Analysis Overview
SHA256
b20f4ee8eb36c3ab08e9be6201f151253eb782ab4a6eea5a22f6d5e685339618
Threat Level: Shows suspicious behavior
The file diabolic.exe shows suspicious behavior (no signature on this page rates it as outright malicious).
Malicious Activity Summary
Loads dropped DLL
Unsigned PE
Detects Pyinstaller
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-10 21:43
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
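The "Detects Pyinstaller" signature fires on the archive PyInstaller appends to its bootloader: an 88-byte cookie ending the file (magic `MEI\x0c\x0b\x0a\x0b\x0e`, package length, TOC offset and length, Python version, Python DLL name) and a table of contents whose 18-byte entry headers are followed by NUL-terminated names. The parser below is an added example, not the sandbox's detection code and not from the sample; it implements the documented PyInstaller 2.1+ CArchive layout, and the fixture it builds (entry names, payload bytes, stub PE prefix) is constructed, since the bundled script names are not on this page. Run against diabolic.exe it would report the interpreter version that the dropped python38.dll and cp38 .pyd files already suggest.

```python
import struct
import zlib

# Trailer that the PyInstaller bootloader searches for; sandbox signatures match this magic
# (or bootloader strings such as _MEIPASS2) to label a file as a PyInstaller bundle.
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"   # magic, package length, TOC offset, TOC length, Python version, Python DLL name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes (PyInstaller 2.1+ layout)
TOC_FMT = "!iIIIBc"          # entry length, data offset, compressed size, uncompressed size, zlib flag, type code
TOC_SIZE = struct.calcsize(TOC_FMT)         # 18 bytes, then the NUL-padded entry name

TYPE_CODES = {b"b": "binary", b"d": "dependency", b"z": "pyz", b"Z": "zipfile", b"M": "package",
              b"m": "module", b"s": "script", b"x": "data", b"o": "option", b"l": "splash"}


def parse_pyinstaller(image: bytes):
    """Return archive metadata and TOC entries, or None when no intact PyInstaller cookie is present."""
    pos = image.rfind(MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(image):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(COOKIE_FMT, image[pos:pos + COOKIE_SIZE])
    pkg_start = pos + COOKIE_SIZE - pkg_len          # the package length counts the cookie itself
    if pkg_start < 0 or pkg_start + toc_off + toc_len > len(image):
        return None                                  # damaged cookie or a stray magic match
    # Older bootloaders encode Python 3.8 as 38, newer ones as 308.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    entries, cur, end = [], pkg_start + toc_off, pkg_start + toc_off + toc_len
    while cur + TOC_SIZE <= end:
        entry_len, data_off, csize, usize, cflag, tcode = struct.unpack(TOC_FMT, image[cur:cur + TOC_SIZE])
        if entry_len < TOC_SIZE or cur + entry_len > end:
            break                                    # malformed entry: stop instead of running off the TOC
        name = image[cur + TOC_SIZE:cur + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "type": TYPE_CODES.get(tcode, tcode.decode()), "offset": data_off,
                        "csize": csize, "usize": usize, "compressed": bool(cflag)})
        cur += entry_len
    return {"python": f"{major}.{minor}", "pylib": pylib.rstrip(b"\0").decode("utf-8", "replace"),
            "pkg_start": pkg_start, "entries": entries}


def extract_entry(image: bytes, info: dict, entry: dict) -> bytes:
    """Pull one TOC entry's payload out of the archive, inflating zlib-compressed entries."""
    start = info["pkg_start"] + entry["offset"]
    raw = image[start:start + entry["csize"]]
    return zlib.decompress(raw) if entry["compressed"] else raw


def build_onefile_image(entries, pyver=38, pylib=b"python38.dll") -> bytes:
    """Constructed fixture: a stub 'PE' prefix followed by a PyInstaller 2.1+-style package."""
    blobs, toc = b"", b""
    for name, tcode, data, compress in entries:
        payload = zlib.compress(data) if compress else data
        name_b = name.encode() + b"\0"
        name_b += b"\0" * ((16 - (TOC_SIZE + len(name_b)) % 16) % 16)   # entries are padded to 16 bytes
        toc += struct.pack(TOC_FMT, TOC_SIZE + len(name_b), len(blobs), len(payload), len(data),
                           int(compress), tcode) + name_b
        blobs += payload
    body = blobs + toc
    cookie = struct.pack(COOKIE_FMT, MAGIC, len(body) + COOKIE_SIZE, len(blobs), len(toc), pyver, pylib)
    return b"MZ" + b"\0" * 62 + b"stub PE image, constructed" + body + cookie


if __name__ == "__main__":
    sample = build_onefile_image([
        ("hypothetical_main", b"s", b"import socket\nprint('constructed payload')\n", False),
        ("python38.dll", b"b", b"MZ" + b"\0" * 30, False),
        ("PYZ-00.pyz", b"z", b"PYZ\0" * 64, True),
    ])
    info = parse_pyinstaller(sample)
    print(f"PyInstaller bundle, Python {info['python']} via {info['pylib']}")
    for e in info["entries"]:
        print(f"  {e['type']:<8} {e['name']:<20} {e['usize']:>6} bytes")
```

`rfind` is used because the cookie sits at the very end of the appended archive; a PyInstaller bundle nested inside another file would also match, which is why the package bounds are checked before the TOC is walked. Script entries ('s') are the bundled source to recover for review; 'pyz' entries hold compiled modules and need the bundled interpreter version to decompile.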
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 21:43
Reported
2024-05-10 21:43
Platform
win7-20240221-en
Max time kernel
3s
Max time network
6s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1704 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | C:\Users\Admin\AppData\Local\Temp\diabolic.exe |
| PID 1704 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | C:\Users\Admin\AppData\Local\Temp\diabolic.exe |
| PID 1704 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | C:\Users\Admin\AppData\Local\Temp\diabolic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\diabolic.exe
"C:\Users\Admin\AppData\Local\Temp\diabolic.exe"
C:\Users\Admin\AppData\Local\Temp\diabolic.exe
"C:\Users\Admin\AppData\Local\Temp\diabolic.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI17042\python38.dll
| MD5 | eec355a6e9586f823a4f12bed11e6c80 |
| SHA1 | 33627398cb32f4fbb162f38f7c277ad5b13a99ba |
| SHA256 | 560a6a5f8b7afa99600cc47da26a802c342d7f50ffe23850372f2fcf536cd26f |
| SHA512 | 7b4b3c13383de62a17aa1aafabce657ea5f4aadd716430fcd6e0f3125b773ae1589b3eaa050ccd87b37f6fae2391c5e7a8a229c0b0fa135de8d0269e9752bea0 |
C:\Users\Admin\AppData\Local\Temp\_MEI17042\VCRUNTIME140.dll
| MD5 | 7942be5474a095f673582997ae3054f1 |
| SHA1 | e982f6ebc74d31153ba9738741a7eec03a9fa5e8 |
| SHA256 | 8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c |
| SHA512 | 49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039 |
C:\Users\Admin\AppData\Local\Temp\_MEI17042\base_library.zip
| MD5 | 877f89f4a141da5810ae8df658dae577 |
| SHA1 | df17d4bf2fa8bc3ce9a85f635ee8cfe640cdd3d2 |
| SHA256 | f009edc33aea2ee2dc1e9ed32e27ddda6204c45c87a6f722b883c76eb394555f |
| SHA512 | 988a3daf5df93fe509886c4af86039493667ba83957d41a48615101d3bbcd8b2c319ae59e59cc83a6765f33558e396294f8e9e349f8c21131c0f10a2bad6f212 |
\Users\Admin\AppData\Local\Temp\_MEI17042\_ctypes.pyd
| MD5 | 4786508ffadc542bd677f45af820fdb9 |
| SHA1 | fc0f7dae6e0d093594e4ff1c293ce004dbd16fd7 |
| SHA256 | 64f5072cd9536418ec0fd4b5c30c13b03cdddced1f9332d4d721c4b37ae3883e |
| SHA512 | ad4b0e6883c2f0c003c46b1b85f5fbc2c1f8366a212695b9e47664c8735a30d4c8a3c645b324d3d059582096a1fe78ac1043ba8a639ced0665ef8c5cc33d0b80 |
\Users\Admin\AppData\Local\Temp\_MEI17042\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI17042\_socket.pyd
| MD5 | bc7b1b0112427976b83911e607213c37 |
| SHA1 | f4c7eb5b46ebe015a13de59f17ca158c01a377f4 |
| SHA256 | 85f200cb9adf0ef97d40b897868f6ad564211d3529f0b6dfe8e04c56a7b832bc |
| SHA512 | 18bc94c917ee894121241dcf65fab370a344caaf1120162fcb0966503c502b3e990a79553d2e4e1e3403e35d2b5e00cb365254c08f99c93c178e2e1fd7b2a040 |
C:\Users\Admin\AppData\Local\Temp\_MEI17042\select.pyd
| MD5 | bb6e9825bd4a98e0700d96b59ec64f68 |
| SHA1 | afd51547dad9cd7fac0efbda76b5e2388a027681 |
| SHA256 | bb81d220db83d5276fccda137d430160b8eafd40f4d92d86ebc718b4dfd555ac |
| SHA512 | 2380a0a2bd625ff79b04bb9d4f6611150512d72f719a3cc73806ea979c29b01fc3d947fb2998e308796a32061e0f2d34d158876924c71350c759e2a841abf964 |
C:\Users\Admin\AppData\Local\Temp\_MEI17042\_lzma.pyd
| MD5 | fea0e77f594207b8af1d240a16c6650e |
| SHA1 | dd48f108074eade8c0f84916d619bce4a97c07bb |
| SHA256 | d7acc95049c07298af56a316419e6548f3e6b56fb22dfb3382607a803dddb5e0 |
| SHA512 | 3b06abcf29bd93232afd6ae0b8fbded6cc75c5a5cdbd5b410d16e6f19e034d4f903252eda243f670173cc05e78e36e767553e065648ce7c3af330d10922d51ff |
\Users\Admin\AppData\Local\Temp\_MEI17042\_bz2.pyd
| MD5 | 712a8dba2916f0261a1290a8e3d85ebf |
| SHA1 | 27dbfa5de547c30c457855594272545dafaeb39d |
| SHA256 | d6e5763cecd267be0ff5355ff53e93428f3dd7ab20458fb1e7432dffa060cf82 |
| SHA512 | 662664189f3a426a2042c998a5396fcb660f1ec123fe8089ec740ae414e0da9173d2e1abb6a231b3271bba9c4cb2a3a0a6ea45c475531bb986a4d085e74de1d9 |
C:\Users\Admin\AppData\Local\Temp\_MEI17042\PIL\_imaging.cp38-win_amd64.pyd
| MD5 | 4bdf10382db4369c5f779bdf68d203ff |
| SHA1 | 5297002ae657d981c1dc9c67231da8371c6e4d6c |
| SHA256 | 334375da85840776cb4f663b6cd09297a6e3281ef43b1186bc61058e7699122a |
| SHA512 | 84afaae2eace1ec6fb50887495e7a08772bf54ca1453f15aa414c67ee94285b339d4e7da348faf5dee9e9a24b4371a9f65f1e5323cf5332c7e50274d4b4c1f58 |
\Users\Admin\AppData\Local\Temp\_MEI17042\MSVCP140.dll
| MD5 | c1b066f9e3e2f3a6785161a8c7e0346a |
| SHA1 | 8b3b943e79c40bc81fdac1e038a276d034bbe812 |
| SHA256 | 99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd |
| SHA512 | 36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728 |
C:\Users\Admin\AppData\Local\Temp\_MEI17042\PIL\_imagingft.cp38-win_amd64.pyd
| MD5 | b45db71a9739ea4f9de8fc5b1d7eac57 |
| SHA1 | d0e31e671a181f4409644f421679626074580274 |
| SHA256 | d545aad2f89e1748a5178876ce1f058595ebb53694ba375fee9cf2ad2cbf2a88 |
| SHA512 | 3d4eec4befe319ea8245286f992b3a1f79fa67d04d1f5a1bf94bf45e93ef591b878e4188e54cba98c1b32ea96afb33c5b37e5e44543950edab93c80d02995715 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 21:43
Reported
2024-05-10 21:43
Platform
win10v2004-20240426-en
Max time kernel
9s
Max time network
13s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4580 wrote to memory of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | C:\Users\Admin\AppData\Local\Temp\diabolic.exe |
| PID 4580 wrote to memory of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\diabolic.exe | C:\Users\Admin\AppData\Local\Temp\diabolic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\diabolic.exe
"C:\Users\Admin\AppData\Local\Temp\diabolic.exe"
C:\Users\Admin\AppData\Local\Temp\diabolic.exe
"C:\Users\Admin\AppData\Local\Temp\diabolic.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI45802\python38.dll
| MD5 | eec355a6e9586f823a4f12bed11e6c80 |
| SHA1 | 33627398cb32f4fbb162f38f7c277ad5b13a99ba |
| SHA256 | 560a6a5f8b7afa99600cc47da26a802c342d7f50ffe23850372f2fcf536cd26f |
| SHA512 | 7b4b3c13383de62a17aa1aafabce657ea5f4aadd716430fcd6e0f3125b773ae1589b3eaa050ccd87b37f6fae2391c5e7a8a229c0b0fa135de8d0269e9752bea0 |
C:\Users\Admin\AppData\Local\Temp\_MEI45802\base_library.zip
| MD5 | 877f89f4a141da5810ae8df658dae577 |
| SHA1 | df17d4bf2fa8bc3ce9a85f635ee8cfe640cdd3d2 |
| SHA256 | f009edc33aea2ee2dc1e9ed32e27ddda6204c45c87a6f722b883c76eb394555f |
| SHA512 | 988a3daf5df93fe509886c4af86039493667ba83957d41a48615101d3bbcd8b2c319ae59e59cc83a6765f33558e396294f8e9e349f8c21131c0f10a2bad6f212 |
C:\Users\Admin\AppData\Local\Temp\_MEI45802\VCRUNTIME140.dll
| MD5 | 7942be5474a095f673582997ae3054f1 |
| SHA1 | e982f6ebc74d31153ba9738741a7eec03a9fa5e8 |
| SHA256 | 8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c |
| SHA512 | 49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039 |
C:\Users\Admin\AppData\Local\Temp\_MEI45802\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_ctypes.pyd
| MD5 | 4786508ffadc542bd677f45af820fdb9 |
| SHA1 | fc0f7dae6e0d093594e4ff1c293ce004dbd16fd7 |
| SHA256 | 64f5072cd9536418ec0fd4b5c30c13b03cdddced1f9332d4d721c4b37ae3883e |
| SHA512 | ad4b0e6883c2f0c003c46b1b85f5fbc2c1f8366a212695b9e47664c8735a30d4c8a3c645b324d3d059582096a1fe78ac1043ba8a639ced0665ef8c5cc33d0b80 |
C:\Users\Admin\AppData\Local\Temp\_MEI45802\select.pyd
| MD5 | bb6e9825bd4a98e0700d96b59ec64f68 |
| SHA1 | afd51547dad9cd7fac0efbda76b5e2388a027681 |
| SHA256 | bb81d220db83d5276fccda137d430160b8eafd40f4d92d86ebc718b4dfd555ac |
| SHA512 | 2380a0a2bd625ff79b04bb9d4f6611150512d72f719a3cc73806ea979c29b01fc3d947fb2998e308796a32061e0f2d34d158876924c71350c759e2a841abf964 |
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_lzma.pyd
| MD5 | fea0e77f594207b8af1d240a16c6650e |
| SHA1 | dd48f108074eade8c0f84916d619bce4a97c07bb |
| SHA256 | d7acc95049c07298af56a316419e6548f3e6b56fb22dfb3382607a803dddb5e0 |
| SHA512 | 3b06abcf29bd93232afd6ae0b8fbded6cc75c5a5cdbd5b410d16e6f19e034d4f903252eda243f670173cc05e78e36e767553e065648ce7c3af330d10922d51ff |
C:\Users\Admin\AppData\Local\Temp\_MEI45802\PIL\_imaging.cp38-win_amd64.pyd
| MD5 | 4bdf10382db4369c5f779bdf68d203ff |
| SHA1 | 5297002ae657d981c1dc9c67231da8371c6e4d6c |
| SHA256 | 334375da85840776cb4f663b6cd09297a6e3281ef43b1186bc61058e7699122a |
| SHA512 | 84afaae2eace1ec6fb50887495e7a08772bf54ca1453f15aa414c67ee94285b339d4e7da348faf5dee9e9a24b4371a9f65f1e5323cf5332c7e50274d4b4c1f58 |
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_bz2.pyd
| MD5 | 712a8dba2916f0261a1290a8e3d85ebf |
| SHA1 | 27dbfa5de547c30c457855594272545dafaeb39d |
| SHA256 | d6e5763cecd267be0ff5355ff53e93428f3dd7ab20458fb1e7432dffa060cf82 |
| SHA512 | 662664189f3a426a2042c998a5396fcb660f1ec123fe8089ec740ae414e0da9173d2e1abb6a231b3271bba9c4cb2a3a0a6ea45c475531bb986a4d085e74de1d9 |
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_socket.pyd
| MD5 | bc7b1b0112427976b83911e607213c37 |
| SHA1 | f4c7eb5b46ebe015a13de59f17ca158c01a377f4 |
| SHA256 | 85f200cb9adf0ef97d40b897868f6ad564211d3529f0b6dfe8e04c56a7b832bc |
| SHA512 | 18bc94c917ee894121241dcf65fab370a344caaf1120162fcb0966503c502b3e990a79553d2e4e1e3403e35d2b5e00cb365254c08f99c93c178e2e1fd7b2a040 |
C:\Users\Admin\AppData\Local\Temp\_MEI45802\MSVCP140.dll
| MD5 | c1b066f9e3e2f3a6785161a8c7e0346a |
| SHA1 | 8b3b943e79c40bc81fdac1e038a276d034bbe812 |
| SHA256 | 99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd |
| SHA512 | 36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728 |
C:\Users\Admin\AppData\Local\Temp\_MEI45802\PIL\_imagingft.cp38-win_amd64.pyd
| MD5 | b45db71a9739ea4f9de8fc5b1d7eac57 |
| SHA1 | d0e31e671a181f4409644f421679626074580274 |
| SHA256 | d545aad2f89e1748a5178876ce1f058595ebb53694ba375fee9cf2ad2cbf2a88 |
| SHA512 | 3d4eec4befe319ea8245286f992b3a1f79fa67d04d1f5a1bf94bf45e93ef591b878e4188e54cba98c1b32ea96afb33c5b37e5e44543950edab93c80d02995715 |
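Read together, the two detonations show the PyInstaller onefile pattern: one process unpacks the runtime into `%TEMP%\_MEI<n>` and launches a second copy of itself, and the "Suspicious use of WriteProcessMemory" rows (1704 writing into 2564, 4580 writing into 1252) are the parent-to-child writes that accompany any CreateProcess rather than writes into a foreign process. The `_MEI` directory names line up with the writer PIDs (`_MEI17042` with 1704, `_MEI45802` with 4580), consistent with the Windows bootloader building the prefix `_MEI<pid>` and letting `_tempnam` append a digit. The script below is an added triage helper, not sandbox output or the sample's code; its event records are constructed from the PIDs, paths and SHA256 values listed above (a subset of the files, to keep it short), and the record layout is this script's own. It checks that correlation, separates expected CPython runtime files from anything else dropped into `_MEI*`, compares dropped-file hashes across the two runs, and classifies the DNS rows.

```python
import re
import ntpath
from collections import defaultdict

# Constructed from this report's behavioral1 and behavioral2 sections (PIDs, paths, SHA256 as listed);
# the dict layout is this script's own, not the sandbox's export format.
RUNS = {
    "behavioral1": {
        "wpm": [(1704, 2564), (1704, 2564), (1704, 2564)],          # (writer PID, target PID)
        "dropped": {
            r"C:\Users\Admin\AppData\Local\Temp\_MEI17042\python38.dll": "560a6a5f8b7afa99600cc47da26a802c342d7f50ffe23850372f2fcf536cd26f",
            r"C:\Users\Admin\AppData\Local\Temp\_MEI17042\VCRUNTIME140.dll": "8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c",
            r"\Users\Admin\AppData\Local\Temp\_MEI17042\_ctypes.pyd": "64f5072cd9536418ec0fd4b5c30c13b03cdddced1f9332d4d721c4b37ae3883e",
            r"\Users\Admin\AppData\Local\Temp\_MEI17042\MSVCP140.dll": "99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd",
        },
        "dns": [],
    },
    "behavioral2": {
        "wpm": [(4580, 1252), (4580, 1252)],
        "dropped": {
            r"C:\Users\Admin\AppData\Local\Temp\_MEI45802\python38.dll": "560a6a5f8b7afa99600cc47da26a802c342d7f50ffe23850372f2fcf536cd26f",
            r"C:\Users\Admin\AppData\Local\Temp\_MEI45802\VCRUNTIME140.dll": "8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c",
            r"C:\Users\Admin\AppData\Local\Temp\_MEI45802\_ctypes.pyd": "64f5072cd9536418ec0fd4b5c30c13b03cdddced1f9332d4d721c4b37ae3883e",
            r"C:\Users\Admin\AppData\Local\Temp\_MEI45802\MSVCP140.dll": "99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd",
        },
        "dns": ["133.32.126.40.in-addr.arpa", "95.221.229.192.in-addr.arpa", "133.211.185.52.in-addr.arpa"],
    },
}

MEI_RE = re.compile(r"[\\/](_MEI)(\d+)[\\/]", re.IGNORECASE)
# Files a PyInstaller onefile bundle of a CPython 3.x application is expected to unpack into _MEI*.
RUNTIME_RE = re.compile(r"^(python3\d+\.dll|vcruntime140(_1)?\.dll|msvcp140\.dll|libffi-\d+\.dll|"
                        r"base_library\.zip|.+\.pyd)$", re.IGNORECASE)


def mei_dir_of(path):
    """Return (directory name, digit suffix) for a path under a _MEI* directory, else None."""
    m = MEI_RE.search(path)
    return (m.group(1) + m.group(2), m.group(2)) if m else None


def mei_matches_pid(digits, pid):
    """The bootloader PID must be a proper prefix of the digits: _MEI<pid> plus the number _tempnam appends."""
    s = str(pid)
    return digits.startswith(s) and len(digits) > len(s)


def correlate_bootloader(run):
    """Map each _MEI directory to the WriteProcessMemory writer PID that created it (None if no writer fits)."""
    writers = {src for src, _ in run["wpm"]}
    out = {}
    for path in run["dropped"]:
        hit = mei_dir_of(path)
        if hit:
            out[hit[0]] = next((p for p in writers if mei_matches_pid(hit[1], p)), None)
    return out


def split_runtime(run):
    """Separate CPython runtime files from anything else dropped into _MEI*; names only, so a trojaned
    .pyd still passes this filter and only the hash comparison against a known distribution catches it."""
    expected, unexpected = [], []
    for path in run["dropped"]:
        (expected if RUNTIME_RE.match(ntpath.basename(path)) else unexpected).append(ntpath.basename(path))
    return sorted(expected), sorted(unexpected)


def hash_stability(runs):
    """Group SHA256 by file name across detonations: names with one hash vs. names whose content varied."""
    by_name = defaultdict(set)
    for run in runs.values():
        for path, sha in run["dropped"].items():
            by_name[ntpath.basename(path).lower()].add(sha)
    stable = sorted(n for n, h in by_name.items() if len(h) == 1)
    changed = sorted(n for n, h in by_name.items() if len(h) > 1)
    return stable, changed


def classify_dns(name):
    """in-addr.arpa queries are reverse (PTR) lookups, not connections to the hosts whose addresses they encode."""
    return "ptr" if name.lower().endswith(".in-addr.arpa") else "forward"


if __name__ == "__main__":
    for label, run in RUNS.items():
        print(label, correlate_bootloader(run), split_runtime(run), [classify_dns(d) for d in run["dns"]])
    print("stable across runs:", hash_stability(RUNS))
```

On this report's data every dropped file is a runtime component with the same hash in both runs, so the payload worth examining is the bundled script and PYZ inside diabolic.exe itself, not the dropped DLLs. The only network rows are three PTR queries to 8.8.8.8 on Windows 10; with 3 s and 9 s of kernel time the detonations are too short to treat the absence of forward lookups or TCP connections as evidence that the sample has no network behaviour.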