Malware Analysis Report

2024-11-15 06:00

Sample ID 240409-h1mx3ahc23
Target Black Myth Wukong 64-bit.bin
SHA256 38ba384cdb7c9cfc9c6ab60138b1b62dc465fb60e5abab17500249b39827f124
Tags pyinstaller
Score 7/10

Analysis Overview

Score 7/10

SHA256 38ba384cdb7c9cfc9c6ab60138b1b62dc465fb60e5abab17500249b39827f124

Threat Level: Shows suspicious behavior

The file Black Myth Wukong 64-bit.bin shows suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Detects Pyinstaller

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 07:12

Signatures

Detects Pyinstaller

pyinstaller (static match; no description, indicator, process or target recorded)
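The static1 hit comes from recognising the PyInstaller CArchive appended to the executable. The following Python is an added example, not part of this sandbox report and not PyInstaller's or the vendor's code: it locates the archive cookie by its magic bytes, reads the bundled Python version and library name, and lists the table-of-contents entries (runtime DLLs, the base_library.zip bundle, the entry script) without executing anything. It builds a constructed sample archive in place of the real file, so the fake MZ stub, entry names and payloads are assumptions; on a real sample, pass the file's bytes to parse_pyinstaller().

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"         # CArchive cookie magic (PyInstaller 2.1 and later)
COOKIE_FMT = "!8siiii64s"                   # magic, pkg_len, toc_off, toc_len, pyvers, pylib
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes
ENTRY_FMT = "!iIIIBc"                       # entry_len, data_off, comp_len, raw_len, is_compressed, type
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 18 bytes, followed by a NUL-padded entry name

TYPE_CODES = {"b": "binary (dll/pyd)", "z": "zipfile (PYZ/base_library)", "x": "data",
              "s": "script (entry point)", "m": "module", "M": "package",
              "d": "dependency", "o": "runtime option"}


@dataclass
class Entry:
    name: str
    type_code: str
    comp_len: int
    raw_len: int
    compressed: bool


@dataclass
class Archive:
    pyvers: tuple[int, int]
    pylib: str
    archive_start: int
    entries: list[Entry]


def parse_pyinstaller(data: bytes) -> Archive | None:
    """Return the embedded CArchive layout, or None if `data` is not a PyInstaller bundle."""
    # The bootloader's own code also contains the magic constant, so take the LAST occurrence.
    cookie_pos = data.rfind(MAGIC)
    if cookie_pos < 0 or cookie_pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, cookie_pos)
    # pkg_len spans data blobs + TOC + cookie, so the archive starts that far before the cookie ends.
    archive_start = cookie_pos + COOKIE_SIZE - pkg_len
    if archive_start < 0 or toc_off < 0 or toc_len < 0 or toc_off + toc_len > pkg_len - COOKIE_SIZE:
        return None
    # PyInstaller encodes 3.10+ as major*100+minor (312) and older releases as major*10+minor (39).
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    entries: list[Entry] = []
    pos, end = archive_start + toc_off, archive_start + toc_off + toc_len
    while pos < end:
        if pos + ENTRY_SIZE > end:
            return None
        entry_len, _off, comp_len, raw_len, flag, code = struct.unpack_from(ENTRY_FMT, data, pos)
        if entry_len < ENTRY_SIZE or pos + entry_len > end:
            return None                      # corrupt TOC: refuse rather than over-read
        name = data[pos + ENTRY_SIZE:pos + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append(Entry(name, code.decode("ascii", "replace"), comp_len, raw_len, bool(flag)))
        pos += entry_len
    return Archive((major, minor), pylib.rstrip(b"\0").decode("ascii", "replace"), archive_start, entries)


def build_sample(items: list[tuple[str, bytes, bytes]], pyvers: int = 312,
                 pylib: bytes = b"python312.dll") -> bytes:
    """Constructed test input (assumption, not a real sample): a fake 64-byte MZ stub that also
    carries the magic constant, like a real bootloader, followed by a minimal CArchive."""
    blobs, toc = b"", b""
    for name, code, payload in items:
        nm = name.encode() + b"\0"
        toc += struct.pack(ENTRY_FMT, ENTRY_SIZE + len(nm), len(blobs), len(payload),
                           len(payload), 0, code) + nm
        blobs += payload
    pkg_len = len(blobs) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(blobs), len(toc), pyvers, pylib)
    stub = b"MZ" + b"\0" * 6 + MAGIC + b"\0" * 48
    return stub + blobs + toc + cookie


# Constructed archive mirroring the kind of entries the report lists; contents are placeholders.
SAMPLE = build_sample([
    ("python312.dll", b"b", b"MZ" + b"\x90" * 30),
    ("base_library.zip", b"z", b"PK\x03\x04" + b"\0" * 12),
    ("main", b"s", b"print('hello')"),
])

if __name__ == "__main__":
    arc = parse_pyinstaller(SAMPLE)
    print(f"CArchive at offset {arc.archive_start}, Python {arc.pyvers[0]}.{arc.pyvers[1]}, pylib {arc.pylib}")
    for e in arc.entries:
        print(f"  {e.type_code}  {TYPE_CODES.get(e.type_code, 'unknown'):<28} {e.raw_len:>6} B  {e.name}")
```

The 's' entries are the entry-point scripts and the first thing to pull for decompilation; the 'b' entries are what the sandbox later sees unpacked under _MEI. The parser treats an out-of-range TOC as "not PyInstaller" rather than raising, which is the behaviour you want when sweeping a directory of samples.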

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 07:12

Reported

2024-04-09 07:12

Platform

win11-20240221-en

Max time kernel

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Black Myth Wukong 64-bit.exe"

Signatures

Processes

The same image appears twice. A PyInstaller onefile bootloader first unpacks its bundled runtime into %TEMP%\_MEI<pid> and then starts a second copy of itself, which loads python312.dll and runs the embedded code, so two identical entries are the expected shape of this run rather than a sign of injection.

C:\Users\Admin\AppData\Local\Temp\Black Myth Wukong 64-bit.exe

"C:\Users\Admin\AppData\Local\Temp\Black Myth Wukong 64-bit.exe"

C:\Users\Admin\AppData\Local\Temp\Black Myth Wukong 64-bit.exe

"C:\Users\Admin\AppData\Local\Temp\Black Myth Wukong 64-bit.exe"

Network

N/A

Files

Every file written during this run is a native component of the bundled CPython 3.12 runtime (python312.dll, VCRUNTIME140.dll, the extension .pyd modules, libffi-8.dll and OpenSSL's libcrypto-3.dll) or the base_library.zip standard-library bundle, unpacked to %TEMP%\_MEI30882. The sample's own Python code is not among them: PyInstaller reads it from the PYZ archive inside the executable without writing it to disk, so the hashes below identify the packer's runtime, not the payload.

C:\Users\Admin\AppData\Local\Temp\_MEI30882\python312.dll

MD5 6b6a180cd4d0258ba1f1482215b5ff02
SHA1 f991096b14cf25420064d443a31bd3185ba31661
SHA256 cac3864fb3fd40b9d32c34ff4f63794b80157d93557bf4bcd26b05ff4419b526
SHA512 849d043262edab7708cee9474fe5f2626cddfddc999d5f8d95c97d3ef42f5c2a14c468505e975ecf09451e3eb9a8dc6693b09b7e12e9c3c9a0c442e1cccc0156

C:\Users\Admin\AppData\Local\Temp\_MEI30882\VCRUNTIME140.dll

MD5 17f01742d17d9ffa7d8b3500978fc842
SHA1 2da2ff031da84ac8c2d063a964450642e849144d
SHA256 70dd90f6ee01854cecf18b1b6d1dfbf30d33c5170ba07ad8b64721f0bdcc235e
SHA512 c4e617cd808e48cc803343616853adf32b7f2e694b5827392219c69145a43969384d2fc67fa6fa0f5af1ca449eb4932004fbcdd394a5ba092212412b347586f0

C:\Users\Admin\AppData\Local\Temp\_MEI30882\base_library.zip

MD5 630153ac2b37b16b8c5b0dbb69a3b9d6
SHA1 f901cd701fe081489b45d18157b4a15c83943d9d
SHA256 ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2
SHA512 7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

C:\Users\Admin\AppData\Local\Temp\_MEI30882\_ctypes.pyd

MD5 911cf3bbd1bc0280b5105379e6d9dddd
SHA1 127fd9d7508c9c63b16dd5bb64bf893e8c252cdc
SHA256 cbf5248b652b56a071e2fd5b8870dbed8322138a7c374de3c3116df7e51ed4b3
SHA512 ef4d0549d575fff5dd6874f340618b1307701e1458ea8096a32790266c56e85a929533c2f08a88e550b48302c099e7739e1d856c2e9d64b4528ec5704f73fd23

C:\Users\Admin\AppData\Local\Temp\_MEI30882\libffi-8.dll

MD5 74d2b5e0120a6faae57042a9894c4430
SHA1 592f115016a964b7eb42860b589ed988e9fff314
SHA256 b982741576a050860c3f3608c7b269dbd35ab296429192b8afa53f1f190069c0
SHA512 f3c62f270488d224e24e29a078439736fa51c9ac7b0378dd8ac1b6987c8b8942a0131062bd117977a37046d4b1488f0f719f355039692bc21418fdfbb182e231

C:\Users\Admin\AppData\Local\Temp\_MEI30882\_socket.pyd

MD5 da77aa88903b13ebf6139d0aa6b2eaa3
SHA1 5c12270118338336e3ef44fc85d57c7fed4e8d56
SHA256 04d4649b658ca3f392af0634efc29dfc2abcddb92ec3397c9913a444268ce86e
SHA512 e192144d1ebeb63815c1d32c5239d78d88624801e1a745a6779e17f982d2a77e13374831381d00bc99c69060c016edf5ecf048c1f35e090296398ea4dc139b90

C:\Users\Admin\AppData\Local\Temp\_MEI30882\_lzma.pyd

MD5 f86b9f26e410a25cb8efda504702dd34
SHA1 5a4b7e39058133d8fb12492e90dd090be5fab735
SHA256 9234f38b7b514cdf8ce091dcc1f944385db2c908e7b852a8296492c1f7685eef
SHA512 a5af18aa013bdde18c09ff88a257519e5ce615ae61333fc8cecc4e219f48dafb2533c4e4c5ec42360c7885ac363d772370aa1c731b2b0a9ccb3ccd9b0ae02409

C:\Users\Admin\AppData\Local\Temp\_MEI30882\_hashlib.pyd

MD5 7a9548fa712b1ad8a023ae1253a2793a
SHA1 b90a45c35426d8a3ac6c106f932a93f1efffa865
SHA256 0de6c73d4334d01de7d38bcf1648ed42354c170e7c765b9995d4bf40823bc5fc
SHA512 6f517e4853548bc709192d66c433f0b8f51b73ab0839f4f2fea5c3820f82256d525f00ec5f78adc5660c80aadd88068625e2b6b60f25f3787942a4e3422e378c

C:\Users\Admin\AppData\Local\Temp\_MEI30882\_decimal.pyd

MD5 f3f47709cb9449473c1158f10b949a1d
SHA1 d44c8798d5d096e0fa24a7f113983190d59be3d0
SHA256 7b734f4f8e29ad8eb1eb03ebced277299be839727ee645f7eefaa93b7ff23d24
SHA512 8e22838b2457403f681fa23c467433d2db3cbb67e90e4f9350fcc0dd52755a60eb33236b06b29b099f95d64ba2c2ead2788ce38c57a86c7c82524b701cd4dd7c

C:\Users\Admin\AppData\Local\Temp\_MEI30882\_bz2.pyd

MD5 8cb92a62222c203a9a5d1ba7cca4f1aa
SHA1 da58d20fedc582d9d1fed4611c6c059de5868f33
SHA256 1985dface64121d35d8288d62b909f4196a608a4e5b83cbfc5695e53c3e63935
SHA512 9289450ced220f1b9166cfa6d3596c50995e7f15cabd6ffa137f371b7952b0775bc1f850d4581473ad842d77c9dfb83cb85ee6d3cd92374b716d62e8d06f1976

C:\Users\Admin\AppData\Local\Temp\_MEI30882\unicodedata.pyd

MD5 860e9244e11536bba7aa8c2441b3c726
SHA1 bf3be8d8123b0cfe9027dcd63ab913fe863d20e5
SHA256 583719afaaa86d6136db250972080592fa2785a0861e836c402d5950bd45ae53
SHA512 05a18d2af244d312f15f2d8b4e14b4f863262ae809af77345ce3b3abc830600cfb06711008a9dd966d0ee5b4866a9493c2eac63715bf84d92b838062df3e3092

C:\Users\Admin\AppData\Local\Temp\_MEI30882\select.pyd

MD5 42be65fc2b54263b72cf1fd319b3059e
SHA1 daeebbedfad3ba64da00e3ecee7242e15807073b
SHA256 dc4baa048c6453580a199c76fd0f8d6d9c9ec272e40eb7eee5168bec00b43b12
SHA512 9b8fb9650cbae70f10171637cb9fa9e52e1be43bbcb8aed0e86ca9c80c403fe6a5a5113c4790ea25707b7cd7f18b30d7ce79ab1e27500006c299b9aed39ef693

C:\Users\Admin\AppData\Local\Temp\_MEI30882\libcrypto-3.dll

MD5 2e9277a5dd088949086d450da0e5f4e8
SHA1 c939886464bb65dc4667d8e477d97a619eadddfc
SHA256 7de51a1913ca3b10027f83d99ccccb166d6a3c06ca5d6358f260342dbacdbf6a
SHA512 9f16c77cd90e1b6657f3d2cbd131273bf24becff01c198690ebadb2c454e3f84b88a7e9c6fecdb7f564e1aa99a5583bbd1933e5db408efce3a9095776fa1a056
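As an added detection example (constructed Sysmon-style events, not an export from the sandbox; the PIDs, the explorer.exe parent and the benign control process are assumptions, while the paths are the ones in this report), the Python rule below encodes the behavioral1 pattern: an executable under the user's Temp directory whose parent is the same image, where that parent has already written DLL or PYD files into a _MEI<n> directory. PyInstaller names that directory after the bootloader's own PID, so the constructed parent PID is 30882 to match the _MEI30882 path in the file list, and the rule reports whether the two agree.

```python
import re
from collections import defaultdict

# Sysmon-style numbering: event 1 = process creation, event 11 = file creation.
TEMP_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)
MEI_DROP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\_mei(\d+)\\.+\.(dll|pyd)$", re.I)

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\Black Myth Wukong 64-bit.exe"
MEI_DIR = r"C:\Users\Admin\AppData\Local\Temp\_MEI30882"

# Constructed events: PIDs and parent chain are assumptions, the paths come from the report.
EVENTS = [
    {"id": 1, "pid": 30882, "ppid": 3004, "image": SAMPLE_EXE,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 11, "pid": 30882, "target": MEI_DIR + r"\python312.dll"},
    {"id": 11, "pid": 30882, "target": MEI_DIR + r"\VCRUNTIME140.dll"},
    {"id": 11, "pid": 30882, "target": MEI_DIR + r"\base_library.zip"},   # not DLL/PYD: ignored
    {"id": 11, "pid": 30882, "target": MEI_DIR + r"\_ctypes.pyd"},
    {"id": 1, "pid": 30916, "ppid": 30882, "image": SAMPLE_EXE, "parent_image": SAMPLE_EXE},
    # Benign control (assumed): a Temp-resident installer that relaunches itself but drops nothing under _MEI.
    {"id": 1, "pid": 4100, "ppid": 3004, "image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 4120, "ppid": 4100, "image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe"},
]


def detect_pyinstaller_relaunch(events):
    """One hit per child process that (a) runs from %TEMP%, (b) has the same image as its parent,
    and (c) whose parent already wrote DLL/PYD files into a _MEI<n> directory."""
    drops = defaultdict(list)                      # parent pid -> [(n from _MEI<n>, path), ...]
    for e in events:
        if e["id"] == 11:
            m = MEI_DROP.match(e["target"])
            if m:
                drops[e["pid"]].append((int(m.group(1)), e["target"]))
    hits = []
    for e in events:
        if e["id"] != 1 or not TEMP_EXE.match(e["image"]):
            continue
        if e["image"].lower() != e["parent_image"].lower():
            continue                               # not a self-relaunch
        parent_drops = drops.get(e["ppid"], [])
        if not parent_drops:
            continue                               # self-relaunch without a _MEI unpack: ignore
        hits.append({
            "child_pid": e["pid"],
            "parent_pid": e["ppid"],
            "image": e["image"],
            # PyInstaller names the directory _MEI<bootloader pid>; a mismatch is worth a second look.
            "mei_dir_matches_pid": all(n == e["ppid"] for n, _ in parent_drops),
            "dropped": [path for _, path in parent_drops],
        })
    return hits


if __name__ == "__main__":
    for hit in detect_pyinstaller_relaunch(EVENTS):
        print(f"{hit['image']}: parent {hit['parent_pid']} -> child {hit['child_pid']}, "
              f"{len(hit['dropped'])} runtime files unpacked, _MEI pid match={hit['mei_dir_matches_pid']}")
```

Legitimately distributed PyInstaller tools produce exactly the same shape, so treat a hit as a triage prompt that should be followed by pulling the _MEI contents and the entry script, not as a verdict on its own.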

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 07:12

Reported

2024-04-09 07:13

Platform

win11-20240214-en

Max time kernel

1s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\BSR.pyc

Signatures

In this run the sample's Python code never executed. cmd /c on a .pyc file with no registered handler hands the file to the shell, which starts the Open With dialog (OpenWith.exe -Embedding); no other process ran, no files were written and there was no network activity. The process-attributed signatures below therefore belong to cmd.exe and the OpenWith.exe shell dialog, not to BSR.pyc.

Enumerates physical storage devices

Modifies registry class

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings
Process: C:\Windows\system32\cmd.exe
Target: N/A

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings
Process: C:\Windows\system32\OpenWith.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Windows\system32\OpenWith.exe
Target: N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\BSR.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

N/A

Files

N/A