Malware Analysis Report

2024-08-06 07:59

Sample ID 230810-tdfe9aef62
Target 2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a
SHA256 2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a
Tags
cobaltstrike metasploit 1359593325 backdoor trojan pyinstaller
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a

Threat Level: Known bad

The file 2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a was found to be: Known bad.

Malicious Activity Summary

cobaltstrike metasploit 1359593325 backdoor trojan pyinstaller

MetaSploit

Cobaltstrike

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Subvert Trust Controls
T1553
Install Root Certificate
T1553.004
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2023-08-10 15:56

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-10 15:56

Reported

2023-08-10 15:58

Platform

win10v2004-20230703-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

MetaSploit

trojan backdoor metasploit

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
PID 2284 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
PID 2284 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe

"C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe"

C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe

"C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 126.143.241.8.in-addr.arpa udp
US 8.8.8.8:53 time.api.chinabm.cn udp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 35.142.219.113.in-addr.arpa udp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
CN 113.219.142.35:443 time.api.chinabm.cn tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI22842\shellcode_loader_1.exe.manifest

MD5 737cee84004d9e7c1f1256d922490b40
SHA1 f642a0fc241104b7a0aa011e434dfbe3de0b71ce
SHA256 db9d564d53e46ee9ebb875443155f733d297d42a91f000153da1e29fede0a199
SHA512 d3193eb3c9ab1624e9949af78fed47223e88fceeb97b8a3a80161ac358be1018e5eecfeafa6117b6f5ac2ecbb6a179ce707b16a0ef8ffdcbd2114e46152e130b

C:\Users\Admin\AppData\Local\Temp\_MEI22842\python34.dll

MD5 2a78649eb1fe4354060623785f7f98aa
SHA1 85dcadf0b43db27f47713c433f8e31a8642cf8d5
SHA256 fdb01967868edc948d9e0ee128a26a3c76df2600262ca9d38034d45dbe39017d
SHA512 678b122bf318b78a7699f4417d6b74e65f3dc740d287c9a193a59c670d38579fa20180dd363f1e620fbce7e388d993e59321b19127fff3e6d6502a8e24a33d6a

C:\Users\Admin\AppData\Local\Temp\_MEI22842\python34.dll

MD5 2a78649eb1fe4354060623785f7f98aa
SHA1 85dcadf0b43db27f47713c433f8e31a8642cf8d5
SHA256 fdb01967868edc948d9e0ee128a26a3c76df2600262ca9d38034d45dbe39017d
SHA512 678b122bf318b78a7699f4417d6b74e65f3dc740d287c9a193a59c670d38579fa20180dd363f1e620fbce7e388d993e59321b19127fff3e6d6502a8e24a33d6a

C:\Users\Admin\AppData\Local\Temp\_MEI22842\MSVCR100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Local\Temp\_MEI22842\MSVCR100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Local\Temp\_MEI22842\base_library.zip

MD5 0aecf93f79fccf4cecd0b8c40c1563b3
SHA1 36c406740615d9b5f1b89311e65931fe258fc4b1
SHA256 f751f64f4bd5018bd38a0cfe7e808856426b4076897d58abede01413c4fde80d
SHA512 b1e51e3ec81f659a78a5971cdc2e7d234ec0d87c5c787f64af02f90b32f665dda3b421139f88e36f55cda713e670f739178731ae4fe313d629eecc67c6856d27

C:\Users\Admin\AppData\Local\Temp\_MEI22842\_ctypes.pyd

MD5 673dc6681afb67384e923dc9bfd2cd90
SHA1 445fcab47381908214d0636be9604828f9d33a47
SHA256 d551e7fcafab97340e03a41ca2f7d5c2ade7eecf7cdaedf147abad63f09f263c
SHA512 801478c83727a59409c19afa9a3edce81c0139f58e3dc81696ffd690e3f1de9c595f100279b18180a9189feaf9fcc40fb74e609f181f2decbea13c6b2a49f6a6

C:\Users\Admin\AppData\Local\Temp\_MEI22842\_ctypes.pyd

MD5 673dc6681afb67384e923dc9bfd2cd90
SHA1 445fcab47381908214d0636be9604828f9d33a47
SHA256 d551e7fcafab97340e03a41ca2f7d5c2ade7eecf7cdaedf147abad63f09f263c
SHA512 801478c83727a59409c19afa9a3edce81c0139f58e3dc81696ffd690e3f1de9c595f100279b18180a9189feaf9fcc40fb74e609f181f2decbea13c6b2a49f6a6

memory/4904-157-0x0000000000760000-0x0000000000761000-memory.dmp

memory/4904-158-0x00000000044C0000-0x00000000044FD000-memory.dmp

memory/4904-159-0x00000000040C0000-0x00000000044C0000-memory.dmp

memory/4904-160-0x00000000044C0000-0x00000000044FD000-memory.dmp

memory/2284-161-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4904-162-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4904-163-0x00000000040C0000-0x00000000044C0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 15:56

