Analysis Overview
SHA256
ad16e884ae04e09b369bd2febbf1e928a556286909192702c82fd8b573bd461b
Threat Level: Known bad
The file 6febf9009df8b33329a8e746ac27f334 was found to be: Known bad.
Malicious Activity Summary
Metasploit family
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-01-22 17:47
Signatures
Metasploit family
Detects Pyinstaller
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-22 17:47
Reported
2024-01-22 17:49
Platform
win7-20231215-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Loads dropped DLL
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe
"C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe"
C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe
"C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe"
C:\windows\SysWOW64\schtasks.exe
C:\windows\system32\schtasks.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI10682\python36.dll
C:\Users\Admin\AppData\Local\Temp\_MEI10682\test_rules.exe.manifest
C:\Users\Admin\AppData\Local\Temp\_MEI10682\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI10682\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_ctypes.pyd
\Users\Admin\AppData\Local\Temp\_MEI10682\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_socket.pyd
\Users\Admin\AppData\Local\Temp\_MEI10682\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI10682\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI10682\psutil._psutil_windows.pyd
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-22 17:47
Reported
2024-01-22 17:49
Platform
win10v2004-20231215-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Loads dropped DLL
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3224 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe | C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe |
| PID 848 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe | C:\windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe
"C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe"
C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe
"C:\Users\Admin\AppData\Local\Temp\6febf9009df8b33329a8e746ac27f334.exe"
C:\windows\SysWOW64\schtasks.exe
C:\windows\system32\schtasks.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI32242\test_rules.exe.manifest
C:\Users\Admin\AppData\Local\Temp\_MEI32242\python36.dll
C:\Users\Admin\AppData\Local\Temp\_MEI32242\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI32242\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI32242\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI32242\psutil._psutil_windows.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI32242\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_lzma.pyd