Analysis Overview
| SHA256 | b5eafc617e4b4d8e17d28c8bf5a920aba922bd538d4bcf537320cf0a20483fe8 |
Threat Level: Shows suspicious behavior
The file trueking_account.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Detects Pyinstaller
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
| Reported | 2024-04-07 23:36 |
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-04-07 23:36 |
| Reported | 2024-04-07 23:39 |
| Platform | win10v2004-20240319-en |
| Max time kernel | 146s |
| Max time network | 152s |
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\trueking_account.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\trueking_account.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 868 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\trueking_account.exe | C:\Users\Admin\AppData\Local\Temp\trueking_account.exe |
| PID 924 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\trueking_account.exe | C:\Windows\system32\cmd.exe |
| PID 924 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\trueking_account.exe | C:\Windows\system32\cmd.exe |
| PID 2124 wrote to memory of 1136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\trueking_account.exe | "C:\Users\Admin\AppData\Local\Temp\trueking_account.exe" |
| C:\Users\Admin\AppData\Local\Temp\trueking_account.exe | "C:\Users\Admin\AppData\Local\Temp\trueking_account.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "ver" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "netsh wlan show profiles" |
| C:\Windows\system32\netsh.exe | netsh wlan show profiles |
Network
| Country | Destination | Domain | Proto |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI8682\python311.dll
| MD5 | 76eb1ad615ba6600ce747bf1acde6679 |
| SHA1 | d3e1318077217372653be3947635b93df68156a4 |
| SHA256 | 30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1 |
| SHA512 | 2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
memory/924-111-0x00007FFBE6190000-0x00007FFBE677E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8682\base_library.zip
| MD5 | 81cd6d012885629791a9e3d9320c444e |
| SHA1 | 53268184fdbddf8909c349ed3c6701abe8884c31 |
| SHA256 | a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd |
| SHA512 | d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73 |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\python3.DLL
| MD5 | ff319d24153238249adea18d8a3e54a7 |
| SHA1 | 0474faa64826a48821b7a82ad256525aa9c5315e |
| SHA256 | a462a21b5f0c05f0f7ec030c4fde032a13b34a8576d661a8e66f9ad23767e991 |
| SHA512 | 0e63fe4d5568cd2c54304183a29c7469f769816f517cd2d5b197049aa966c310cc13a7790560ef2edc36b9b6d99ff586698886f906e19645faeb89b0e65adfdd |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_ctypes.pyd
| MD5 | ee2d4cd284d6bad4f207195bf5de727f |
| SHA1 | 781344a403bbffa0afb080942cd9459d9b05a348 |
| SHA256 | 2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009 |
| SHA512 | a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55 |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
memory/924-121-0x00007FFBE8720000-0x00007FFBE8744000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_bz2.pyd
| MD5 | 341a6188f375c6702de4f9d0e1de8c08 |
| SHA1 | 204a508ca6a13eb030ed7953595e9b79b9b9ba3b |
| SHA256 | 7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e |
| SHA512 | 5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24 |
memory/924-124-0x00007FFBF78A0000-0x00007FFBF78AF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_lzma.pyd
| MD5 | 5eee7d45b8d89c291965a153d86592ee |
| SHA1 | 93562dcdb10bd93433c7275d991681b299f45660 |
