Malware Analysis Report

2025-08-05 12:47

Sample ID 240122-wctmlacah8
Target 6febf9009df8b33329a8e746ac27f334
SHA256 ad16e884ae04e09b369bd2febbf1e928a556286909192702c82fd8b573bd461b
Tags
pyinstaller metasploit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ad16e884ae04e09b369bd2febbf1e928a556286909192702c82fd8b573bd461b

Threat Level: Known bad

The file 6febf9009df8b33329a8e746ac27f334 was found to be: Known bad.

Malicious Activity Summary

pyinstaller metasploit

Metasploit family

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-22 17:47

Signatures

Metasploit family
Tag: metasploit

Detects Pyinstaller
Tag: pyinstaller

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 17:47

Reported

2024-01-22 17:49

Platform

win7-20231215-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                                 Target
Token: 35                N/A        C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe  N/A
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe  N/A

Note: the unresolved value 35 is the privilege LUID SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (SeCreateSymbolicLinkPrivilege) from winnt.h. Both enables are consistent with the bundled runtime rather than with a payload action: CPython 3.6's os module attempts to enable SeCreateSymbolicLinkPrivilege when it is imported, and psutil's _psutil_windows extension (dropped under _MEI10682, see Files) enables SeDebugPrivilege when it is loaded. On its own this signature is weak evidence; the Metasploit verdict on this page comes from the static signature, not from observed behaviour.

Processes

C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe
"C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe"

C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe
"C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe"

C:\windows\SysWOW64\schtasks.exe

C:\windows\system32\schtasks.exe

Note: the sample is listed twice because a PyInstaller one-file executable runs as two processes: the bootloader parent, which unpacks the bundle into %TEMP%\_MEI<n> (see Files), and a child copy of the same executable that hosts the Python interpreter. No command line is recorded for either schtasks.exe invocation, so the report does not show what task, if any, was created or queried.

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI10682\python36.dll

MD5 56c6b77c9e833643eb8879cba8b25ca4
SHA1 42e476ae69ce242ac8568157051ccc5b2690188f
SHA256 9829b8779d904e95972e751c1d6e275c07027e642dde03b63f9c62f67daf73d7
SHA512 3afe1d94cd2f50d3fd33d65364969a538b9d8401977cdf46a0f5bdf5595ceb80e6ce9e36b7349a664a35afb6d8a4910ac623c1ae86936a4c0794d7fec6ded1e8

C:\Users\Admin\AppData\Local\Temp\_MEI10682\test_rules.exe.manifest

MD5 25d73be1f056a07f175030fb2c2cba42
SHA1 c7b316ae764192c0caae5d1dbf218024f8a4857b
SHA256 d77e1a1da4150ec7670f5d77d718ba4af2bcf6e6cf5c57eebc767c60bb34e135
SHA512 27e87160fde48fe973a343b3c629e97d1b391e759fcf09ed4c5d3621939c6ce58cef2e26891b986b7f19cbb8d48b114efcd2db9b0e68fa6567b28d3ccebdbe33

C:\Users\Admin\AppData\Local\Temp\_MEI10682\VCRUNTIME140.dll

MD5 a2523ea6950e248cbdf18c9ea1a844f6
SHA1 549c8c2a96605f90d79a872be73efb5d40965444
SHA256 6823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4
SHA512 2141c041b6bdbee9ec10088b9d47df02bf72143eb3619e8652296d617efd77697f4dc8727d11998695768843b4e94a47b1aed2c6fb9f097ffc8a42ca7aaaf66a

C:\Users\Admin\AppData\Local\Temp\_MEI10682\base_library.zip

MD5 5014f4d3db24de420a401c0778918e2c
SHA1 3a595c6a983a93a7753870252f163dc8a1fc79ca
SHA256 22dd03af519c999f114f44049d350e0cc886323a06a79854068adc7e568caae3
SHA512 143a689e591f483296e906ce4ac4295ad8476610802515315fc4d8af42dd228c00680ecfa6a08a4cfc2d2d1b9438b64a5ece24345c32c6addb18790579449152

C:\Users\Admin\AppData\Local\Temp\_MEI10682\_ctypes.pyd

MD5 3af3107bb4bbe61cf16075ea8196cfcc
SHA1 e87b263dc73047a7f72af74b02d3deefd76c97dd
SHA256 5dfe799784ab7fb0727bfed0edf16cc582dbf38eefac16b487874693c707c762
SHA512 564895b93154916900b67c6e382ebaf0fe3953dbff9c4b6c99f74691e5f7282e28520a4cdcec5dcb6d199806aa33d7904865159d722c88839883913b9661bcaa

\Users\Admin\AppData\Local\Temp\_MEI10682\_bz2.pyd

MD5 349b15b78e073cf51e87396264b46458
SHA1 feb9d0cc20b039247b7575162f902193998d07d4
SHA256 3163faab1d971649e78497200382286cac7b4c9302dd49c2fab8be287466f89b
SHA512 7509d19a4566559d1b701db3249d44bd58bfc62585f4251c27bf91bdcab4d6bd20cc46b63a5410370dbe30cc5cab6bca143b9db1325aca2ee98621b1ecee5b81

C:\Users\Admin\AppData\Local\Temp\_MEI10682\_lzma.pyd

MD5 41c28d076a29ef39ada6a88c13a20f26
SHA1 b679297c4fddf2a083901820b3831e9defeb8868
SHA256 6e1beffb1735804a476b247c364c636a6d8205c59fe6817f91d4765f40684d35
SHA512 c40a60a6b31d81c7e18cc2dfec62c75e6a00c5336201c40b61df11489ae68e399f8321c6c5bdb21c5e41fa73c5bc6a2b2d43c998ddd3a2730dd2d8db362cfff7

C:\Users\Admin\AppData\Local\Temp\_MEI10682\_socket.pyd

MD5 7e3a0b776d9f2e541cc229914550f73c
SHA1 8a4804554da4fda9b5ee26350892160cb68b3192
SHA256 25605e93c25765780296a13b131eeeccc058e85e75396782a431923b8e5986ee
SHA512 8f3aa12b83b960c99c43d478fa78dd5319d1cb8095834246e769990e75bd3af22690dc212867bd3a1a358eddd5bb2bf119f9fd8b1a92e689ceb98a77411e24c4

\Users\Admin\AppData\Local\Temp\_MEI10682\select.pyd

MD5 53180ac77de73a05568cc8f7bf0ccc37
SHA1 1ae29bd26716b46a4c441f9454169d6a26d451b1
SHA256 11bad8fccaf9cd3c8a1de238a6dad3a4289be1d2e1d97bacf213cd0f3c2b1e75
SHA512 0b30ba9478a7d91c1a3d143d997a4d1e1288dd53f4586005b62f9d64a3d0b051d0b1ae8dd8d252dd36ca57e997138927dd7f22a3d43234432927f6156cb1d3cb

C:\Users\Admin\AppData\Local\Temp\_MEI10682\_ssl.pyd

MD5 390f2cfcb0a28c8b40dc765027db860a
SHA1 a847084eebb1b4cc5b391654b14cfaa20fba9951
SHA256 2a8968976eefa6654ad0180c84827cfdf846fecac371921cb4c1429f7482d202
SHA512 48f99918bb0f13d5989406fcc748ea86d4f9053379bef59c81bf48c62ae4563fcccb709f8d00b4b2b29a4f7b7c5c836e9cfec5314ecff7fdf07d98d1701e9c75

C:\Users\Admin\AppData\Local\Temp\_MEI10682\_hashlib.pyd

MD5 4b513969daebd22c88a6453607a70cc1
SHA1 03cba2aaccab6498bdd3fb9e7b7900741d89374f
SHA256 f549a7a432ad4dbdcd6343d44550fb7d94fd34881487d420aca6db2704378022
SHA512 02f8af9f25479941a9657f06268e00db2026f2d405244964290b0fe97cdf72e0bef0d10cc52e6bcaaf2105849d1ff6f23a14f11275cfe8c4b3d3e03a7857d5c7

C:\Users\Admin\AppData\Local\Temp\_MEI10682\unicodedata.pyd

MD5 508f09979281f99a61d8a2d2165614dd
SHA1 c7f04719b0325c5c2e2de2b9ea9e2db81f8376ee
SHA256 fad1cb2d4eb57612461bc6fa75c6ee827d7fbef15a78031ec9ea251312ba0f0e
SHA512 8ce9ac7ff375dc820aaadc7ef558da6dd34b66abb7a19095e5aaf43e3717d5b0f03b1d9a3886baa23772a3bf0fa97e4eacccb572bd416ec72e599dba516d1a3d

C:\Users\Admin\AppData\Local\Temp\_MEI10682\psutil._psutil_windows.pyd

MD5 95e7df8d97acddd70efc26aa1efe0a7c
SHA1 1dcbcdde4cf6adc64882086ace539c8b86d313d8
SHA256 b2af31f74b0963f45ea5dd5df2948a0713c837776c57c57da4f772da132ed818
SHA512 b78e6e1a90c5a36fdc042ee11466e0ee70588e207d31791da17021be16e487dc4d5c44efd1b576206f194b5de14fd5d7e42b813245abedb05f5fdcc55a238b04

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 17:47

Reported

2024-01-22 17:49

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                                 Target
Token: 35                N/A        C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe  N/A
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe

"C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe"

C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe

"C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe"

C:\windows\SysWOW64\schtasks.exe

C:\windows\system32\schtasks.exe

Network

Country  Destination  Domain                        Proto
US       8.8.8.8:53   241.150.49.20.in-addr.arpa    udp
US       8.8.8.8:53   240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53   67.31.126.40.in-addr.arpa     udp
US       8.8.8.8:53   95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53   232.168.11.51.in-addr.arpa    udp
US       8.8.8.8:53   103.169.127.40.in-addr.arpa   udp
US       8.8.8.8:53   15.164.165.52.in-addr.arpa    udp
US       8.8.8.8:53   217.135.221.88.in-addr.arpa   udp
US       8.8.8.8:53   43.229.111.52.in-addr.arpa    udp
US       8.8.8.8:53   209.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53   178.223.142.52.in-addr.arpa   udp
US       8.8.8.8:53   81.171.91.138.in-addr.arpa    udp

Note: all twelve rows are UDP DNS queries to Google's public resolver for PTR (reverse-lookup) records; a name of the form d.c.b.a.in-addr.arpa asks for the hostname of the address a.b.c.d. The report records no A/AAAA lookups, TCP connections or HTTP requests in either detonation (behavioral1 logged no network activity at all), so no C2 endpoint can be derived from this page.
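The following is an added example, not code from the report or from the sample: it decodes the PTR names in the table above back to the addresses that were looked up and checks whether the table holds anything other than resolver traffic. NETWORK_ROWS is copied from the behavioral2 Network table; the helper functions are this example's own.

```python
"""Decode the Network table: PTR (reverse-DNS) names back to IP addresses.

Added example: not code from the report. NETWORK_ROWS is copied from the
behavioral2 Network table; the helper functions are this example's own.
"""
import ipaddress

# (country, destination, queried name, protocol) -- copied from the report.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "241.150.49.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "67.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "232.168.11.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "103.169.127.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "217.135.221.88.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "43.229.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "209.178.17.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "178.223.142.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "81.171.91.138.in-addr.arpa", "udp"),
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_name_to_ip(name):
    """'d.c.b.a.in-addr.arpa' -> 'a.b.c.d'; None if the name is not a v4 PTR name."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:  # non-numeric or out-of-range octet
        return None


def summarize(rows):
    """Split rows into decoded PTR lookups and everything that is not a PTR lookup."""
    ptr, other = [], []
    for country, dest, name, proto in rows:
        ip = ptr_name_to_ip(name)
        if ip is not None:
            ptr.append((dest, ip))
        else:
            other.append((country, dest, name, proto))
    return ptr, other


def queried_ips(rows):
    """Sorted, de-duplicated list of addresses whose PTR records were requested."""
    return sorted({ip for _, ip in summarize(rows)[0]}, key=ipaddress.IPv4Address)


def resolver_only(rows):
    """True when every row is a DNS query (port 53) to a single resolver.

    In that case the table contains no connection to any of the decoded
    addresses, so none of them can be called a C2 endpoint from this evidence.
    """
    dests = {dest for _, dest, _, _ in rows}
    return len(dests) == 1 and next(iter(dests)).endswith(":53")


if __name__ == "__main__":
    ptr, other = summarize(NETWORK_ROWS)
    print(f"{len(ptr)} PTR lookups, {len(other)} other rows")
    for ip in queried_ips(NETWORK_ROWS):
        print("reverse lookup of", ip)
    print("resolver-only traffic:", resolver_only(NETWORK_ROWS))
```

Run against the report's rows, every entry decodes to a public IPv4 address and resolver_only() is true; the decoded addresses are things the guest asked the hostname of, not hosts it connected to, which is why they should not be promoted to network indicators without corroborating connection data.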

Files

C:\Users\Admin\AppData\Local\Temp\_MEI32242\test_rules.exe.manifest

MD5 25d73be1f056a07f175030fb2c2cba42
SHA1 c7b316ae764192c0caae5d1dbf218024f8a4857b
SHA256 d77e1a1da4150ec7670f5d77d718ba4af2bcf6e6cf5c57eebc767c60bb34e135
SHA512 27e87160fde48fe973a343b3c629e97d1b391e759fcf09ed4c5d3621939c6ce58cef2e26891b986b7f19cbb8d48b114efcd2db9b0e68fa6567b28d3ccebdbe33

C:\Users\Admin\AppData\Local\Temp\_MEI32242\python36.dll

MD5 6316907faca8ed91e8477eeb1cb62b36
SHA1 5e6816c064538b8ef110f30a67df2c30b965ea23
SHA256 606171464bf27f67bea8d08e8015fd6777ab8b574c22691a29254098b3f94e25
SHA512 f53c7a39f151c19d63872c4ae4e0daebf4229b5332eede56da390b719eabc0dffa2ff4e72bd51a5728ac26aac1752abd30b7d5d5716fe6fc7a97a98faa3f10f7

C:\Users\Admin\AppData\Local\Temp\_MEI32242\python36.dll

MD5 f6732a596a2e62c14d733eb023da7916
SHA1 71bea1945ee05843003badc29d0b18efc47edc06
SHA256 ee7c2c685280b3981def8da10a3247335649c22bcfd464f991ac4c11d02e31f0
SHA512 0916a5ef9aa508d0d33544c8aaef14162f4c04a924daa3386a3a1ba7741711b91fdcb1628b06266598afb163f0ddb993646a7e1df792e3d213cbb75c829a8b0c

C:\Users\Admin\AppData\Local\Temp\_MEI32242\VCRUNTIME140.dll

MD5 a2523ea6950e248cbdf18c9ea1a844f6
SHA1 549c8c2a96605f90d79a872be73efb5d40965444
SHA256 6823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4
SHA512 2141c041b6bdbee9ec10088b9d47df02bf72143eb3619e8652296d617efd77697f4dc8727d11998695768843b4e94a47b1aed2c6fb9f097ffc8a42ca7aaaf66a

C:\Users\Admin\AppData\Local\Temp\_MEI32242\base_library.zip

MD5 2aff2e153eafc1f37acc3e3f77ddebb4
SHA1 8adeedcbaa5161532cae246351dfb01875903d16
SHA256 6f05d6d6b273bb01cda064cce941f1b76b276915f0e6411db2f08ca4a3d8d9ad
SHA512 9d3a1d7ce77f5b759ad8b51acc72c14146aa524698260b8c42abcc2ee121f5343a755086a49dd9fa4b1e5ab750dbe842d02c3a09e172866852ba0ed245fb42d0

C:\Users\Admin\AppData\Local\Temp\_MEI32242\_ctypes.pyd

MD5 3af3107bb4bbe61cf16075ea8196cfcc
SHA1 e87b263dc73047a7f72af74b02d3deefd76c97dd
SHA256 5dfe799784ab7fb0727bfed0edf16cc582dbf38eefac16b487874693c707c762
SHA512 564895b93154916900b67c6e382ebaf0fe3953dbff9c4b6c99f74691e5f7282e28520a4cdcec5dcb6d199806aa33d7904865159d722c88839883913b9661bcaa

C:\Users\Admin\AppData\Local\Temp\_MEI32242\_bz2.pyd

MD5 349b15b78e073cf51e87396264b46458
SHA1 feb9d0cc20b039247b7575162f902193998d07d4
SHA256 3163faab1d971649e78497200382286cac7b4c9302dd49c2fab8be287466f89b
SHA512 7509d19a4566559d1b701db3249d44bd58bfc62585f4251c27bf91bdcab4d6bd20cc46b63a5410370dbe30cc5cab6bca143b9db1325aca2ee98621b1ecee5b81

C:\Users\Admin\AppData\Local\Temp\_MEI32242\_ssl.pyd

MD5 a10957cea5320b03c2f4a710c2e5b63e
SHA1 53700a6efa3bd3e8b3598a8d422f742464a87d3b
SHA256 0ce7a5de2667fc2678b1ea72551d1b45d27d1dbf16de34b951b7a48e6b4956bf
SHA512 c468505017e2033bb2de2d47fd93ac1ff74c76bb4184037f57e882196119907d4a770994980c73cf211e6c9511a26546e987bf72cf596fb20af69878b4239e67

C:\Users\Admin\AppData\Local\Temp\_MEI32242\_ssl.pyd

MD5 b4965c2d1addb0058f30a7855a36ce7f
SHA1 4e1bc5455efcd2c8fdeeb3d013c0b7148650c168
SHA256 aeb2a7b773e3d76d16cb2518580b6056a2f86a21571849dee55e67c32a73ce04
SHA512 c67cdf61aa1d9e06172f55a65e894a6afc644cd64d46ce185aa57addc0472d54dfdb42955c4ec916df10171c02d2a35f3a74174a89a4be487981c8b4e659af9e

C:\Users\Admin\AppData\Local\Temp\_MEI32242\_hashlib.pyd

MD5 e55faaaf0e82fc0e0755ee4633fac2d1
SHA1 31f93c6059f446f6ce56c409b2641facd072b75e
SHA256 ba6331b07b136b921bd624036f9a69bc7053ac76d7b8953f2bb73d37e9f4f628
SHA512 32f40a634301be1351ac5d66a0c32e258c3e0d4351c107ee762406fee9084b1a92216c61aad7bf12af2cc389de51b3fa0f0474b53a3b96b2d64206483bf625f6

C:\Users\Admin\AppData\Local\Temp\_MEI32242\_hashlib.pyd

MD5 a68d3b7c5dbb52a63a59fb7464e4cfcc
SHA1 ca080a3452bd4bb80437fc6856b9c49d21b9429e
SHA256 f87688f17820a0ba7c3a785dac32a110cf81c5a341eb7036f57af4a3b19e70a2
SHA512 0c0bf79e56927868956ce731e16f1ff2cfc98775952313139dd78e0877fe4310f7304b64d10691fc6718aa82868623aa18fd45df6e0c54cdf1e313127372d9a0

C:\Users\Admin\AppData\Local\Temp\_MEI32242\unicodedata.pyd

MD5 a9ae2ac9a00561f6915612e87bfb2170
SHA1 9d2bb2639e06ef9613b99499ec9a14b84bfdd2da
SHA256 c3a4b9c9cae4abeaefe5489cc81ff3f33177558dd2119a1bdbdcec4ed8443788
SHA512 85f4369f0a8c03b366f47772532365aab9880a2682025638d62387be846b404ff2de76aa0788b75a21d1330875c1a218589f96908d197f833b9f686a67f545c6

C:\Users\Admin\AppData\Local\Temp\_MEI32242\psutil._psutil_windows.pyd

MD5 95e7df8d97acddd70efc26aa1efe0a7c
SHA1 1dcbcdde4cf6adc64882086ace539c8b86d313d8
SHA256 b2af31f74b0963f45ea5dd5df2948a0713c837776c57c57da4f772da132ed818
SHA512 b78e6e1a90c5a36fdc042ee11466e0ee70588e207d31791da17021be16e487dc4d5c44efd1b576206f194b5de14fd5d7e42b813245abedb05f5fdcc55a238b04

C:\Users\Admin\AppData\Local\Temp\_MEI32242\unicodedata.pyd

MD5 cf6e427596548d7ba041cd83dacfb46d
SHA1 cdef6bffe65cc618e408bbe575180436cb0663ca
SHA256 405f65e1fe6f3c2df4f4f3fe62598002153645368037a2b8d01a2dff466126c1
SHA512 9684f37bdfbe7bd2b8965b94305b971953699cf741acf028e1cb54451bf0a630c808a00c26f1b0a498f48c7bbcfc07ab459460a600032d98fb0dbd90f7cec505

C:\Users\Admin\AppData\Local\Temp\_MEI32242\select.pyd

MD5 53180ac77de73a05568cc8f7bf0ccc37
SHA1 1ae29bd26716b46a4c441f9454169d6a26d451b1
SHA256 11bad8fccaf9cd3c8a1de238a6dad3a4289be1d2e1d97bacf213cd0f3c2b1e75
SHA512 0b30ba9478a7d91c1a3d143d997a4d1e1288dd53f4586005b62f9d64a3d0b051d0b1ae8dd8d252dd36ca57e997138927dd7f22a3d43234432927f6156cb1d3cb

C:\Users\Admin\AppData\Local\Temp\_MEI32242\_socket.pyd

MD5 7e3a0b776d9f2e541cc229914550f73c
SHA1 8a4804554da4fda9b5ee26350892160cb68b3192
SHA256 25605e93c25765780296a13b131eeeccc058e85e75396782a431923b8e5986ee
SHA512 8f3aa12b83b960c99c43d478fa78dd5319d1cb8095834246e769990e75bd3af22690dc212867bd3a1a358eddd5bb2bf119f9fd8b1a92e689ceb98a77411e24c4

C:\Users\Admin\AppData\Local\Temp\_MEI32242\_lzma.pyd

MD5 41c28d076a29ef39ada6a88c13a20f26
SHA1 b679297c4fddf2a083901820b3831e9defeb8868
SHA256 6e1beffb1735804a476b247c364c636a6d8205c59fe6817f91d4765f40684d35
SHA512 c40a60a6b31d81c7e18cc2dfec62c75e6a00c5336201c40b61df11489ae68e399f8321c6c5bdb21c5e41fa73c5bc6a2b2d43c998ddd3a2730dd2d8db362cfff7
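The following is an added example, not code from the report or from the sample: it compares the dropped-file inventories of the two detonations (the Files tables of behavioral1 and behavioral2). The rows in DROPPED are a subset copied from those two tables (path and SHA-256 only); the parsing and comparison helpers are this example's own. It surfaces two things the raw tables do not make obvious: the build name recoverable from the .exe.manifest, and which runtime files were recorded with more than one hash.

```python
"""Compare the dropped-file inventories of the two detonations.

Added example: this is not code from the report or from the sample. The
rows in DROPPED are copied from the two Files tables (path and SHA-256 only,
a subset of the rows); the helpers below are this example's own.
"""
import re
from collections import defaultdict

# (detonation, dropped path, SHA-256) -- copied from the report's Files tables.
DROPPED = [
    ("behavioral1", r"C:\Users\Admin\AppData\Local\Temp\_MEI10682\python36.dll",
     "9829b8779d904e95972e751c1d6e275c07027e642dde03b63f9c62f67daf73d7"),
    ("behavioral1", r"C:\Users\Admin\AppData\Local\Temp\_MEI10682\test_rules.exe.manifest",
     "d77e1a1da4150ec7670f5d77d718ba4af2bcf6e6cf5c57eebc767c60bb34e135"),
    ("behavioral1", r"C:\Users\Admin\AppData\Local\Temp\_MEI10682\_ssl.pyd",
     "2a8968976eefa6654ad0180c84827cfdf846fecac371921cb4c1429f7482d202"),
    ("behavioral1", r"C:\Users\Admin\AppData\Local\Temp\_MEI10682\_socket.pyd",
     "25605e93c25765780296a13b131eeeccc058e85e75396782a431923b8e5986ee"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\_MEI32242\test_rules.exe.manifest",
     "d77e1a1da4150ec7670f5d77d718ba4af2bcf6e6cf5c57eebc767c60bb34e135"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\_MEI32242\python36.dll",
     "606171464bf27f67bea8d08e8015fd6777ab8b574c22691a29254098b3f94e25"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\_MEI32242\python36.dll",
     "ee7c2c685280b3981def8da10a3247335649c22bcfd464f991ac4c11d02e31f0"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\_MEI32242\_ssl.pyd",
     "0ce7a5de2667fc2678b1ea72551d1b45d27d1dbf16de34b951b7a48e6b4956bf"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\_MEI32242\_ssl.pyd",
     "aeb2a7b773e3d76d16cb2518580b6056a2f86a21571849dee55e67c32a73ce04"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\_MEI32242\_socket.pyd",
     "25605e93c25765780296a13b131eeeccc058e85e75396782a431923b8e5986ee"),
]

# PyInstaller one-file bundles unpack into %TEMP%\_MEI<digits>\.
MEI_RE = re.compile(r"\\(_MEI\d+)\\([^\\]+)$")


def split_pyinstaller_path(path):
    """Return (mei_dir, filename) for a PyInstaller extraction path, else None."""
    m = MEI_RE.search(path)
    return (m.group(1), m.group(2)) if m else None


def original_exe_name(records):
    """Recover the name the bundle was built as.

    PyInstaller writes '<name>.exe.manifest' next to the runtime, so the
    build name survives even after the sandbox renamed the sample to its MD5.
    """
    for _, path, _ in records:
        parsed = split_pyinstaller_path(path)
        if parsed and parsed[1].lower().endswith(".exe.manifest"):
            return parsed[1][: -len(".manifest")]
    return None


def hashes_by_file(records):
    """{filename: {detonation: {sha256, ...}}} for every _MEI* file seen."""
    out = defaultdict(lambda: defaultdict(set))
    for det, path, sha in records:
        parsed = split_pyinstaller_path(path)
        if parsed:
            out[parsed[1]][det].add(sha)
    return out


def inconsistent_files(records):
    """Files that do not have exactly one SHA-256 across the inventories.

    Two hashes for one path inside a single run can mean the sandbox hashed
    the file while it was still being written; different hashes between runs
    mean the runtime file itself differed per platform. Either way such rows
    are unreliable as indicators and should be checked before being reused.
    """
    result = {}
    for name, per_det in hashes_by_file(records).items():
        all_hashes = set().union(*per_det.values())
        if len(all_hashes) != 1:
            result[name] = {det: sorted(h) for det, h in per_det.items()}
    return result


def stable_hashes(records):
    """{filename: sha256} for files recorded with one identical hash everywhere."""
    return {
        name: next(iter(set().union(*per_det.values())))
        for name, per_det in hashes_by_file(records).items()
        if len(set().union(*per_det.values())) == 1
    }


if __name__ == "__main__":
    print("built as:", original_exe_name(DROPPED))
    for name, per_det in inconsistent_files(DROPPED).items():
        print("unstable:", name, per_det)
    for name, sha in stable_hashes(DROPPED).items():
        print("stable:  ", name, sha)
```

On the rows above the build name comes back as test_rules.exe, and python36.dll and _ssl.pyd are flagged as unstable (three distinct hashes each across the two runs) while test_rules.exe.manifest and _socket.pyd are stable. Bear in mind that every file in these tables is a stock CPython or Visual C++ runtime component that any PyInstaller-built program drops; their hashes identify the runtime, not this sample.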