Malware Analysis Report

2025-03-15 03:13

Sample ID 240105-w6335ahfb7
Target VIRUS.exe
SHA256 3d646f6887111d21aa9de74404f2952a03ed724d0a1f08fef901fbed5d77a044
Tags: upx pyinstaller empyrean
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

3d646f6887111d21aa9de74404f2952a03ed724d0a1f08fef901fbed5d77a044

Threat Level: Known bad

The file VIRUS.exe was found to be: Known bad.

Malicious Activity Summary

upx pyinstaller empyrean

Detects Empyrean stealer

Empyrean family

Loads dropped DLL

UPX packed file

Looks up external IP address via web service

Detects Pyinstaller

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-05 18:33

Signatures

Detects Empyrean stealer

Description Indicator Process Target
N/A N/A N/A N/A

Empyrean family

empyrean

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-05 18:32

Reported

2024-01-05 18:35

Platform

win10v2004-20231222-en

Max time kernel

1s

Max time network

81s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VIRUS.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VIRUS.exe

"C:\Users\Admin\AppData\Local\Temp\VIRUS.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Users\Admin\AppData\Local\Temp\VIRUS.exe

"C:\Users\Admin\AppData\Local\Temp\VIRUS.exe"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 ipapi.co udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 104.26.9.44:443 ipapi.co tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 44.9.26.104.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI7042\VCRUNTIME140.dll

MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

C:\Users\Admin\AppData\Local\Temp\_MEI7042\python310.dll

MD5 807dde602a1c5501c615a50a44d3dd75
SHA1 8d3689ca837b8ecec6dbb3560f815609c27d912e
SHA256 618f5a06c563585c7abc2975e34e504f0d17a347150e250c4cb675c231b9eb04
SHA512 9c7e651f0a41d03c48004534a52f9c1f578af35279765ac1b325727102735b1879afd5c3b9e716e40d4ba1e046e2831d18402091a1867047ad8de02e58868690
Analysis: behavioral1

Detonation Overview

Submitted

2024-01-05 18:32

Reported

2024-01-05 18:36

Platform

win7-20231129-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VIRUS.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VIRUS.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\VIRUS.exe C:\Users\Admin\AppData\Local\Temp\VIRUS.exe
PID 2356 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\VIRUS.exe C:\Users\Admin\AppData\Local\Temp\VIRUS.exe
PID 2356 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\VIRUS.exe C:\Users\Admin\AppData\Local\Temp\VIRUS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\VIRUS.exe

"C:\Users\Admin\AppData\Local\Temp\VIRUS.exe"

C:\Users\Admin\AppData\Local\Temp\VIRUS.exe

"C:\Users\Admin\AppData\Local\Temp\VIRUS.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\_MEI23562\python310.dll

MD5 0edbf94078ddee2201ba31c53bb0cc8e
SHA1 0315c859f31a7740f1d7b2c3020449d9e0fec7e5
SHA256 0261b31c628d26e7df32a27c6a1a45b9d8988301088d1a152345fc91ad313941
SHA512 b64ad56067b6ce21cb78cf9e954795e8e6877664f27802214497ded72b01605128f77cc27608f9fc91f819cd64a64491bb06890427ac35574c1a892522c375f9

memory/2520-134-0x000007FEF6210000-0x000007FEF667E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI23562\python310.dll

MD5 7dc79888694217cde5609f9d08f762ed
SHA1 f08f1dc4441ef3d7d4a0bb42d70b0272aecc9bba
SHA256 a09c93d51ac06dec9578d0cf598167b7c1e5beebe5947150e23850710f3380b5
SHA512 10d2f70251bafa44294112ed43d9af5cb94f26c5667c21cbde5c3c82d5516be048ee19e4f479864f9a0601d9fefbd196ac17ba823699a81cdc40855e1c7a04cd