| SHA256 | 7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9 |
| SHA512 | 0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_uuid.pyd
| MD5 | 4ba1fcf5f12ebc514e86d7e02901b3c3 |
| SHA1 | 0fd88df618da41cdeb4afdaded039932a66ce5f6 |
| SHA256 | 51cb69267f77c094d687af5b80c560eaf325d0990304baf20242d477d8b156a1 |
| SHA512 | 3601331a84a9dcf62bbdadfc5c273853acf229931e70f5ff6f541d5f23474373f9366c606534ffdbf73c1044e98e464877b395f2e285821f264a57cd90021705 |
memory/924-145-0x00007FFBE60A0000-0x00007FFBE60CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_ssl.pyd
| MD5 | 936919f3509b2a913bf9e05723bc7cd2 |
| SHA1 | 6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd |
| SHA256 | efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3 |
| SHA512 | 2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3 |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_sqlite3.pyd
| MD5 | c9d6ffa3798bb5ae9f1b082d66901350 |
| SHA1 | 25724fecf4369447e77283ece810def499318086 |
| SHA256 | 410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec |
| SHA512 | 878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448 |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_socket.pyd
| MD5 | 3ea95c5c76ea27ca44b7a55f6cfdcf53 |
| SHA1 | aace156795cfb6f418b6a68a254bb4adfc2afc56 |
| SHA256 | 7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923 |
| SHA512 | 916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0 |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_queue.pyd
| MD5 | 8b3ba5fb207d27eb3632486b936396a3 |
| SHA1 | 5ad45b469041d88ec7fd277d84b1e2093ec7f93e |
| SHA256 | 9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051 |
| SHA512 | 18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_overlapped.pyd
| MD5 | 7919f081d533849d3f58858399ea867c |
| SHA1 | 41a337fa0b5310a1854923fd8c2761f3b49643a5 |
| SHA256 | d995c5450045a7a31c94af6ddcc136cb50eb430b63671fd5cd3356268083a218 |
| SHA512 | f53d62c27191ae65d6506f5b0c98c25e193b7ce41e9ad8be3922d4a5a690b5a6f611b68d689881fdabafc1b2c4f30cce5a4c488f15b159cbea352b842ebd5861 |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_multiprocessing.pyd
| MD5 | 51aaeaf339201ddf55f8ae969ce1e627 |
| SHA1 | e9202387f1daca089927b74d4afd8ebad38e981b |
| SHA256 | c2c8312ad293d4bff15f3da81915a017f4cfdd6578bd464e6a9c8cd7920d46c5 |
| SHA512 | 13b50fba96f71a4d6ce7b0ed7ed2ab88a7e4fff824f67237f802d2febcead6a7a99bb1f6c205200064775df1eb161ffa60bd725c38ae6b60b46095ef6938c65b |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_hashlib.pyd
| MD5 | 6d2132108825afd85763fc3b8f612b11 |
| SHA1 | af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0 |
| SHA256 | aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52 |
| SHA512 | 196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0 |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_decimal.pyd
| MD5 | 918e513c376a52a1046c4d4aee87042d |
| SHA1 | d54edc813f56c17700252f487ef978bde1e7f7e1 |
| SHA256 | f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29 |
| SHA512 | ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497 |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_cffi_backend.cp311-win_amd64.pyd
| MD5 | 1518035a65a45c274f1557ff5655e2d7 |
| SHA1 | 2676d452113c68aa316cba9a03565ec146088c3f |
| SHA256 | 9ca400d84a52ae61c5613403ba379d69c271e8e9e9c3f253f93434c9336bc6e8 |
| SHA512 | b5932a2eadd2981a3bbc0918643a9936c9aaafc606d833d5ef2758061e05a3148826060ed52a2d121fabfd719ad9736b3402683640a4c4846b6aaaa457366b66 |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_asyncio.pyd
| MD5 | 23c2edc8008d8002b670e3a65ddc1508 |
