196ab8af6e043f43651baeb05d66f26da0fbc1ca3eb8

  • \Users\Admin\AppData\Local\Temp\_MEI19562\Cryptodome\Cipher\_raw_cbc.pyd

    Filesize

    17KB

    MD5

    ad3d6c58b71b3933f41233bb2122d928

    SHA1

    aff7b564a584bba84ed0a31c9a501315d25f4e85

    SHA256

    f4f0db75d4b71b09c41e48019c3f2e4a45cef80d3b8313843c34ada71afa3c2e

    SHA512

    7dfb0222a2772e35b88ecd7d7d9e3b553cb4f4c66947a4991f8f8906cd3ff919c33e54c2dd74186bd9d8ff4c92190c5bd40433a06efcd5e416ff7932726c7b93

  • \Users\Admin\AppData\Local\Temp\_MEI19562\Cryptodome\Cipher\_raw_cfb.pyd

    Filesize

    18KB

    MD5

    61d29bf1bd5ca3835f8dd5afda807ce8

    SHA1

    d71831a3f3cd95f96993ff30bdef16695bec939f

    SHA256

    e2dfa804ed0325780c517a75dbad470ca6b47f21d4061b062924e62a9a2bfa4b

    SHA512

    907d3199f0a238212cd559131c8df24a13d2480c960041a4d1cbea7611f7ec7400fa392a4464901c5ae09d650f487a31a2dbcf0631bbc9a5ed7bd2fdef43c9ec

  • \Users\Admin\AppData\Local\Temp\_MEI19562\Cryptodome\Cipher\_raw_ctr.pyd

    Filesize

    19KB

    MD5

    47255a26fd4f4dd153b7c5c3b26e0e72

    SHA1

    419480bfcd19653d4a946e51b0c5625998bfc899

    SHA256

    583199d12aaa22cd8e8443f809efd80f8a4cdb025cd71eeabaea41d18093daee

    SHA512

    87dc904b104848870852a63217bdf0a5ca80c05771149bb96a05554bd2cf637d4586acfddccc0544640dd982bed4ca5d12f84301286561ffb7937bf344a8aea6

  • \Users\Admin\AppData\Local\Temp\_MEI19562\Cryptodome\Hash\_SHA256.pyd

    Filesize

    25KB

    MD5

    e71489c94597f98504e5c6cacf095c46

    SHA1

    eae82e8daf0e019e4c1d334c49c4cab60c36cc27

    SHA256

    8ead9c7d503e5825cae1536a3528c25f98a1449846ee0714c1d7d89fdea05506

    SHA512

    f8552c453642b6cc8587be20002631a0360b9ec27a79999e01d58d614f93e38844f6bab02ec52762107890c1c15ac1e881190734864e9397f8a783e932a00baa

  • \Users\Admin\AppData\Local\Temp\_MEI19562\Cryptodome\Protocol\_scrypt.pyd

    Filesize

    17KB

    MD5

    0e2a03d9efa6a4222077425d0723b96a

    SHA1

    2648692761371af41539fb292b69549bb16856af

    SHA256

    4f224c648b1639b5e08acc8ef86dfcde26517c6cce1cd95f1107f83a3738dec9

    SHA512

    3ff7abe4f6a4907e7e89414817f4f055929eec541aaaec1ead749fbaff4d4c22298d84127aafcf060ff411fe833bda5aa816c5d364d213713d382d37d55f1519

  • \Users\Admin\AppData\Local\Temp\_MEI19562\PyQt5\QtCore.pyd

    Filesize

    1.8MB

    MD5

    b73acca94a2141dc10a1715cbdae271c

    SHA1

    d43f3251670d627704c70c49be10697ba6582f6d

    SHA256

    dbd2ff2fc6e6f4e3a2424d4de34c2552b33f4a4d33487cbe0acd0e0960627688

    SHA512

    cdd9c3ab660d25aabd67247a58f63cd84aa72798afa32fa072d0b984276d708eddf082bedce2ffdb9424d19cd3753f1bf1619dcaf7fdf04a09a6c8d0536bd6cf

  • \Users\Admin\AppData\Local\Temp\_MEI19562\_lzma.pyd

    Filesize

    155KB

    MD5

    b23d17b4b3b15dab84e384b8dd1d8fc6

    SHA1

    72fcf3b4cd61b0a8cb282760c9fd466dbb12565b

    SHA256

    d3350ad957d6c37b2c75f56a5a149f0eeb58295227f78c15048669a2e816ae3a

    SHA512

    e14a1a3b59da76204325c3edd890ca865262b7fab12fb0fa9754f7a425a64b094b8da75236f0a665d1624229bbeced8b661c452af5798006609a5a4f7f08abb7

  • memory/2484-214-0x0000000002B20000-0x0000000002B30000-memory.dmp

    Filesize

    64KB

  • memory/2484-216-0x0000000002E20000-0x0000000002E2A000-memory.dmp

    Filesize

    40KB

  • memory/2484-215-0x0000000002E20000-0x0000000002E2A000-memory.dmp

    Filesize

    40KB

  • memory/2484-217-0x0000000002E20000-0x0000000002E2A000-memory.dmp

    Filesize

    40KB