ff7bc0e26149313a9645b535dc8307ea40b5502d2143314855da9d07d7268daa

Resubmissions

03-10-2021 19:24

211003-x4nq4afeg3 9

01-10-2021 23:31

211001-3h76hadddp 8

Analysis

max time kernel
230s
max time network
296s
platform
windows10_x64
resource
win10-en-20210920
submitted
01-10-2021 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mslog.exe
Size

9.7MB
MD5

f203e938be3fe17ebf389ade9c6b2c9e
SHA1

85c697602efae829e8765a671b36e705a7c96662
SHA256

f0676c64a2f27a02d7947ad41eecfcd9fde5b47ea8fcb9be2a3838cb7dc86128
SHA512

fcb03c204577fc655361610ee27db83eb87a18ed17291055ef0c94de9df5de18e0624972ab4148cc6d3c2ffbcd5e63cc6ceb59292fd468687fac935bafff0030

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI24122\python39.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI24122\python39.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24122\_ctypes.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI24122\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24122\libffi-7.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI24122\libffi-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24122\_socket.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI24122\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24122\select.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI24122\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24122\pywintypes39.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI24122\pywintypes39.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24122\_bz2.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI24122\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24122\_lzma.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI24122\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24122\win32api.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI24122\win32api.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24122\pythoncom39.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI24122\pythoncom39.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24122\_pytransform.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI24122\_pytransform.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI24122\psutil\_psutil_windows.cp39-win_amd64.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI24122\psutil\_psutil_windows.cp39-win_amd64.pyd	upx

Loads dropped DLL 13 IoCs

Processes:

mslog.exe

pid	process
2676	mslog.exe
2676	mslog.exe
2676	mslog.exe
2676	mslog.exe
2676	mslog.exe
2676	mslog.exe
2676	mslog.exe
2676	mslog.exe
2676	mslog.exe
2676	mslog.exe
2676	mslog.exe
2676	mslog.exe
2676	mslog.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

mslog.exe

pid process

2676 mslog.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

mslog.exe

description pid process

Token: SeDebugPrivilege 2676 mslog.exe

description	pid	process
Token: SeDebugPrivilege	2676	mslog.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

mslog.exemslog.exe

description	pid	process	target process
PID 2412 wrote to memory of 2676	2412	mslog.exe	mslog.exe
PID 2412 wrote to memory of 2676	2412	mslog.exe	mslog.exe
PID 2676 wrote to memory of 3452	2676	mslog.exe	cmd.exe
PID 2676 wrote to memory of 3452	2676	mslog.exe	cmd.exe
PID 2676 wrote to memory of 2240	2676	mslog.exe	cmd.exe
PID 2676 wrote to memory of 2240	2676	mslog.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\mslog.exe
"C:\Users\Admin\AppData\Local\Temp\mslog.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412

C:\Users\Admin\AppData\Local\Temp\mslog.exe
"C:\Users\Admin\AppData\Local\Temp\mslog.exe"
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2240

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI24122\VCRUNTIME140.dll
MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24122\_bz2.pyd
MD5
5375043ef0829e9c4b54eb2e7687806b

SHA1
80839fab995c6a3e7695bc206f2bcacb425b5a8f

SHA256
8a847e20e346967b4fd2ed7bec42f28dec59b610ab73eac8f1f6abe7116a0036

SHA512
1fd2c2398114c7629710712af87c66e2470c0c51982af5ef2f7ffa25f843e2778993871c98aa1cc2f14f174b694537fce60a4bb5d281d24ea946380b0e7f161f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24122\_ctypes.pyd
MD5
b8f801273f7a5eb69d3c29f24a44d08c

SHA1
3a5a6e5a03aaf44a80d3798c48f4e38e62271cc1

SHA256
9a2dcd673697f0af45baf74b0e8151668a1553478214296c50e30a8ee491c023

SHA512
acc23f6ea88a6a0f0baba6e5541b362408e3de55d0bc051de8c84f4c95e9bd74e1ab7744551fede9e2cd8aaa0b31cc637af40a6e6b8dd2fdb434c582c5c256bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24122\_lzma.pyd
MD5
16cab6a9cd403281e573c5f4bbad88a8

SHA1
b5971a6a28e60ccc47d6412dc25d721edae3e74f

SHA256
521a7d9192f8865125c5aa9fcc105b0d46623ef9633027e7c0aeca4371137a5e

SHA512
9dbfbfb92bc240d75b959c17cb109f0fb39d7d77e996abd79974bfa8a28358489f5e1fdde201239b5df0d92d3c0b71f70c79a99556d3ce7a5f504a22917895bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24122\_pytransform.dll
MD5
b098260aa9e076ef6061f6237f2abd38

SHA1
d2e5e664a6e16698e8923be2c4021ee1c8f8427c

SHA256
0c1d94b66ad479e8e942f0c6821a16601328b1f4af923e02111896b8602aa561

SHA512
36d2a7a8f8f73beb82642519fd293d09693507c2c2b3c3edcc0efed675dc7652e9fb0dd2d31625484075c1a8db7c4cd5dd3a261715d4e77c663d072b1fa716e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24122\_socket.pyd
MD5
fafdc317ba6c1f505e0531efbbe4c518

