Malware Analysis Report

2024-11-15 06:11

Sample ID: 240407-3lnahaab24
Target: trueking_account.exe
SHA256: b5eafc617e4b4d8e17d28c8bf5a920aba922bd538d4bcf537320cf0a20483fe8
Tags: spyware stealer upx pyinstaller
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: b5eafc617e4b4d8e17d28c8bf5a920aba922bd538d4bcf537320cf0a20483fe8

Threat Level: Shows suspicious behavior

The file trueking_account.exe was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer upx pyinstaller

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Detects Pyinstaller

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 23:36

Signatures

Detects Pyinstaller

Tag: pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 23:36
Reported: 2024-04-07 23:39
Platform: win10v2004-20240319-en
Max time kernel: 146s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\trueking_account.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\trueking_account.exe N/A
(51 identical entries collapsed into one row)

Reads user/profile data of web browsers

Tags: spyware stealer

UPX packed file

Tag: upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical entries collapsed into one row)

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
(3 identical entries collapsed into one row)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\trueking_account.exe N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\trueking_account.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\trueking_account.exe"

Process: C:\Users\Admin\AppData\Local\Temp\trueking_account.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\trueking_account.exe"

Process: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "ver"

Process: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

Process: C:\Windows\system32\netsh.exe
Command line: netsh wlan show profiles

Network

Country  Destination            Domain                          Proto
US       13.107.246.64:443      -                               tcp
US       8.8.8.8:53             72.32.126.40.in-addr.arpa       udp
US       8.8.8.8:53             240.221.184.93.in-addr.arpa     udp
US       8.8.8.8:53             217.106.137.52.in-addr.arpa     udp
US       8.8.8.8:53             9.228.82.20.in-addr.arpa        udp
US       13.107.246.64:443      -                               tcp
US       8.8.8.8:53             43.58.199.20.in-addr.arpa       udp
US       8.8.8.8:53             21.114.53.23.in-addr.arpa       udp
US       8.8.8.8:53             149.220.183.52.in-addr.arpa     udp
US       8.8.8.8:53             discord.com                     udp
US       162.159.136.232:443    discord.com                     tcp
US       8.8.8.8:53             232.136.159.162.in-addr.arpa    udp
US       162.159.136.232:443    discord.com                     tcp
US       8.8.8.8:53             26.165.165.52.in-addr.arpa      udp
US       8.8.8.8:53             15.164.165.52.in-addr.arpa      udp
US       8.8.8.8:53             172.210.232.199.in-addr.arpa    udp
US       8.8.8.8:53             88.156.103.20.in-addr.arpa      udp
US       8.8.8.8:53             30.243.111.52.in-addr.arpa      udp
US       8.8.8.8:53             tse1.mm.bing.net                udp
US       204.79.197.200:443     tse1.mm.bing.net                tcp
US       204.79.197.200:443     tse1.mm.bing.net                tcp
US       204.79.197.200:443     tse1.mm.bing.net                tcp
US       204.79.197.200:443     tse1.mm.bing.net                tcp
US       8.8.8.8:53             200.197.79.204.in-addr.arpa     udp
US       8.8.8.8:53             17.173.189.20.in-addr.arpa      udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI8682\python311.dll

MD5 76eb1ad615ba6600ce747bf1acde6679
SHA1 d3e1318077217372653be3947635b93df68156a4
SHA256 30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1
SHA512 2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

C:\Users\Admin\AppData\Local\Temp\_MEI8682\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

memory/924-111-0x00007FFBE6190000-0x00007FFBE677E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI8682\base_library.zip

MD5 81cd6d012885629791a9e3d9320c444e
SHA1 53268184fdbddf8909c349ed3c6701abe8884c31
SHA256 a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd
SHA512 d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73

C:\Users\Admin\AppData\Local\Temp\_MEI8682\python3.DLL

MD5 ff319d24153238249adea18d8a3e54a7
SHA1 0474faa64826a48821b7a82ad256525aa9c5315e
SHA256 a462a21b5f0c05f0f7ec030c4fde032a13b34a8576d661a8e66f9ad23767e991
SHA512 0e63fe4d5568cd2c54304183a29c7469f769816f517cd2d5b197049aa966c310cc13a7790560ef2edc36b9b6d99ff586698886f906e19645faeb89b0e65adfdd

