Resubmissions
02-01-2025 22:04
250102-1y3vlsxmbz 1002-01-2025 17:10
250102-vp68sayqbw 1002-01-2025 16:48
250102-vbc3sa1pdl 10Analysis
-
max time kernel
146s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02-01-2025 16:48
General
-
Target
Mw16 chair.exe
-
Size
38.6MB
-
MD5
29e6c7c04a6b3c941b0822fa2c5fa877
-
SHA1
b3a17c472737c60924ac16350299a64e33782005
-
SHA256
094808c3a439d8e8b8f26b1deb2a8f870ef2807d3af2efe8ef122d7f7defc9ad
-
SHA512
0748c9c072899f284f315bbe5416196919bbb2c82bbe6328931955347b31edd72b0d3e778b3447e090c639cc839472f9f269520fbce0f116d9bff3260bd3484d
-
SSDEEP
786432:BPclT+3fr3DPLFXNricwQhEfILwbTgpfePclT+3fr3L:oT+3fr3DLFdMQhEg8bgBT+3fr3L
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 6 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Detects Pyinstaller 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 39 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Mw16 chair.exe"C:\Users\Admin\AppData\Local\Temp\Mw16 chair.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\main.exe"C:\Users\Admin\AppData\Local\Temp\main.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\main.exe"C:\Users\Admin\AppData\Local\Temp\main.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\Mw1_Aio.exe"C:\Users\Admin\AppData\Local\Temp\Mw1_Aio.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Mw1_Aio.exe" MD5 | find /i /v "md5" | find /i /v "certutil"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Mw1_Aio.exe" MD54⤵
-
-
C:\Windows\system32\find.exefind /i /v "md5"4⤵
-
-
C:\Windows\system32\find.exefind /i /v "certutil"4⤵
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/3o3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:664 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: Session not found. Use latest code. You can only have app opened 1 at a time. && timeout /t 5"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: Session not found. Use latest code. You can only have app opened 1 at a time. && timeout /t 5"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout /t 55⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2840 -s 51763⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
252B
MD59be0681223f5e11ec5cff35182589799
SHA101cee8de9b06f49ee6b501f61f9330b64923b008
SHA256a827a8410570ef1302de5e590dbc6cf7f3e644724f6429604d4aca01a15014f1
SHA512bb11497249537c8888673809d5fce78f42201488a641d4a4ff3a30beb2e0c36e652cd98c9c1b435ffaebba093dbf1fc907a1997e4dd97538d3fa0dfdef7547cb
-
Filesize
342B
MD5d3681d1fa82bc77b2bf988ae219586b9
SHA19ab7b66029e450c18dd26d367069ab95f4681b70
SHA256a16297b9ec90536ae0d7266374ac88ce431f2a4a0ebfe69a2aa2b7ec5bf426bc
SHA51291297f8408e389fd7376617b1adda177301b77bb24b09e590167631afd7c5f0dd1e076e2d388cb7269a9688b76cf2e9718d80c8ed3c8acad268d6f6bc00f1218
-
Filesize
342B
MD5db8181d957ef60055a463e100b29ba64
SHA1d7090cc9af6cb7d9af275477885e12dd7278316a
SHA256ae9742cfa82bb9f3272ad1c0c1c8cbe8a6e859ab26df5c9f9bcd5db76485b147
SHA512d6d9ab3329c84fcd33a42ad130ea690a051705b68f834809365e37bdac6fe436e56bf209e574391f8225a2c6c11c8d4d97d4cb56774de5e4cce4164d6f58e5cf
-
Filesize
342B
MD5a54aa0af1535825a86d5e56f41608e4e
SHA1493cdb8c59fe28eed2f68e310122679280ee5d3d
SHA256cf9948b58ffb1effb5515740c7a3912a64cd344e165a84a6168535b4b1dda05d
SHA5121d7c1c657c64c96e1beda779f2698646bcf2dbc2a3c21b5ed0f19430de08c66c1e5ab63dfdd013cd227c255f786f8150befc6897a89f88e7bfd71f6f43730dff
-
Filesize
342B
MD51f68a2229c90f1d9f3fcfb7a961a90b3
SHA145a9facbae719395fa2f83925824af9bdaaa53f8
SHA256778e8a3c251fd60639a970e955322f1adf63ca2cebf1fbd428b40cd3d5d65d70
SHA5122add0e5023e53c8299713fd715b6d7f4459193e4e098a8f134e8e4b804e26be2a610ac85a13406bd5c0fd91b76a66386c0e3d0ab94c8e63e80c75e1c7406af76
-
Filesize
342B
MD5b72cc3c79abf7195219b8e347fe6b14b
SHA1687876d12fcd17505cdc5fcc6b673101204e85ed
SHA256e9768aa7fb9115d9b0a7ca76284d60a0624f4d728c9e0f42a3d0267ef2bf67ae
SHA512cb30ed12943231b23186ed3351f8ad98aba411bff4cde1fba64ed04a9121141640993650a13dc7b7fb7cdd571443e179b4e6a46accbc0732d135bd23b65cdf7f
-
Filesize
342B
MD5128ef79bc267632e009dfc0178b34971
SHA1384addb092ff3f94e26cd4ee1121e01272ce2f95
SHA25676e0380a75a0693086a13430d952ad07ceb1d882fd1df46126cae0d326c3c647
SHA5124c45007c708d446031d297415220049ce5d268603986dde5ac63286f12a8816a6acb5f586faf624c45b3664f0cb805e977bd4e2711338d6a4a84bb14ce2c63e5
-
Filesize
342B
MD5bcd9e409ca5cf3490c9ef9d7cb533e9c
SHA1eec6b7be14396cae32e64227606b1d5cb3fe1605
SHA25690fd30b12da2c505d536b905bd39ce81313ff0ae8a3d243b44a36aac8dd77df7
SHA51288d243745cb169086834f562d9d0027610aec709cfdbde8fa0ee70681c679446665a80abb44bc6488b74ccb81b37f95d2ce6759cda11e83e51ed89c7262b8561
-
Filesize
342B
MD591a6debd09ec3344dd4876c12613455d
SHA170d250bab12a489a2ec5014a0e4780131871c03a
SHA2560361852e45e931e2978a245957dba9e1be9e5b4dcb4c89fc61d4ab3d3f442672
SHA51277b913a8cf7530d1c839ae2a43a9f2496b69c35c411f9e450d213ddcd66ddd4b872e0a10cca027e30afbf5f309146abfd14671dfbae7d06fb578ca94f01f8184
-
Filesize
342B
MD5ece30f0e30a317f7493ab82568af12f4
SHA15e8f65c316ecc4edf53e6d54953722566607af5e
SHA2567b706c023eb4a9330a4f11bdd473db58be9f462a99e138229c59991adb8c72a2
SHA512e489c08ba912d6a6033fe723d77fcadd4937d431510f1d8151895eb48450a7d3e75e2616c014c00de9573fa2c78062c77360428590f76755ef16f98ea7797e71
-
Filesize
342B
MD503ef7d1d4a38884cf9a3aea4bffc03c8
SHA1b15dcbdb8c4b49917e2a67d9c77fe36468fc2c6b
SHA2567fd315f850895ca6718ef5596bdc2d99f60f6b18da9b9674ab8c149815d67579
SHA51299cb234adf8943431e3f77e64f1e374fe456a7c13839024dc6ed5320bd3c58cec238a6a696e62904dcb8240c5151dba8be2369e506bb1b6f9e7c72b73ec904c0
-
Filesize
342B
MD55e1e14e8877b4ed4517833a59bd497b9
SHA131b45595a50e60c1823ac16c2a32e942d0ad8e56
SHA256764d50c5beab0316312f0f3d9ecc87c80425c1ebb3eb4c9e544cd79defacf78e
SHA512641741cbeba74295327242a6f82ad4a0aafdcc41c356799c261c3b07a15315f092a9a1494a61ed7c9e2357d8641e0cd9688d1e1519c25b62ce3b80c6e7e9cd9a
-
Filesize
342B
MD54a13aee9a82269f7dc2d32d9b73a9fd3
SHA1698a0ba877fce9f6f679155b0cb08c3f36e18eab
SHA256eb9f68f2dc1cdf83cbbc14d2df9a6ca03c5250e17dbc2cc0548498d3766784a9
SHA512535795cd7a3b6e34cce8bef2234b10f74e254f9f99ea9a30ba47aa05462897269665dfd29858764b40881f05aad1c5123f917f7de445a9315798a0c8440a7495
-
Filesize
342B
MD5148af3fb9b0e717f79737b76a0850c00
SHA190149bb30f7f277303038bc6dca7196e7a153a1e
SHA25690f1b1993ec5c2684caa2c2b25d678a0132c199c751d07fe8603bdde26cf7c60
SHA512f44711253dacd7919b2e0f65934fe8093e800bd0ed14fd0ebe4bc3d969bafdd77a3ffc813a240f32474c89adb236491b18b78dfc255b44a81009341d56e6a891
-
Filesize
342B
MD5165b18528b834e6decddfafe2186d093
SHA12c084838b47385d2fec98da880b38bc343b2c48e