SHA1
28a082b1a5ba5d8d1d7401eccb93ffe411b04d45

SHA256
434b0ea06c50ae679733743aa0ddefb73b8bf03ba0e784d698922eab54cf4ab7

SHA512
41a6fc947b0247ca4001c00c92377a0c56c3f53620b7090f890f26617257d88f1fb3b44bb2b1f290690655bbc40e91d3bdc9d6a16d109e6f5ec758db74123684

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24122\base_library.zip
MD5
2b0a62ae1ae6e4ed6cc5c2a8b6a37d4d

SHA1
e8771f3d8ea8fe11a6124c748242b9e944a6281f

SHA256
ce4cca3d1fc87974374d807aace5783b6ed3b5ccabb0b326e097c4ae89e90cfa

SHA512
43681ae9d9eddc21b4635e94e8f69ee06743d046e31e2470c8ca4086fab41917ae354dfe36e8ee396f559a77ad4bbf0b902eab9b0308be602164c564871faa6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24122\libffi-7.dll
MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24122\psutil\_psutil_windows.cp39-win_amd64.pyd
MD5
d400470a5cf04e2762c54880789f911c

SHA1
010c2cdcc43e44570ffebb62c0f663c92ab5299a

SHA256
3ea250ad631efaf5e918cc7fe36ac1d7f0129ecaed4fe9ce01d949bc3ca71379

SHA512
7119aea6bfb24911d69780e5a4a52dbc4fcc7d1a966f595227f18f9f1da45a397f9449b5ab75fdc357216af315706e8781d9447d2ba4cf68d5db389170120a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24122\python39.dll
MD5
25c2f126b06b7b2f6188d89224c4a277

SHA1
db0a08bd014bd61f91319b19730a6647febd16ad

SHA256
f37a76eced4d25f4f652cb2e4fc7aac2592156a38652cab7e87f1e63892e6a02

SHA512
aed3321475b3437abb614c1a927a6ce337dc0507f8ade6d86d3b31642eedb6c771cd113307c7f3cc8162a9903b90e89c1513cf1e4549914cbe8d7a55bd9ad0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24122\pythoncom39.dll
MD5
384e425ed5d05db9b0d65f96c8272669

SHA1
08646cdeb67a903c018b57016b789f6a118505b7

SHA256
afcbd97e820d7aaf83d9626a2e44b2a5748545a8f062972eccf7d815a41b62d9

SHA512
064d409bd5574952ad2631c44460d9620e074f239ada5da1f5469cc942c1f4750366de4f83d9e2abb081303f96db4adbc92eca5043dbd376e096eef643d21e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24122\pywintypes39.dll
MD5
1c5db28728548ea9538b7134672f5217

SHA1
9f13742cc4ab66ab21a97ae85588ef52b5e10c05

SHA256
86babf5d51a2e379717df11189279429e9d44d07e1e4d84e50953c7a57a9dd55

SHA512
45678a7dd86aac4da2694a38973bde3a1ed6e57ecd4cb6f04d4e0141bf41f8f4c34b349c0d7f28d30785793ce920b9584e08978f4cddcb5aa5b69e6a11bce5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24122\select.pyd
MD5
422e53009817df33a5d8242123dde046

SHA1
685a8ab58e7a60e4bc027668db983191366f949a

SHA256
294a3908f65b8b2c90ecc496b7698f4bd353810fc9ad2677f9384327e551fcbf

SHA512
6089a2a6bf449bcd0a31e9b57f42487ad927eccb3e397914eef0227d336b9fbd4257a46aebdc0d559e75b429d764978ff3398e96a4dd18ae5cdc8b8c7002bfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24122\win32api.pyd
MD5
e02581df32bf0391ecce421e9ff1c83a

SHA1
7b56170d64458cce26f447142dfb3e4f492d1ff2

SHA256
a04e4a2576a3aa912a27775f0a75080108ea8593b26901a45af2bd5578ebb6f2

SHA512
f46544930cce4f419276da68ed4850f845651e323cc7e401b45fd04e69e001da2b6b63684ee991df9acf5bfab5eff571acab5c5b707a42380c1a7d4fe89f42e8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24122\VCRUNTIME140.dll
MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24122\_bz2.pyd
MD5
5375043ef0829e9c4b54eb2e7687806b

SHA1
80839fab995c6a3e7695bc206f2bcacb425b5a8f

SHA256
8a847e20e346967b4fd2ed7bec42f28dec59b610ab73eac8f1f6abe7116a0036

SHA512
1fd2c2398114c7629710712af87c66e2470c0c51982af5ef2f7ffa25f843e2778993871c98aa1cc2f14f174b694537fce60a4bb5d281d24ea946380b0e7f161f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24122\_ctypes.pyd
MD5
b8f801273f7a5eb69d3c29f24a44d08c