C:\Users\Admin\AppData\Local\Temp\_MEI8682\_ctypes.pyd

MD5 ee2d4cd284d6bad4f207195bf5de727f
SHA1 781344a403bbffa0afb080942cd9459d9b05a348
SHA256 2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009
SHA512 a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55

C:\Users\Admin\AppData\Local\Temp\_MEI8682\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

memory/924-121-0x00007FFBE8720000-0x00007FFBE8744000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI8682\_bz2.pyd

MD5 341a6188f375c6702de4f9d0e1de8c08
SHA1 204a508ca6a13eb030ed7953595e9b79b9b9ba3b
SHA256 7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e
SHA512 5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24

memory/924-124-0x00007FFBF78A0000-0x00007FFBF78AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI8682\_lzma.pyd

MD5 5eee7d45b8d89c291965a153d86592ee
SHA1 93562dcdb10bd93433c7275d991681b299f45660
SHA256 7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9
SHA512 0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e

C:\Users\Admin\AppData\Local\Temp\_MEI8682\_uuid.pyd

MD5 4ba1fcf5f12ebc514e86d7e02901b3c3
SHA1 0fd88df618da41cdeb4afdaded039932a66ce5f6
SHA256 51cb69267f77c094d687af5b80c560eaf325d0990304baf20242d477d8b156a1
SHA512 3601331a84a9dcf62bbdadfc5c273853acf229931e70f5ff6f541d5f23474373f9366c606534ffdbf73c1044e98e464877b395f2e285821f264a57cd90021705

memory/924-145-0x00007FFBE60A0000-0x00007FFBE60CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI8682\_ssl.pyd

MD5 936919f3509b2a913bf9e05723bc7cd2
SHA1 6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd
SHA256 efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3
SHA512 2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3

C:\Users\Admin\AppData\Local\Temp\_MEI8682\_sqlite3.pyd

MD5 c9d6ffa3798bb5ae9f1b082d66901350
SHA1 25724fecf4369447e77283ece810def499318086
SHA256 410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec
SHA512 878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448

C:\Users\Admin\AppData\Local\Temp\_MEI8682\_socket.pyd

MD5 3ea95c5c76ea27ca44b7a55f6cfdcf53
SHA1 aace156795cfb6f418b6a68a254bb4adfc2afc56
SHA256 7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923
SHA512 916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0

C:\Users\Admin\AppData\Local\Temp\_MEI8682\_queue.pyd

MD5 8b3ba5fb207d27eb3632486b936396a3
SHA1 5ad45b469041d88ec7fd277d84b1e2093ec7f93e
SHA256 9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051
SHA512 18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b

C:\Users\Admin\AppData\Local\Temp\_MEI8682\_overlapped.pyd

MD5 7919f081d533849d3f58858399ea867c
SHA1 41a337fa0b5310a1854923fd8c2761f3b49643a5
SHA256 d995c5450045a7a31c94af6ddcc136cb50eb430b63671fd5cd3356268083a218
SHA512 f53d62c27191ae65d6506f5b0c98c25e193b7ce41e9ad8be3922d4a5a690b5a6f611b68d689881fdabafc1b2c4f30cce5a4c488f15b159cbea352b842ebd5861

C:\Users\Admin\AppData\Local\Temp\_MEI8682\_multiprocessing.pyd

MD5 51aaeaf339201ddf55f8ae969ce1e627
SHA1 e9202387f1daca089927b74d4afd8ebad38e981b
SHA256 c2c8312ad293d4bff15f3da81915a017f4cfdd6578bd464e6a9c8cd7920d46c5
SHA512 13b50fba96f71a4d6ce7b0ed7ed2ab88a7e4fff824f67237f802d2febcead6a7a99bb1f6c205200064775df1eb161ffa60bd725c38ae6b60b46095ef6938c65b

C:\Users\Admin\AppData\Local\Temp\_MEI8682\_hashlib.pyd

MD5 6d2132108825afd85763fc3b8f612b11
SHA1 af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0
SHA256 aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52
SHA512 196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0

C:\Users\Admin\AppData\Local\Temp\_MEI8682\_decimal.pyd

MD5 918e513c376a52a1046c4d4aee87042d
SHA1 d54edc813f56c17700252f487ef978bde1e7f7e1
SHA256 f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29
SHA512 ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497

