Analysis Overview
SHA256
c605e919a0b6a36830a388be8e43a29a81139d095cea8f04269a349872afdebe
Threat Level: Shows suspicious behavior
The file 325bbbe1ee2f09f72e1084acae849bf8 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
VMProtect packed file
Detects Pyinstaller
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 10:16
Signatures
Detects Pyinstaller
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 10:16
Reported
2024-01-10 08:13
Platform
win7-20231129-en
Max time kernel
0s
Max time network
126s
Signatures
Loads dropped DLL
VMProtect packed file
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
"C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe"
C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
"C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe" C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe asadmin
C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
"C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe" C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe asadmin
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe"
C:\Users\Admin\AppData\Local\Temp\Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Defender.exe" /D
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Users\Admin\AppData\Local\Temp\Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Defender.exe" /SYS 1
C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
"C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI30242\python38.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe
| MD5 | 22709abae1f01d878942f391cabedd91 |
| SHA1 | afbdaed36dbfb2697df1f495fa878f87d5eb886d |
| SHA256 | 8fcfde3960b39846c6c20f876df883dd18ad68a8e915a9adf52ddc7d0289ffbf |
| SHA512 | 08accd27d7bdbd742c8d64a53ad40125cb848566bf6dd56e705647c99196861d4c779a040996f74d8b603f46d4a203f05636d34e02942efda5dd2615ebabdcb8 |
\Users\Admin\AppData\Local\Temp\Defender.exe
| MD5 | ac34ba84a5054cd701efad5dd14645c9 |
| SHA1 | dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b |
| SHA256 | c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e |
| SHA512 | df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a |
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | cd4326a6fd01cd3ca77cfd8d0f53821b |
| SHA1 | a1030414d1f8e5d5a6e89d5a309921b8920856f9 |
| SHA256 | 1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c |
| SHA512 | 29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67 |
C:\Windows\Temp\jbmbscj
| MD5 | 4f4cfdec02b700d2582f27f6943a1f81 |
| SHA1 | 37027566e228abba3cc596ae860110638231da14 |
| SHA256 | 18a13223c2587bc03ce14be7a63325f3c60d6f805e1bb96e32025ecdc1d620b7 |
| SHA512 | 146128ecb8bc682510a92f58cea58bfed68a215438d235b1b79ad6e0ef1f0f6a6b9400c7b83d70ddf7d8a22a5bcaca17b6532650192b4448e811dd7b4335b592 |
C:\Users\Admin\AppData\Local\Temp\_MEI29282\Process.exe
| MD5 | e45ec446aff1a32b03c47d5240c94902 |
| SHA1 | 0f9055f732a8c66406a5becb9ae7b89d42d1a129 |
| SHA256 | 2b1412f56d4356e96d4563957cb22a2025e19066de0b335314ce045540eaa6d3 |
| SHA512 | 3ef70f8dfdcbfaad0391812e11e4fc66e02940ff42664f2eea786c231e864acb9854c7b867d1edf92775926a7c4dd464f39d0380cdb902784a8fdeac54f70316 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 10:16
Reported
2024-01-10 08:13
Platform
win10v2004-20231215-en
Max time kernel
1s
Max time network
118s
Signatures
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1228 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe | C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
"C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe"
C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
"C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe" C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe asadmin
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe"
C:\Users\Admin\AppData\Local\Temp\Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Defender.exe" /D
C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
"C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe" C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe asadmin
C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
"C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.135.221.88.in-addr.arpa | udp |
Files