| SHA1 | d8b412bad35d626aa21b8ed8930b328872f21271 |
| SHA256 | f1d270615e1ee539ade8c80a9653774bd73264a7413e49f50b4effc649730d93 |
| SHA512 | be019fda23a4acbc4c5f76595de058aa365b9fb47dd8e5a7bb1c2f1bda2ede2184da1e3effe845ad3cc8a87d77e714518d76aa92598282594b563f40833c35b9 |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\pyexpat.pyd
| MD5 | 49b1519413c4a8ab3ee6690e35f44c0d |
| SHA1 | 5bab1083a4cf4bd856fbc93ced8ae4a3ce21b91e |
| SHA256 | 90da6edafae09ac17f49c53815ef61e15dabd4dadeb022a67940a947cf5042ce |
| SHA512 | 1eac266fc01114d38f4cd0197eff35de910269788022ecb6f55726ebd6b011e42118a5c08e67bdef1d0fe4b83878b7e98c92ec103f4f94846fcfd92bb30d2856 |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\VCRUNTIME140_1.dll
| MD5 | f8dfa78045620cf8a732e67d1b1eb53d |
| SHA1 | ff9a604d8c99405bfdbbf4295825d3fcbc792704 |
| SHA256 | a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5 |
| SHA512 | ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371 |
memory/924-147-0x00007FFBE5FA0000-0x00007FFBE5FD6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8682\unicodedata.pyd
| MD5 | 6279c26d085d1b2efd53e9c3e74d0285 |
| SHA1 | bd0d274fb9502406b6b9a5756760b78919fa2518 |
| SHA256 | 411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6 |
| SHA512 | 30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9 |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\sqlite3.dll
| MD5 | cc9d1869f9305b5a695fc5e76bd57b72 |
| SHA1 | c6a28791035e7e10cfae0ab51e9a5a8328ea55c1 |
| SHA256 | 31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee |
| SHA512 | e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1 |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\select.pyd
| MD5 | 2398a631bae547d1d33e91335e6d210b |
| SHA1 | f1f10f901da76323d68a4c9b57f5edfd3baf30f5 |
| SHA256 | 487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435 |
| SHA512 | 6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21 |
memory/924-150-0x00007FFBF75A0000-0x00007FFBF75AD000-memory.dmp
memory/924-152-0x00007FFBE5F80000-0x00007FFBE5F99000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8682\pywin32_system32\pywintypes311.dll
| MD5 | 3bf87b8d3995425b8ce60dce61bccf30 |
| SHA1 | a1a6312d007da5f7ff580871b56248c642b84491 |
| SHA256 | b5f75de7bfa298962b2e98e51d13fcd7bdfae54b3504453f560ea7f2d5676c81 |
| SHA512 | 7dce095647e6890e952c38328a745f467255af744c34cf104e95e73ec55b9a1b0823bdbba34e421e66cd66f247ed561e4f0f103238c914d4b4b1609fb6e139d3 |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\pywin32_system32\pythoncom311.dll
| MD5 | e7fff204fe3d536ff7982337d9dd8ac2 |
| SHA1 | 1ba30434a94de4f2d3f4ecfcc9c8286449130f5b |
| SHA256 | 558452270fbec84ab2a5d1e8322952a4a962ac9edb96cbc10cf62a7d6b26fc4d |
| SHA512 | 1684b50e04f38bdd005f131ab0acfbc270f9cab51621b8b6eb8ae548f8fae3ca0d8458606968c88d3fed36601ef5ce66d0d06978cf303d096bc00deb23bf26a6 |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\win32\win32api.pyd
| MD5 | 85642cb62201b351b19d5a8d0b4ab378 |
| SHA1 | 1a74b9e4116e71d01d2ece8bf89e205e5e491314 |
| SHA256 | 389ba902f34fb3290206970719740764371a693d53f3c71a150e06805aae8404 |
| SHA512 | 05d8e26e2316fba86e4e55310e14746f7165b159c22f40bb6d03fbdec35842f85cc6e618ed87fda9c1d236fd5b9ee4d26eb3886b740d6e67945f7e727b7d9f18 |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\libssl-3.dll
| MD5 | 6eda5a055b164e5e798429dcd94f5b88 |
| SHA1 | 2c5494379d1efe6b0a101801e09f10a7cb82dbe9 |
| SHA256 | 377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8 |
| SHA512 | 74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\libcrypto-3.dll
| MD5 | 27515b5bb912701abb4dfad186b1da1f |