SHA1
3a5a6e5a03aaf44a80d3798c48f4e38e62271cc1

SHA256
9a2dcd673697f0af45baf74b0e8151668a1553478214296c50e30a8ee491c023

SHA512
acc23f6ea88a6a0f0baba6e5541b362408e3de55d0bc051de8c84f4c95e9bd74e1ab7744551fede9e2cd8aaa0b31cc637af40a6e6b8dd2fdb434c582c5c256bd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24122\_lzma.pyd
MD5
16cab6a9cd403281e573c5f4bbad88a8

SHA1
b5971a6a28e60ccc47d6412dc25d721edae3e74f

SHA256
521a7d9192f8865125c5aa9fcc105b0d46623ef9633027e7c0aeca4371137a5e

SHA512
9dbfbfb92bc240d75b959c17cb109f0fb39d7d77e996abd79974bfa8a28358489f5e1fdde201239b5df0d92d3c0b71f70c79a99556d3ce7a5f504a22917895bf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24122\_pytransform.dll
MD5
b098260aa9e076ef6061f6237f2abd38

SHA1
d2e5e664a6e16698e8923be2c4021ee1c8f8427c

SHA256
0c1d94b66ad479e8e942f0c6821a16601328b1f4af923e02111896b8602aa561

SHA512
36d2a7a8f8f73beb82642519fd293d09693507c2c2b3c3edcc0efed675dc7652e9fb0dd2d31625484075c1a8db7c4cd5dd3a261715d4e77c663d072b1fa716e8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24122\_socket.pyd
MD5
fafdc317ba6c1f505e0531efbbe4c518

SHA1
28a082b1a5ba5d8d1d7401eccb93ffe411b04d45

SHA256
434b0ea06c50ae679733743aa0ddefb73b8bf03ba0e784d698922eab54cf4ab7

SHA512
41a6fc947b0247ca4001c00c92377a0c56c3f53620b7090f890f26617257d88f1fb3b44bb2b1f290690655bbc40e91d3bdc9d6a16d109e6f5ec758db74123684

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24122\libffi-7.dll
MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24122\psutil\_psutil_windows.cp39-win_amd64.pyd
MD5
d400470a5cf04e2762c54880789f911c

SHA1
010c2cdcc43e44570ffebb62c0f663c92ab5299a

SHA256
3ea250ad631efaf5e918cc7fe36ac1d7f0129ecaed4fe9ce01d949bc3ca71379

SHA512
7119aea6bfb24911d69780e5a4a52dbc4fcc7d1a966f595227f18f9f1da45a397f9449b5ab75fdc357216af315706e8781d9447d2ba4cf68d5db389170120a57

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24122\python39.dll
MD5
25c2f126b06b7b2f6188d89224c4a277

SHA1
db0a08bd014bd61f91319b19730a6647febd16ad

SHA256
f37a76eced4d25f4f652cb2e4fc7aac2592156a38652cab7e87f1e63892e6a02

SHA512
aed3321475b3437abb614c1a927a6ce337dc0507f8ade6d86d3b31642eedb6c771cd113307c7f3cc8162a9903b90e89c1513cf1e4549914cbe8d7a55bd9ad0ef

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24122\pythoncom39.dll
MD5
384e425ed5d05db9b0d65f96c8272669

SHA1
08646cdeb67a903c018b57016b789f6a118505b7

SHA256
afcbd97e820d7aaf83d9626a2e44b2a5748545a8f062972eccf7d815a41b62d9

SHA512
064d409bd5574952ad2631c44460d9620e074f239ada5da1f5469cc942c1f4750366de4f83d9e2abb081303f96db4adbc92eca5043dbd376e096eef643d21e55

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24122\pywintypes39.dll
MD5
1c5db28728548ea9538b7134672f5217

SHA1
9f13742cc4ab66ab21a97ae85588ef52b5e10c05

SHA256
86babf5d51a2e379717df11189279429e9d44d07e1e4d84e50953c7a57a9dd55

SHA512
45678a7dd86aac4da2694a38973bde3a1ed6e57ecd4cb6f04d4e0141bf41f8f4c34b349c0d7f28d30785793ce920b9584e08978f4cddcb5aa5b69e6a11bce5de

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24122\select.pyd
MD5
422e53009817df33a5d8242123dde046

SHA1
685a8ab58e7a60e4bc027668db983191366f949a

SHA256
294a3908f65b8b2c90ecc496b7698f4bd353810fc9ad2677f9384327e551fcbf

SHA512
6089a2a6bf449bcd0a31e9b57f42487ad927eccb3e397914eef0227d336b9fbd4257a46aebdc0d559e75b429d764978ff3398e96a4dd18ae5cdc8b8c7002bfe6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24122\win32api.pyd
MD5
e02581df32bf0391ecce421e9ff1c83a

SHA1
7b56170d64458cce26f447142dfb3e4f492d1ff2

SHA256
a04e4a2576a3aa912a27775f0a75080108ea8593b26901a45af2bd5578ebb6f2

SHA512
f46544930cce4f419276da68ed4850f845651e323cc7e401b45fd04e69e001da2b6b63684ee991df9acf5bfab5eff571acab5c5b707a42380c1a7d4fe89f42e8

Download Submit
memory/2240-144-0x0000000000000000-mapping.dmp

Download
memory/2676-115-0x0000000000000000-mapping.dmp

Download
memory/3452-139-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads