291f746c2eb1c7f1c979899d9a61c44b8f3085622f0b311cfa99fc0e584b1aac

Analysis

max time kernel
122s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Romper V5/Romper V5/Romper V5.exe
Size

30.1MB
MD5

20ccae603d435aab174b7b7e46ac7189
SHA1

c4c34d0a46c2f9532596f6dcb6fb86cc44046ab7
SHA256

cf675be72d39b1ee645b19bdbebbc615d6787d3f1c0e7ca9e2ef7c4396a7764b
SHA512

69658a3e15a9885691098976b89e8e2dd2936cbc78f0f0d58400dbf98fa14c4e170f9180b1ab130cc796b3a4b4245879e8406860770e03f3223a01d25532beb9
SSDEEP

786432:GW+e569MZLW+e569MuW+e569MgjW+e5i9M:GW+enhW+enuW+engjW+ev

Score

7^/10

pyinstaller

Malware Config

Signatures

Executes dropped EXE 8 IoCs

Processes:

COOKD.EXECREAL.EXECOOKD.EXEDISCORD.EXECREAL.EXEDISCORD.EXEPYTHON.EXEPYTHON.EXE

pid process

3056 COOKD.EXE
2040 CREAL.EXE
2664 COOKD.EXE
2892 DISCORD.EXE
2992 CREAL.EXE
2504 DISCORD.EXE
2996 PYTHON.EXE
3004 PYTHON.EXE
Loads dropped DLL 12 IoCs

Processes:

Romper V5.exeCOOKD.EXEDISCORD.EXECREAL.EXECOOKD.EXECREAL.EXEPYTHON.EXEDISCORD.EXEPYTHON.EXE

pid process

2944 Romper V5.exe
2944 Romper V5.exe
3056 COOKD.EXE
2944 Romper V5.exe
2892 DISCORD.EXE
2040 CREAL.EXE
2944 Romper V5.exe
2664 COOKD.EXE
2992 CREAL.EXE
2996 PYTHON.EXE
2504 DISCORD.EXE
3004 PYTHON.EXE

pid	process
3056	COOKD.EXE
2040	CREAL.EXE
2664	COOKD.EXE
2892	DISCORD.EXE
2992	CREAL.EXE
2504	DISCORD.EXE
2996	PYTHON.EXE
3004	PYTHON.EXE

pid	process
2944	Romper V5.exe
2944	Romper V5.exe
3056	COOKD.EXE
2944	Romper V5.exe
2892	DISCORD.EXE
2040	CREAL.EXE
2944	Romper V5.exe
2664	COOKD.EXE
2992	CREAL.EXE
2996	PYTHON.EXE
2504	DISCORD.EXE
3004	PYTHON.EXE

Detects Pyinstaller 4 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\COOKD.EXE	pyinstaller
\Users\Admin\AppData\Local\Temp\CREAL.EXE	pyinstaller
C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE	pyinstaller
C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Romper V5.exeCOOKD.EXECREAL.EXEDISCORD.EXEPYTHON.EXE

description	pid	process	target process
PID 2944 wrote to memory of 3056	2944	Romper V5.exe	COOKD.EXE
PID 2944 wrote to memory of 3056	2944	Romper V5.exe	COOKD.EXE
PID 2944 wrote to memory of 3056	2944	Romper V5.exe	COOKD.EXE
PID 2944 wrote to memory of 3056	2944	Romper V5.exe	COOKD.EXE
PID 2944 wrote to memory of 2040	2944	Romper V5.exe	CREAL.EXE
PID 2944 wrote to memory of 2040	2944	Romper V5.exe	CREAL.EXE
PID 2944 wrote to memory of 2040	2944	Romper V5.exe	CREAL.EXE
PID 2944 wrote to memory of 2040	2944	Romper V5.exe	CREAL.EXE
PID 3056 wrote to memory of 2664	3056	COOKD.EXE	COOKD.EXE
PID 3056 wrote to memory of 2664	3056	COOKD.EXE	COOKD.EXE
PID 3056 wrote to memory of 2664	3056	COOKD.EXE	COOKD.EXE
PID 2944 wrote to memory of 2892	2944	Romper V5.exe	DISCORD.EXE
PID 2944 wrote to memory of 2892	2944	Romper V5.exe	DISCORD.EXE
PID 2944 wrote to memory of 2892	2944	Romper V5.exe	DISCORD.EXE
PID 2944 wrote to memory of 2892	2944	Romper V5.exe	DISCORD.EXE
PID 2040 wrote to memory of 2992	2040	CREAL.EXE	CREAL.EXE
PID 2040 wrote to memory of 2992	2040	CREAL.EXE	CREAL.EXE
PID 2040 wrote to memory of 2992	2040	CREAL.EXE	CREAL.EXE
PID 2892 wrote to memory of 2504	2892	DISCORD.EXE	DISCORD.EXE
PID 2892 wrote to memory of 2504	2892	DISCORD.EXE	DISCORD.EXE
PID 2892 wrote to memory of 2504	2892	DISCORD.EXE	DISCORD.EXE
PID 2944 wrote to memory of 2996	2944	Romper V5.exe	PYTHON.EXE
PID 2944 wrote to memory of 2996	2944	Romper V5.exe	PYTHON.EXE
PID 2944 wrote to memory of 2996	2944	Romper V5.exe	PYTHON.EXE
PID 2944 wrote to memory of 2996	2944	Romper V5.exe	PYTHON.EXE
PID 2996 wrote to memory of 3004	2996	PYTHON.EXE	PYTHON.EXE
PID 2996 wrote to memory of 3004	2996	PYTHON.EXE	PYTHON.EXE
PID 2996 wrote to memory of 3004	2996	PYTHON.EXE	PYTHON.EXE

C:\Users\Admin\AppData\Local\Temp\Romper V5\Romper V5\Romper V5.exe
"C:\Users\Admin\AppData\Local\Temp\Romper V5\Romper V5\Romper V5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Admin\AppData\Local\Temp\COOKD.EXE
"C:\Users\Admin\AppData\Local\Temp\COOKD.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\COOKD.EXE
"C:\Users\Admin\AppData\Local\Temp\COOKD.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664

C:\Users\Admin\AppData\Local\Temp\CREAL.EXE
"C:\Users\Admin\AppData\Local\Temp\CREAL.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\CREAL.EXE
"C:\Users\Admin\AppData\Local\Temp\CREAL.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992

C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE
"C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE
"C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504

C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE
"C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996

C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE
"C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE
Filesize
7.4MB

MD5
3cc78ec13e19e7deacb003b556afa189

SHA1
26f4ce646c930464b07c3eb8d7f888354df0f73b

SHA256
c11cf38be5e32cf2f7172a47dd93bff04168b4f607a26558d84b90783ba67372

SHA512
23bd312a390f7779085732a648026bb06f215ebde483dd1b824b53be03382173b0626be5683860c0c3b806dd081677165b99305ff8990c086231f818f03828b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE
Filesize
7.3MB

MD5
ac69ea4dae2d61194cedc40f423fc240

SHA1
9ec71b517b7e7c36091dbf96fb8eb0577cf0b7f2

SHA256
aabbc779eef339c207509e4ca1ab3cf82abe780c3a5c2cecf39cb3730de5cf61

SHA512
0c224aeccc66a19bc2ab2911c70a7b2a6bbd5c4cc8f57c3001c7e1f6dfb5c2aa310b73e669592a9c3f244d352bff37f5c912ed37a4e860a62ef1a508de1acc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30562\python312.dll
Filesize
6.6MB

MD5
5c5602cda7ab8418420f223366fff5db

SHA1
52f81ee0aef9b6906f7751fd2bbd4953e3f3b798

SHA256
e7890e38256f04ee0b55ac5276bbf3ac61392c3a3ce150bb5497b709803e17ce

SHA512
51c3b4f29781bb52c137ddb356e1bc5a37f3a25f0ed7d89416b14ed994121f884cb3e40ccdbb211a8989e3bd137b8df8b28e232f98de8f35b03965cfce4b424f

Download Submit
\Users\Admin\AppData\Local\Temp\COOKD.EXE
Filesize
7.5MB

MD5
a4d88d60fdebe4d85736d7684de377d5

SHA1
3cd96116e5ee43b28a499ea48eff1533b029d8be

SHA256
13611a82912fc262cec5433aeb83c62e6488c5931359749c8a29dcc3bc66c731

SHA512
739223bae82b42c55bdabc0e7d94d0f9daf4b130317122a491ad36e34da0f3a6ba30e87ef0aeba4319aded8a156f31ffdbcb803921f208c7e00ea7ee11e144b5

Download Submit
\Users\Admin\AppData\Local\Temp\CREAL.EXE
Filesize
7.5MB

MD5
2dc33067754eb099bd137180a357088b

SHA1
65ec6e077726a462fe96c32f0540891e76cabc4e

SHA256
78b6b54a4643d3648f9653cfd9ec89b0d158f586647e7afc1b78113e1b988585

SHA512
b0073ba54eebfc0afc1ce8c72d9dc87050e434d77f86d2c3d4cfc00c2d84463cd0ab7891e74eaea92de46c934ff13f61202d4f33d6209e45b4b96e064348d7fa

Download Submit