Reported

2023-08-10 15:58

Platform

win7-20230712-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

MetaSploit

trojan backdoor metasploit

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
PID 2140 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
PID 2140 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
PID 2140 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe

"C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe"

C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe

"C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 time.api.chinabm.cn udp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 time.api.chinabm.cn tcp
CN 113.219.142.35:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI21402\shellcode_loader_1.exe.manifest

MD5 737cee84004d9e7c1f1256d922490b40
SHA1 f642a0fc241104b7a0aa011e434dfbe3de0b71ce
SHA256 db9d564d53e46ee9ebb875443155f733d297d42a91f000153da1e29fede0a199
SHA512 d3193eb3c9ab1624e9949af78fed47223e88fceeb97b8a3a80161ac358be1018e5eecfeafa6117b6f5ac2ecbb6a179ce707b16a0ef8ffdcbd2114e46152e130b

C:\Users\Admin\AppData\Local\Temp\_MEI21402\python34.dll

MD5 2a78649eb1fe4354060623785f7f98aa
SHA1 85dcadf0b43db27f47713c433f8e31a8642cf8d5
SHA256 fdb01967868edc948d9e0ee128a26a3c76df2600262ca9d38034d45dbe39017d
SHA512 678b122bf318b78a7699f4417d6b74e65f3dc740d287c9a193a59c670d38579fa20180dd363f1e620fbce7e388d993e59321b19127fff3e6d6502a8e24a33d6a

\Users\Admin\AppData\Local\Temp\_MEI21402\python34.dll

MD5 2a78649eb1fe4354060623785f7f98aa
SHA1 85dcadf0b43db27f47713c433f8e31a8642cf8d5
SHA256 fdb01967868edc948d9e0ee128a26a3c76df2600262ca9d38034d45dbe39017d
SHA512 678b122bf318b78a7699f4417d6b74e65f3dc740d287c9a193a59c670d38579fa20180dd363f1e620fbce7e388d993e59321b19127fff3e6d6502a8e24a33d6a

C:\Users\Admin\AppData\Local\Temp\_MEI21402\MSVCR100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

\Users\Admin\AppData\Local\Temp\_MEI21402\MSVCR100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Local\Temp\_MEI21402\base_library.zip

MD5 0aecf93f79fccf4cecd0b8c40c1563b3
SHA1 36c406740615d9b5f1b89311e65931fe258fc4b1
SHA256 f751f64f4bd5018bd38a0cfe7e808856426b4076897d58abede01413c4fde80d
SHA512 b1e51e3ec81f659a78a5971cdc2e7d234ec0d87c5c787f64af02f90b32f665dda3b421139f88e36f55cda713e670f739178731ae4fe313d629eecc67c6856d27

C:\Users\Admin\AppData\Local\Temp\_MEI21402\_ctypes.pyd

MD5 673dc6681afb67384e923dc9bfd2cd90
SHA1 445fcab47381908214d0636be9604828f9d33a47
SHA256 d551e7fcafab97340e03a41ca2f7d5c2ade7eecf7cdaedf147abad63f09f263c
SHA512 801478c83727a59409c19afa9a3edce81c0139f58e3dc81696ffd690e3f1de9c595f100279b18180a9189feaf9fcc40fb74e609f181f2decbea13c6b2a49f6a6

\Users\Admin\AppData\Local\Temp\_MEI21402\_ctypes.pyd

MD5 673dc6681afb67384e923dc9bfd2cd90
SHA1 445fcab47381908214d0636be9604828f9d33a47
SHA256 d551e7fcafab97340e03a41ca2f7d5c2ade7eecf7cdaedf147abad63f09f263c
SHA512 801478c83727a59409c19afa9a3edce81c0139f58e3dc81696ffd690e3f1de9c595f100279b18180a9189feaf9fcc40fb74e609f181f2decbea13c6b2a49f6a6

memory/2280-78-0x00000000002E0000-0x00000000002E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab8DEF.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\Tar8EAE.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4cdad25abcd595b2cdb8af5b8199e04f
SHA1 0bfbafc9c83ea220f7b5fcd209fa9ad4d6e75691
SHA256 cee974d621bad306154616c49367533b3fedeab89ca3842f5ad58a6305444409
SHA512 695321acfb979cd65d4ec3d56d8edc9289852bcc37b420860fad84ca18dc913236a021f56d6d7543b96da5ad77eb977d6d6bfaddf1c5a51e9b456b6457f2bd6a

memory/2280-140-0x0000000003FE0000-0x000000000401D000-memory.dmp

memory/2280-141-0x0000000004390000-0x0000000004790000-memory.dmp

memory/2140-160-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2280-161-0x0000000003FE0000-0x000000000401D000-memory.dmp

memory/2280-162-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2280-163-0x0000000004390000-0x0000000004790000-memory.dmp