Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 01:13
Behavioral task behavioral1
  Sample: Romper V5/Romper V5.exe
  Resource: win7-20240221-en
Behavioral task behavioral2
  Sample: Romper V5/Romper V5.exe
  Resource: win10v2004-20240611-en
Behavioral task behavioral3
  Sample: Romper V5/Romper V5/Romper V5.exe
  Resource: win7-20240221-en
Behavioral task behavioral4
  Sample: Romper V5/Romper V5/Romper V5.exe
  Resource: win10v2004-20240508-en
General
Target: Romper V5/Romper V5.exe
Size: 30.1MB
MD5: 20ccae603d435aab174b7b7e46ac7189
SHA1: c4c34d0a46c2f9532596f6dcb6fb86cc44046ab7
SHA256: cf675be72d39b1ee645b19bdbebbc615d6787d3f1c0e7ca9e2ef7c4396a7764b
SHA512: 69658a3e15a9885691098976b89e8e2dd2936cbc78f0f0d58400dbf98fa14c4e170f9180b1ab130cc796b3a4b4245879e8406860770e03f3223a01d25532beb9
SSDEEP: 786432:GW+e569MZLW+e569MuW+e569MgjW+e5i9M:GW+enhW+enuW+engjW+ev
Malware Config
Signatures
-
Executes dropped EXE 8 IoCs
Processes:
  pid   process
  1840  COOKD.EXE
  2260  CREAL.EXE
  1276  DISCORD.EXE
  2816  CREAL.EXE
  2764  DISCORD.EXE
  2520  PYTHON.EXE
  1416  PYTHON.EXE
  1184  COOKD.EXE
-
Loads dropped DLL 12 IoCs
Processes:
  pid   process
  2164  Romper V5.exe
  2164  Romper V5.exe
  2164  Romper V5.exe
  2260  CREAL.EXE
  2164  Romper V5.exe
  1276  DISCORD.EXE
  2520  PYTHON.EXE
  2816  CREAL.EXE
  2764  DISCORD.EXE
  1416  PYTHON.EXE
  1840  COOKD.EXE
  1184  COOKD.EXE
-
Detects Pyinstaller 4 IoCs
Processes:
  resource                                        yara_rule
  \Users\Admin\AppData\Local\Temp\COOKD.EXE       pyinstaller
  C:\Users\Admin\AppData\Local\Temp\CREAL.EXE     pyinstaller
  C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE   pyinstaller
  \Users\Admin\AppData\Local\Temp\PYTHON.EXE      pyinstaller
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
  pid   process         target pid  target process   events
  2164  Romper V5.exe   1840        COOKD.EXE        4
  2164  Romper V5.exe   2260        CREAL.EXE        4
  2164  Romper V5.exe   1276        DISCORD.EXE      4
  2260  CREAL.EXE       2816        CREAL.EXE        3
  1276  DISCORD.EXE     2764        DISCORD.EXE      3
  2164  Romper V5.exe   2520        PYTHON.EXE       4
  2520  PYTHON.EXE      1416        PYTHON.EXE       3
  1840  COOKD.EXE       1184        COOKD.EXE        3
  (each event: "PID <pid> wrote to memory of <target pid>"; 28 events in total)
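The four pyinstaller YARA hits above, together with the python312.dll dropped under \Temp\_MEI22602 (see Downloads), mark the dropped executables as PyInstaller onefile bundles built against Python 3.12. Such a bundle is a bootloader PE with a CArchive appended: data blobs, then a table of contents, then an 88-byte cookie that starts with the MEI magic and records the archive length, TOC offset, TOC length, Python version and Python DLL name. Knowing the layout is what turns "pyinstaller" from a packer label into the entry-point script you can read. The following is an added example, not code from the report or from PyInstaller: it constructs an overlay in that layout and parses it back, listing the TOC and extracting the 's' (entry script) member. The cookie and TOC struct formats are PyInstaller's; every file name and payload in the sample is made up for the demonstration.

```python
import struct
import zlib

# PyInstaller CArchive layout (format strings as used by PyInstaller's CArchiveReader / pyinstxtractor)
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"   # magic, package length, TOC offset, TOC length, python version, python lib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes, PyInstaller >= 2.1
TOC_FMT = "!iIIIBc"         # entry length, data offset, compressed size, uncompressed size, compressed flag, type code
TOC_HDR = struct.calcsize(TOC_FMT)          # 18 bytes, followed by the NUL-padded entry name


def build_onefile_overlay(entries, pyver=312, pylib=b"python312.dll"):
    """Construct a CArchive overlay ([data blobs][TOC][cookie]) in PyInstaller's layout.
    entries: iterable of (name, type code byte, payload, compress). Constructed test data only."""
    data, toc = bytearray(), bytearray()
    for name, typ, payload, compress in entries:
        blob = zlib.compress(payload) if compress else payload
        name_b = name.encode()
        entry_len = (TOC_HDR + len(name_b) + 1 + 15) // 16 * 16   # NUL-terminated, padded to 16 bytes
        toc += struct.pack(TOC_FMT, entry_len, len(data), len(blob), len(payload), int(compress), typ)
        toc += name_b.ljust(entry_len - TOC_HDR, b"\x00")
        data += blob
    pkg_len = len(data) + len(toc) + COOKIE_SIZE   # the cookie's length field covers data + TOC + cookie
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc), pyver, pylib)
    return bytes(data + toc + cookie)


def parse_onefile(blob):
    """Locate the trailing cookie and return archive metadata and TOC, or None if this is not a PyInstaller bundle."""
    idx = blob.rfind(MAGIC)   # search from the end: the bootloader code itself can contain the magic bytes
    if idx < 0 or idx + COOKIE_SIZE > len(blob):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(COOKIE_FMT, blob[idx:idx + COOKIE_SIZE])
    base = idx + COOKIE_SIZE - pkg_len          # start of the archive; everything before it is the PE bootloader
    toc = blob[base + toc_off:base + toc_off + toc_len]
    entries, off = [], 0
    while off + TOC_HDR <= len(toc):
        entry_len, pos, csize, usize, flag, typ = struct.unpack(TOC_FMT, toc[off:off + TOC_HDR])
        if entry_len < TOC_HDR:
            break   # corrupt TOC; stop rather than loop forever
        name = toc[off + TOC_HDR:off + entry_len].rstrip(b"\x00").decode(errors="replace")
        entries.append({"name": name, "type": typ.decode(), "offset": base + pos,
                        "csize": csize, "usize": usize, "compressed": bool(flag)})
        off += entry_len
    return {"python_version": pyver, "python_lib": pylib.rstrip(b"\x00").decode(),
            "archive_start": base, "entries": entries}


def entry_scripts(info):
    """Names of the 's' entries: the bundled entry-point scripts, the first thing to pull out of a dropped EXE."""
    return [e["name"] for e in info["entries"] if e["type"] == "s"]


def extract_entry(blob, info, name):
    """Return the (decompressed) bytes of one TOC entry."""
    for e in info["entries"]:
        if e["name"] == name:
            raw = blob[e["offset"]:e["offset"] + e["csize"]]
            return zlib.decompress(raw) if e["compressed"] else raw
    raise KeyError(name)


# Constructed sample: a stand-in bootloader (not a real PE) with an overlay holding a runtime option,
# a binary, an entry script and a PYZ. Names and payloads are made up for the example.
SCRIPT = b"import os\nprint('constructed stand-in for the bundled entry script')\n"


def demo_blob():
    bootloader = b"MZ" + b"\x90" * 256
    overlay = build_onefile_overlay([
        ("pyi-windows-manifest-filename stub.exe.manifest", b"o", b"", False),  # runtime options are stored raw
        ("python312.dll", b"b", b"\x00" * 64, True),
        ("main", b"s", SCRIPT, True),
        ("PYZ-00.pyz", b"z", b"PYZ\x00" + b"\x00" * 32, True),
    ])
    return bootloader + overlay


if __name__ == "__main__":
    sample = demo_blob()
    meta = parse_onefile(sample)
    print("python %d.%d via %s" % (meta["python_version"] // 100, meta["python_version"] % 100, meta["python_lib"]))
    for e in meta["entries"]:
        print("%-4s %-50s %8d bytes" % (e["type"], e["name"], e["usize"]))
    print(extract_entry(sample, meta, entry_scripts(meta)[0]).decode())
```

On a real dropped EXE, read the file into `blob` and call `parse_onefile` directly; the 's' entries come out as plain Python source, the 'z' PYZ member is a further nested archive of marshalled code objects that needs the matching CPython version (3.12 here, per python312.dll) to decompile. Searching for the magic from the end of the file matters: the bootloader can carry the same byte string, and Authenticode data may follow the cookie.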
Processes
(tree depth shown as 1/2/3; each entry is the image path, which here equals the command line)
1  "C:\Users\Admin\AppData\Local\Temp\Romper V5\Romper V5.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2  "C:\Users\Admin\AppData\Local\Temp\COOKD.EXE"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3  "C:\Users\Admin\AppData\Local\Temp\COOKD.EXE"
         - Executes dropped EXE
         - Loads dropped DLL
   2  "C:\Users\Admin\AppData\Local\Temp\CREAL.EXE"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3  "C:\Users\Admin\AppData\Local\Temp\CREAL.EXE"
         - Executes dropped EXE
         - Loads dropped DLL
   2  "C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3  "C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE"
         - Executes dropped EXE
         - Loads dropped DLL
   2  "C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3  "C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE"
         - Executes dropped EXE
         - Loads dropped DLL
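The tree has the shape a PyInstaller onefile dropper leaves behind: one parent writes four executables to %TEMP% and launches them, and each of those launches a second copy of itself (the onefile bootloader extracts the bundle, then runs a child against the extracted python312.dll). The WriteProcessMemory table pairs each parent with the child it launched, which gives the parent/child PIDs. The following is an added example, not part of the report: a process-tree check over (pid, ppid, image) records constructed from this report's PIDs and image paths. The parent of Romper V5.exe is not shown in the report; explorer.exe as PID 1000 is an assumption made for the sample data.

```python
import re
from collections import defaultdict

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# (pid, ppid, image) records constructed from this report's process tree and WriteProcessMemory table.
# The report does not show what launched Romper V5.exe; explorer.exe as PID 1000 is an assumption.
EVENTS = [
    (1000, 4,    r"C:\Windows\explorer.exe"),
    (2164, 1000, r"C:\Users\Admin\AppData\Local\Temp\Romper V5\Romper V5.exe"),
    (1840, 2164, r"C:\Users\Admin\AppData\Local\Temp\COOKD.EXE"),
    (2260, 2164, r"C:\Users\Admin\AppData\Local\Temp\CREAL.EXE"),
    (1276, 2164, r"C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE"),
    (2520, 2164, r"C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE"),
    (1184, 1840, r"C:\Users\Admin\AppData\Local\Temp\COOKD.EXE"),
    (2816, 2260, r"C:\Users\Admin\AppData\Local\Temp\CREAL.EXE"),
    (2764, 1276, r"C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE"),
    (1416, 2520, r"C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE"),
]


def onefile_respawns(events):
    """(parent pid, child pid, image) where a %TEMP% executable launched a second copy of itself,
    the shape a PyInstaller onefile bootloader produces (parent extracts, child runs the Python payload)."""
    by_pid = {pid: (ppid, image) for pid, ppid, image in events}
    hits = []
    for pid, (ppid, image) in by_pid.items():
        parent = by_pid.get(ppid)
        if parent and parent[1].lower() == image.lower() and TEMP_RE.search(image):
            hits.append((ppid, pid, image))
    return sorted(hits)


def temp_fanout(events, threshold=3):
    """{parent pid: count} for parents that launch >= threshold distinct executables out of %TEMP%."""
    children = defaultdict(set)
    for pid, ppid, image in events:
        if TEMP_RE.search(image):
            children[ppid].add(image.lower())
    return {ppid: len(imgs) for ppid, imgs in children.items() if len(imgs) >= threshold}


def dropper_verdicts(events, threshold=3):
    """Parents flagged by temp_fanout, with how many of their children went on to self-respawn.
    Both signals together are what this report shows; either alone is only a lead."""
    respawned_parents = {ppid for ppid, _, _ in onefile_respawns(events)}
    by_pid = {pid: ppid for pid, ppid, _ in events}
    verdicts = {}
    for parent, count in temp_fanout(events, threshold).items():
        respawning = sum(1 for p in respawned_parents if by_pid.get(p) == parent)
        verdicts[parent] = {"dropped": count, "respawning": respawning}
    return verdicts


if __name__ == "__main__":
    for ppid, pid, image in onefile_respawns(EVENTS):
        print("onefile respawn: %d -> %d  %s" % (ppid, pid, image))
    for parent, v in dropper_verdicts(EVENTS).items():
        print("dropper candidate: PID %d launched %d distinct %%TEMP%% executables, %d of them self-respawning"
              % (parent, v["dropped"], v["respawning"]))
```

The self-respawn alone is not malicious: every legitimate PyInstaller onefile application does exactly this, which is why `dropper_verdicts` requires the fan-out as well. To run it against real telemetry, feed Sysmon Event ID 1 (ProcessId, ParentProcessId, Image) or EDR process-creation records into `EVENTS` in the same tuple shape.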
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Local\Temp\CREAL.EXE
  Filesize: 7.5MB
  MD5: 2dc33067754eb099bd137180a357088b
  SHA1: 65ec6e077726a462fe96c32f0540891e76cabc4e
  SHA256: 78b6b54a4643d3648f9653cfd9ec89b0d158f586647e7afc1b78113e1b988585
  SHA512: b0073ba54eebfc0afc1ce8c72d9dc87050e434d77f86d2c3d4cfc00c2d84463cd0ab7891e74eaea92de46c934ff13f61202d4f33d6209e45b4b96e064348d7fa

C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE
  Filesize: 7.4MB
  MD5: 3cc78ec13e19e7deacb003b556afa189
  SHA1: 26f4ce646c930464b07c3eb8d7f888354df0f73b
  SHA256: c11cf38be5e32cf2f7172a47dd93bff04168b4f607a26558d84b90783ba67372
  SHA512: 23bd312a390f7779085732a648026bb06f215ebde483dd1b824b53be03382173b0626be5683860c0c3b806dd081677165b99305ff8990c086231f818f03828b8

C:\Users\Admin\AppData\Local\Temp\_MEI22602\python312.dll
  Filesize: 6.6MB
  MD5: 5c5602cda7ab8418420f223366fff5db
  SHA1: 52f81ee0aef9b6906f7751fd2bbd4953e3f3b798
  SHA256: e7890e38256f04ee0b55ac5276bbf3ac61392c3a3ce150bb5497b709803e17ce
  SHA512: 51c3b4f29781bb52c137ddb356e1bc5a37f3a25f0ed7d89416b14ed994121f884cb3e40ccdbb211a8989e3bd137b8df8b28e232f98de8f35b03965cfce4b424f

\Users\Admin\AppData\Local\Temp\COOKD.EXE
  Filesize: 7.5MB
  MD5: a4d88d60fdebe4d85736d7684de377d5
  SHA1: 3cd96116e5ee43b28a499ea48eff1533b029d8be
  SHA256: 13611a82912fc262cec5433aeb83c62e6488c5931359749c8a29dcc3bc66c731
  SHA512: 739223bae82b42c55bdabc0e7d94d0f9daf4b130317122a491ad36e34da0f3a6ba30e87ef0aeba4319aded8a156f31ffdbcb803921f208c7e00ea7ee11e144b5

\Users\Admin\AppData\Local\Temp\PYTHON.EXE
  Filesize: 7.3MB
  MD5: ac69ea4dae2d61194cedc40f423fc240
  SHA1: 9ec71b517b7e7c36091dbf96fb8eb0577cf0b7f2
  SHA256: aabbc779eef339c207509e4ca1ab3cf82abe780c3a5c2cecf39cb3730de5cf61
  SHA512: 0c224aeccc66a19bc2ab2911c70a7b2a6bbd5c4cc8f57c3001c7e1f6dfb5c2aa310b73e669592a9c3f244d352bff37f5c912ed37a4e860a62ef1a508de1acc8b