C:\Users\Admin\AppData\Local\Temp\_MEI8682\_cffi_backend.cp311-win_amd64.pyd

MD5 1518035a65a45c274f1557ff5655e2d7
SHA1 2676d452113c68aa316cba9a03565ec146088c3f
SHA256 9ca400d84a52ae61c5613403ba379d69c271e8e9e9c3f253f93434c9336bc6e8
SHA512 b5932a2eadd2981a3bbc0918643a9936c9aaafc606d833d5ef2758061e05a3148826060ed52a2d121fabfd719ad9736b3402683640a4c4846b6aaaa457366b66

C:\Users\Admin\AppData\Local\Temp\_MEI8682\_asyncio.pyd

MD5 23c2edc8008d8002b670e3a65ddc1508
SHA1 d8b412bad35d626aa21b8ed8930b328872f21271
SHA256 f1d270615e1ee539ade8c80a9653774bd73264a7413e49f50b4effc649730d93
SHA512 be019fda23a4acbc4c5f76595de058aa365b9fb47dd8e5a7bb1c2f1bda2ede2184da1e3effe845ad3cc8a87d77e714518d76aa92598282594b563f40833c35b9

C:\Users\Admin\AppData\Local\Temp\_MEI8682\pyexpat.pyd

MD5 49b1519413c4a8ab3ee6690e35f44c0d
SHA1 5bab1083a4cf4bd856fbc93ced8ae4a3ce21b91e
SHA256 90da6edafae09ac17f49c53815ef61e15dabd4dadeb022a67940a947cf5042ce
SHA512 1eac266fc01114d38f4cd0197eff35de910269788022ecb6f55726ebd6b011e42118a5c08e67bdef1d0fe4b83878b7e98c92ec103f4f94846fcfd92bb30d2856

C:\Users\Admin\AppData\Local\Temp\_MEI8682\VCRUNTIME140_1.dll

MD5 f8dfa78045620cf8a732e67d1b1eb53d
SHA1 ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256 a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512 ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

memory/924-147-0x00007FFBE5FA0000-0x00007FFBE5FD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI8682\unicodedata.pyd

MD5 6279c26d085d1b2efd53e9c3e74d0285
SHA1 bd0d274fb9502406b6b9a5756760b78919fa2518
SHA256 411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6
SHA512 30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9

C:\Users\Admin\AppData\Local\Temp\_MEI8682\sqlite3.dll

MD5 cc9d1869f9305b5a695fc5e76bd57b72
SHA1 c6a28791035e7e10cfae0ab51e9a5a8328ea55c1
SHA256 31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee
SHA512 e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1

C:\Users\Admin\AppData\Local\Temp\_MEI8682\select.pyd

MD5 2398a631bae547d1d33e91335e6d210b
SHA1 f1f10f901da76323d68a4c9b57f5edfd3baf30f5
SHA256 487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435
SHA512 6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21

memory/924-150-0x00007FFBF75A0000-0x00007FFBF75AD000-memory.dmp

memory/924-152-0x00007FFBE5F80000-0x00007FFBE5F99000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI8682\pywin32_system32\pywintypes311.dll

MD5 3bf87b8d3995425b8ce60dce61bccf30
SHA1 a1a6312d007da5f7ff580871b56248c642b84491
SHA256 b5f75de7bfa298962b2e98e51d13fcd7bdfae54b3504453f560ea7f2d5676c81
SHA512 7dce095647e6890e952c38328a745f467255af744c34cf104e95e73ec55b9a1b0823bdbba34e421e66cd66f247ed561e4f0f103238c914d4b4b1609fb6e139d3

C:\Users\Admin\AppData\Local\Temp\_MEI8682\pywin32_system32\pythoncom311.dll

MD5 e7fff204fe3d536ff7982337d9dd8ac2
SHA1 1ba30434a94de4f2d3f4ecfcc9c8286449130f5b
SHA256 558452270fbec84ab2a5d1e8322952a4a962ac9edb96cbc10cf62a7d6b26fc4d
SHA512 1684b50e04f38bdd005f131ab0acfbc270f9cab51621b8b6eb8ae548f8fae3ca0d8458606968c88d3fed36601ef5ce66d0d06978cf303d096bc00deb23bf26a6

