Malware Analysis Report

2025-06-15 20:41

Sample ID: 240508-zp39cafa8v
Target: 4VGn41i.rar
SHA256: b2a909fe089d1e70a8e67b048dd1dcc9884bcedafd02a9a32135530088720f7e
Tags: pyinstaller
Score: 3/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 3/10
SHA256: b2a909fe089d1e70a8e67b048dd1dcc9884bcedafd02a9a32135530088720f7e

Threat Level: Likely benign

The file 4VGn41i.rar was found to be: Likely benign.

Malicious Activity Summary

pyinstaller

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-08 20:54

Signatures

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-08 20:54
Reported: 2024-05-08 20:57
Platform: win7-20240508-en
Max time kernel: 144s
Max time network: 124s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\4VGn41i.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\4VGn41i.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\4VGn41i.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\4VGn41i.rar

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\4VGn41i.rar"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-08 20:54
Reported: 2024-05-08 20:57
Platform: win10v2004-20240508-en
Max time kernel: 91s
Max time network: 123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\4VGn41i.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\4VGn41i.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp

Files

N/A