| SHA1 | 3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411 |
| SHA256 | fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a |
| SHA512 | 087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\psutil\_psutil_windows.pyd
| MD5 | 937fa2077ad3fb82f9edc419627969a3 |
| SHA1 | 381011c5b575c03ab77ab943920b39ef8ec8e57b |
| SHA256 | 633fb691bc13e4d42b9caa0af3a0897e081c8cccdab37530745598fba597a4c2 |
| SHA512 | deb6f7f0dd850528aa78c32fdcb42e836507ed7dc1f198c4903810dbba47ef37b87cabae7f148f9017d6f628d93904250a11cdce05d5e29758a422285b01025a |
memory/924-193-0x00007FFBE5F80000-0x00007FFBE5F99000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8682\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
| MD5 | 1c52efd6568c7d95b83b885632ec7798 |
| SHA1 | cae9e800292cb7f328105495dd53fc20749741f8 |
| SHA256 | 2b2cad68bec8979fd577d692013a7981fdbc80a5a6e8f517c2467fdcee5d8939 |
| SHA512 | 35e619f996e823f59455b531f1872d7658b299c41e14d91cd13dcef20072971a437884fde4424fd9a10b67a39ea40f48df416ed8b0633aea00022b31709541f2 |
memory/924-195-0x00007FFBE4DE0000-0x00007FFBE4DEB000-memory.dmp
memory/924-196-0x00007FFBE4DB0000-0x00007FFBE4DD6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8682\charset_normalizer\md.cp311-win_amd64.pyd
| MD5 | 32062fd1796553acac7aa3d62ce4c4a5 |
| SHA1 | 0c5e7deb9c11eeaf4799f1a677880fbaf930079c |
| SHA256 | 4910c386c02ae6b2848d5728e7376c5881c56962d29067005e1e2ad518bc07ae |
| SHA512 | 18c3b894af9102df8ed15f78e1d3a51db1f07465d814380a0220f0c0571b52292b065aed819004f13aeb343f677ac5bfd5a5a35d6f74e48381228724241f7758 |
C:\Users\Admin\AppData\Local\Temp\_MEI8682\Cryptodome\Cipher\_raw_ecb.pyd
| MD5 | b47c542168546fb875e74e49c84325b6 |
| SHA1 | 2aecab080cc0507f9380756478eadad2d3697503 |
| SHA256 | 55657830c9ab79875af923b5a92e7ee30e0560affc3baa236c38039b4ef987f2 |
| SHA512 | fc25087c859c76dff1126bbfe956ea6811dc3ca79e9bbfd237893144db8b7ce3cae3aeb0923f69e0bfffa5575b5442ad1891d7088dd3857b62be12b5326be50d |
C:\Users\Admin\AppData\Local\Temp\h26avKpxnG\Browser\history.txt
| MD5 | 5638715e9aaa8d3f45999ec395e18e77 |
| SHA1 | 4e3dc4a1123edddf06d92575a033b42a662fe4ad |
| SHA256 | 4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6 |
| SHA512 | 78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b |
C:\Users\Admin\AppData\Local\Temp\h26avKpxnG\Browser\cc's.txt
| MD5 | 5aa796b6950a92a226cc5c98ed1c47e8 |
| SHA1 | 6706a4082fc2c141272122f1ca424a446506c44d |
| SHA256 | c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c |
| SHA512 | 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-04-07 23:36 |
| Reported | 2024-04-07 23:38 |
| Platform | win7-20240221-en |
| Max time kernel | 121s |
| Max time network | 125s |
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\trueking_account.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2240 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\trueking_account.exe | C:\Users\Admin\AppData\Local\Temp\trueking_account.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\trueking_account.exe | "C:\Users\Admin\AppData\Local\Temp\trueking_account.exe" |
| C:\Users\Admin\AppData\Local\Temp\trueking_account.exe | "C:\Users\Admin\AppData\Local\Temp\trueking_account.exe" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI22402\python311.dll
| MD5 | 76eb1ad615ba6600ce747bf1acde6679 |
| SHA1 | d3e1318077217372653be3947635b93df68156a4 |
| SHA256 | 30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1 |
| SHA512 | 2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb |
memory/1480-109-0x000007FEF56C0000-0x000007FEF5CAE000-memory.dmp