C:\Users\Admin\AppData\Local\Temp\_MEI8682\win32\win32api.pyd

MD5 85642cb62201b351b19d5a8d0b4ab378
SHA1 1a74b9e4116e71d01d2ece8bf89e205e5e491314
SHA256 389ba902f34fb3290206970719740764371a693d53f3c71a150e06805aae8404
SHA512 05d8e26e2316fba86e4e55310e14746f7165b159c22f40bb6d03fbdec35842f85cc6e618ed87fda9c1d236fd5b9ee4d26eb3886b740d6e67945f7e727b7d9f18

C:\Users\Admin\AppData\Local\Temp\_MEI8682\libssl-3.dll

MD5 6eda5a055b164e5e798429dcd94f5b88
SHA1 2c5494379d1efe6b0a101801e09f10a7cb82dbe9
SHA256 377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8
SHA512 74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

C:\Users\Admin\AppData\Local\Temp\_MEI8682\libcrypto-3.dll

MD5 27515b5bb912701abb4dfad186b1da1f
SHA1 3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411
SHA256 fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a
SHA512 087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

memory/924-126-0x00007FFBF6EA0000-0x00007FFBF6EB9000-memory.dmp

memory/924-160-0x00007FFBF6E70000-0x00007FFBF6E7D000-memory.dmp

memory/924-161-0x00007FFBE5B40000-0x00007FFBE5BFC000-memory.dmp

memory/924-164-0x00007FFBE5B10000-0x00007FFBE5B3B000-memory.dmp

memory/924-165-0x00007FFBE5F50000-0x00007FFBE5F7E000-memory.dmp

memory/924-167-0x00007FFBE5800000-0x00007FFBE5833000-memory.dmp

memory/924-169-0x00007FFBE5730000-0x00007FFBE57FD000-memory.dmp

memory/924-172-0x00007FFBE5060000-0x00007FFBE5582000-memory.dmp

memory/924-173-0x00000126CF820000-0x00000126CFD42000-memory.dmp

memory/924-175-0x00007FFBE5040000-0x00007FFBE5055000-memory.dmp

memory/924-178-0x00007FFBE6190000-0x00007FFBE677E000-memory.dmp

memory/924-180-0x00007FFBE8720000-0x00007FFBE8744000-memory.dmp

memory/924-181-0x00007FFBE5020000-0x00007FFBE5032000-memory.dmp

memory/924-186-0x00007FFBE4E50000-0x00007FFBE4E68000-memory.dmp

memory/924-185-0x00007FFBE4FF0000-0x00007FFBE5013000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI8682\psutil\_psutil_windows.pyd

MD5 937fa2077ad3fb82f9edc419627969a3
SHA1 381011c5b575c03ab77ab943920b39ef8ec8e57b
SHA256 633fb691bc13e4d42b9caa0af3a0897e081c8cccdab37530745598fba597a4c2
SHA512 deb6f7f0dd850528aa78c32fdcb42e836507ed7dc1f198c4903810dbba47ef37b87cabae7f148f9017d6f628d93904250a11cdce05d5e29758a422285b01025a

memory/924-193-0x00007FFBE5F80000-0x00007FFBE5F99000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI8682\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

MD5 1c52efd6568c7d95b83b885632ec7798
SHA1 cae9e800292cb7f328105495dd53fc20749741f8
SHA256 2b2cad68bec8979fd577d692013a7981fdbc80a5a6e8f517c2467fdcee5d8939
SHA512 35e619f996e823f59455b531f1872d7658b299c41e14d91cd13dcef20072971a437884fde4424fd9a10b67a39ea40f48df416ed8b0633aea00022b31709541f2

memory/924-195-0x00007FFBE4DE0000-0x00007FFBE4DEB000-memory.dmp

memory/924-196-0x00007FFBE4DB0000-0x00007FFBE4DD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI8682\charset_normalizer\md.cp311-win_amd64.pyd