SHA25601a8305ee949db55de4c64c33aee646bd7a981b2d4ea6d5e6d79cb763b5a90a3
SHA512e85e9951d0b550b083b72e0653fa1a016af24c4d95a9cbe15dfae3150645eda8343318a89b983a2aee221cffe5b2e255348c102b507e71f00b8c614cdd4e4ffe
-
Filesize
342B
MD5fd4690cf2a66933c5c73d1b254365322
SHA11b9135d31667d3e9d9316c4b44a0b2a7302c0c4a
SHA25652e6c19a9937fb011a203c28fffbad3eccd021003b307d927f966fd4b49ef82e
SHA512f8bbe0baedf101b7d28ce94df2e8ef6fcc92e28bfe19cbbafbc29e9945404271fa25e45f0121d09d53de85fa147f0a9a1b3745066df0b561598bb543cb3b5054
-
Filesize
342B
MD52f15ed0feb00a12afa81563e274c5451
SHA153efd0096f697dca69c5edb18cb977bc284081e6
SHA25667475088512ed74f03bee1d273cf761963d35d6ddb38e3d51b787910a107d8f7
SHA51228782c1a3d72f2db6402d7eb537258ed565814b870f8c39b769d5a90102fdb895cd752492c52f4fb9d339663bdb54922869651ad319438dd1db1754a65299dbd
-
Filesize
342B
MD59a63a1728e7176ce7cb5f66a54e2168c
SHA17219631a5a86d5c6bae9f20536a6aa89489dce3d
SHA256f63b49b1e90232706933d151733509d6780cfacf738fd060e78545c248d1d541
SHA512f23773e47ddc18caec7bd87748416548012b1f1f0528c08b24d1b373dee2eba00ee6aa2bec507b3678ad4023535a8df899d8cb58e268d4afb4e3eec7b7d99c9c
-
Filesize
342B
MD53a3d9e6cf8be297676e61c420e5efd9c
SHA1429fc37fb78bd3bfaf81d6a523e2b3563d6980c6
SHA2566cea901553b862ddec24b23111389a455962504ab701fb8e0b14e1be2d518099
SHA5124fb48e0259a6d2328a8b6eaff62f52f295a434e54bc3bbad5f3cd8073c3e44fe1915b36003d0707108d5caf0d653b51dde2881fbdb5973c4d64b07f04f04e7f8
-
Filesize
242B
MD55e9d27cd6cce6d69d087edbecb0bbed5
SHA18ae191076513fcff47ac426bf3042b909b9170f7
SHA256f7c1d77359f1dc46021bc08818e23c4cd29477473026f699d89f3d44ad70fcf2
SHA512d4c3a5307c5676e73d915e03650f38c25ef1494e5d6e5b10158af11e39deb4fbf1f195aec1c1db6c961ead2c31a6ada0869250e83313e048ca3ab3ed482c5b62
-
Filesize
24KB
MD5bcfa24d2257cfd106f6d1b56c89ea406
SHA12dcc073d9f1c7947b76d295cc6c6c599423d6ba2
SHA256126829c0ada24c85e441db1b13dce864813b6e0061b2fc524f326f7a6d9e0ad8
SHA512281a02d0c1d372ce3c3ef79f04a4b95a71f141d46842e262525a83348ff2e4e6052c566db912f4f49af0ba1ef845d0b8d7d8e2fcc1362616d0d2afa900ded0a3
-
Filesize
23KB
MD5ec2c34cadd4b5f4594415127380a85e6
SHA1e7e129270da0153510ef04a148d08702b980b679
SHA256128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7
SHA512c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
4B
MD5365c9bfeb7d89244f2ce01c1de44cb85
SHA1d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1
-
Filesize
8.6MB
MD5d82ce36e62e78b8a64e811e1084304d0
SHA14e0c9c7f4ded48e3fd0b5ba44618a750f3ebe80d
SHA25646829b70a0cec6691c91a4863a73540afb22195e60f80116f18e25e97fdaa569
SHA5120bd7dea809be5250d5380d8d84bc45041c63b055c3e4ec5c35452c41966d18c97ed353e0b260d140260e84bacf86118fe91a703878a70da6fafc7a50b5e8b258
-
Filesize
1.4MB
MD569d4f13fbaeee9b551c2d9a4a94d4458
SHA169540d8dfc0ee299a7ff6585018c7db0662aa629
SHA256801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046
SHA5128e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378
-
Filesize
20.8MB
MD56915d905325f953bc6cd69b7c6d6144b
SHA16073bee0ea580254a1d42c33948408c6ba6e4524
SHA256540c41acad1939ed9e618f58945d71bb71445397835fbaa633e11aaed7fc520f
SHA512b220f4cdd356781556c6e27ae9f74f6a275224849c447e23019cfad5b64d087a3f0aa6f1d44f90187f7cb7c912551f84c4ef5d2186a5258475b9168ca5ca699c
-
Filesize
4.4MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.6MB