MD5 32062fd1796553acac7aa3d62ce4c4a5
SHA1 0c5e7deb9c11eeaf4799f1a677880fbaf930079c
SHA256 4910c386c02ae6b2848d5728e7376c5881c56962d29067005e1e2ad518bc07ae
SHA512 18c3b894af9102df8ed15f78e1d3a51db1f07465d814380a0220f0c0571b52292b065aed819004f13aeb343f677ac5bfd5a5a35d6f74e48381228724241f7758

memory/924-190-0x00007FFBE4DF0000-0x00007FFBE4E04000-memory.dmp

memory/924-188-0x00007FFBE5FA0000-0x00007FFBE5FD6000-memory.dmp

memory/924-182-0x00007FFBE4E70000-0x00007FFBE4FE6000-memory.dmp

memory/924-198-0x00007FFBE4C90000-0x00007FFBE4DAC000-memory.dmp

memory/924-200-0x00007FFBE5800000-0x00007FFBE5833000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI8682\Cryptodome\Cipher\_raw_ecb.pyd

MD5 b47c542168546fb875e74e49c84325b6
SHA1 2aecab080cc0507f9380756478eadad2d3697503
SHA256 55657830c9ab79875af923b5a92e7ee30e0560affc3baa236c38039b4ef987f2
SHA512 fc25087c859c76dff1126bbfe956ea6811dc3ca79e9bbfd237893144db8b7ce3cae3aeb0923f69e0bfffa5575b5442ad1891d7088dd3857b62be12b5326be50d

memory/924-202-0x00007FFBF6F40000-0x00007FFBF6F78000-memory.dmp

memory/924-204-0x00007FFBE5730000-0x00007FFBE57FD000-memory.dmp

memory/924-205-0x00000126CF820000-0x00000126CFD42000-memory.dmp

memory/924-206-0x00007FFBF6F30000-0x00007FFBF6F3B000-memory.dmp

memory/924-207-0x00007FFBF6F00000-0x00007FFBF6F0B000-memory.dmp

memory/924-208-0x00007FFBF6EE0000-0x00007FFBF6EEB000-memory.dmp

memory/924-209-0x00007FFBF6ED0000-0x00007FFBF6EDC000-memory.dmp

memory/924-210-0x00007FFBF6EC0000-0x00007FFBF6ECC000-memory.dmp

memory/924-211-0x00007FFBF6F20000-0x00007FFBF6F2B000-memory.dmp

memory/924-212-0x00007FFBF6F10000-0x00007FFBF6F1C000-memory.dmp

memory/924-213-0x00007FFBE5060000-0x00007FFBE5582000-memory.dmp

memory/924-214-0x00007FFBF6EF0000-0x00007FFBF6EFC000-memory.dmp

memory/924-215-0x00007FFBE5040000-0x00007FFBE5055000-memory.dmp

memory/924-216-0x00007FFBE46A0000-0x00007FFBE46AE000-memory.dmp

memory/924-217-0x00007FFBE4690000-0x00007FFBE469C000-memory.dmp

memory/924-218-0x00007FFBE4680000-0x00007FFBE468B000-memory.dmp

memory/924-219-0x00007FFBE4670000-0x00007FFBE467B000-memory.dmp

memory/924-220-0x00007FFBE4590000-0x00007FFBE459C000-memory.dmp

memory/924-228-0x00007FFBE4570000-0x00007FFBE457D000-memory.dmp

memory/924-229-0x00007FFBE4540000-0x00007FFBE454C000-memory.dmp

memory/924-231-0x00007FFBE4580000-0x00007FFBE458C000-memory.dmp

memory/924-232-0x00007FFBE4550000-0x00007FFBE4562000-memory.dmp

memory/924-236-0x00007FFBE42B0000-0x00007FFBE4533000-memory.dmp

memory/924-237-0x00007FFBE4E70000-0x00007FFBE4FE6000-memory.dmp

memory/924-238-0x00007FFBE4270000-0x00007FFBE4299000-memory.dmp

memory/924-240-0x00007FFBE6190000-0x00007FFBE677E000-memory.dmp

memory/924-241-0x00007FFBE8720000-0x00007FFBE8744000-memory.dmp

memory/924-248-0x00007FFBF6E70000-0x00007FFBF6E7D000-memory.dmp

memory/924-258-0x00007FFBE4E70000-0x00007FFBE4FE6000-memory.dmp

memory/924-262-0x00007FFBE4DB0000-0x00007FFBE4DD6000-memory.dmp

memory/924-264-0x00007FFBF6F40000-0x00007FFBF6F78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\h26avKpxnG\Browser\history.txt

MD5 5638715e9aaa8d3f45999ec395e18e77
SHA1 4e3dc4a1123edddf06d92575a033b42a662fe4ad
SHA256 4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6
SHA512 78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

C:\Users\Admin\AppData\Local\Temp\h26avKpxnG\Browser\cc's.txt

MD5 5aa796b6950a92a226cc5c98ed1c47e8
SHA1 6706a4082fc2c141272122f1ca424a446506c44d
SHA256 c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c
SHA512 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

memory/924-292-0x00007FFC00A60000-0x00007FFC00A6F000-memory.dmp

memory/924-296-0x00007FFBE6190000-0x00007FFBE677E000-memory.dmp

memory/924-297-0x00007FFBE8720000-0x00007FFBE8744000-memory.dmp

memory/924-299-0x00007FFBF6EA0000-0x00007FFBF6EB9000-memory.dmp

memory/924-298-0x00007FFBF78A0000-0x00007FFBF78AF000-memory.dmp

memory/924-300-0x00007FFBE60A0000-0x00007FFBE60CD000-memory.dmp

memory/924-301-0x00007FFBE5FA0000-0x00007FFBE5FD6000-memory.dmp

memory/924-303-0x00007FFBF75A0000-0x00007FFBF75AD000-memory.dmp

memory/924-302-0x00007FFBE5F80000-0x00007FFBE5F99000-memory.dmp

memory/924-304-0x00007FFBF6E70000-0x00007FFBF6E7D000-memory.dmp

memory/924-306-0x00007FFBE5B40000-0x00007FFBE5BFC000-memory.dmp

memory/924-305-0x00007FFBE5F50000-0x00007FFBE5F7E000-memory.dmp

memory/924-308-0x00007FFBE5800000-0x00007FFBE5833000-memory.dmp

memory/924-309-0x00007FFBE5730000-0x00007FFBE57FD000-memory.dmp

memory/924-307-0x00007FFBE5B10000-0x00007FFBE5B3B000-memory.dmp

memory/924-310-0x00007FFBE5060000-0x00007FFBE5582000-memory.dmp

memory/924-311-0x00007FFBE5040000-0x00007FFBE5055000-memory.dmp

memory/924-312-0x00007FFBE5020000-0x00007FFBE5032000-memory.dmp

memory/924-313-0x00007FFBE4FF0000-0x00007FFBE5013000-memory.dmp

memory/924-314-0x00007FFBE4E70000-0x00007FFBE4FE6000-memory.dmp

memory/924-315-0x00007FFBE4E50000-0x00007FFBE4E68000-memory.dmp

memory/924-324-0x00007FFBE42B0000-0x00007FFBE4533000-memory.dmp

memory/924-325-0x00007FFBE4DE0000-0x00007FFBE4DEB000-memory.dmp

memory/924-326-0x00007FFBE4DF0000-0x00007FFBE4E04000-memory.dmp

memory/924-328-0x00007FFBE4270000-0x00007FFBE4299000-memory.dmp

memory/924-329-0x00007FFBF6F40000-0x00007FFBF6F78000-memory.dmp

memory/924-327-0x00007FFBE4DB0000-0x00007FFBE4DD6000-memory.dmp

memory/924-330-0x00007FFBE4C90000-0x00007FFBE4DAC000-memory.dmp

memory/924-331-0x00007FFC00A60000-0x00007FFC00A6F000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 23:36
Reported: 2024-04-07 23:38
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\trueking_account.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\trueking_account.exe N/A

UPX packed file

Tag: upx
Description Indicator Process Target
N/A N/A N/A N/A
(2 identical entries collapsed into one row)

Processes

Process: C:\Users\Admin\AppData\Local\Temp\trueking_account.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\trueking_account.exe"

Process: C:\Users\Admin\AppData\Local\Temp\trueking_account.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\trueking_account.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI22402\python311.dll

MD5 76eb1ad615ba6600ce747bf1acde6679
SHA1 d3e1318077217372653be3947635b93df68156a4
SHA256 30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1
SHA512 2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

memory/1480-109-0x000007FEF56C0000-0x000007FEF5CAE000-memory.dmp