Analysis Overview
SHA256
2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd
Threat Level: Known bad
The file 2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-20 10:19
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
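The static signature above fires on the trailer ("cookie") that PyInstaller's bootloader appends to a bundle: the magic bytes MEI\x0c\x0b\x0a\x0b\x0e followed by the archive length, TOC position, TOC length, Python version and the name of the Python DLL (python34.dll in the drops listed further down). The following script is an added example, not code from the report or from PyInstaller: it locates and parses that cookie using the published 2.1+ cookie layout. The sample bundle it builds is constructed for the demo (a placeholder stub and package with a real-layout cookie), and the function names are mine.

```python
import struct
import sys
from typing import Optional

# Cookie ("trailer") that PyInstaller's bootloader appends to the bundle and later
# searches for from the end of the file; these are the bootloader's magic bytes.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# PyInstaller 2.1+ cookie layout (network byte order): magic, total archive length,
# TOC offset, TOC length, Python version, NUL-padded Python DLL name (64 bytes).
COOKIE_FMT = "!8sIIIi64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes


def parse_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Return the parsed cookie if `data` carries a plausible PyInstaller archive, else None."""
    idx = data.rfind(PYINSTALLER_MAGIC)
    if idx == -1 or len(data) - idx < COOKIE_SIZE:
        return None  # no magic at all, or the trailer is truncated
    magic, pkg_len, toc_pos, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, idx)
    archive_start = idx + COOKIE_SIZE - pkg_len
    # Sanity checks: the archive must fit inside the file and the TOC inside the archive.
    if archive_start < 0 or toc_pos + toc_len > pkg_len:
        return None
    # Older bootloaders store 3.4 as 34; newer ones store 3.10 as 310.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {
        "archive_start": archive_start,
        "archive_len": pkg_len,
        "toc_pos": toc_pos,
        "toc_len": toc_len,
        "python_version": f"{major}.{minor}",
        "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def scan_file(path: str) -> Optional[dict]:
    """Read a file from disk and run the cookie check over it."""
    with open(path, "rb") as f:
        return parse_pyinstaller_cookie(f.read())


def build_sample_bundle() -> bytes:
    """Constructed sample for this demo: placeholder stub and package bytes (not a real PE
    or a real archive) followed by a cookie in the genuine PyInstaller layout."""
    stub = b"MZ" + b"\x00" * 126          # stand-in for the bootloader PE
    body = b"\x00" * 100                  # stand-in for the compressed entries
    toc = b"\x00" * 32                    # stand-in for the table of contents
    pkg = body + toc
    total_len = len(pkg) + COOKIE_SIZE    # PyInstaller counts the cookie in the total
    cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, total_len,
                         len(body), len(toc), 34, b"python34.dll")
    return stub + pkg + cookie


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = scan_file(sys.argv[1])
    else:
        result = parse_pyinstaller_cookie(build_sample_bundle())
    print(result or "not a PyInstaller bundle")
```

Run it with a path to check a real sample, or with no arguments to parse the constructed bundle. Searching backwards with rfind rather than reading a fixed offset matters in practice: an Authenticode signature or other overlay appended after the bundle pushes the cookie away from the end of the file.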
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 10:19
Reported
2024-05-20 10:22
Platform
win7-20231129-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
MetaSploit
Loads dropped DLL
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe
"C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe"
C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe
"C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 10.13.1.24:5656 | N/A | tcp |
Files
The drop directory _MEI21522 (and _MEI47802 in the Windows 10 run below) is PyInstaller's per-run extraction directory; its name incorporates the PID of the extracting process (2152 here, 4780 there), so it changes on every execution and is not usable as a path indicator. The dropped file names and hashes below are identical across both runs and are the stable indicators; payload.exe.manifest also preserves the name the bundle was built with before the file was renamed to its hash.
C:\Users\Admin\AppData\Local\Temp\_MEI21522\payload.exe.manifest
| MD5 | fdae7492d1832efe2dc4baeaa92a4514 |
| SHA1 | c78c6f7bf029f6fd004322f579321e83b5071873 |
| SHA256 | 80a743012f5fb4dd39aaa3de75d919812ff75754940582bbf12627fb8a31f40b |
| SHA512 | 5ae0d6be6d6d84f82741bb9f5e5b4c5ce5d8def1d14b279941c71f81c2b38be20fe5f94454c26930a245afec93bc792de3e168abbc87acc55a5881898c3c84f1 |
C:\Users\Admin\AppData\Local\Temp\_MEI21522\python34.dll
| MD5 | 10f32f75b689d2a513865800f4d2f541 |
| SHA1 | 369186600de0ee1f51edaa4943b87382237107a3 |
| SHA256 | 9f3d6960d2a502ea6f2e108556597ec7c1fe1b590ee40d46662ce5fc0ddc9391 |
| SHA512 | f0f1d3b4b4d77320d148a332e224ac203b0adf24f744825bcf19012d08ec83ed91ac5ab5e5e0eecad5d13a7898302b7ccc393460caa4c837d4a896863fc8f5c7 |
C:\Users\Admin\AppData\Local\Temp\_MEI21522\MSVCR100.dll
| MD5 | bf38660a9125935658cfa3e53fdc7d65 |
| SHA1 | 0b51fb415ec89848f339f8989d323bea722bfd70 |
| SHA256 | 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa |
| SHA512 | 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1 |
\Users\Admin\AppData\Local\Temp\_MEI21522\_ctypes.pyd
| MD5 | 5d1bc1be2f02b4a2890e921af15190d2 |
| SHA1 | 057c88438b40cd8e73554274171341244f107139 |
| SHA256 | 97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da |
| SHA512 | 9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9 |
\Users\Admin\AppData\Local\Temp\_MEI21522\Crypto.Cipher._AES.pyd
| MD5 | 3c4ab2e06feb6e4ca1b7a1244055671a |
| SHA1 | a4c3c44b45248b7cf53881e6d8efa8d557e100a9 |
| SHA256 | c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23 |
| SHA512 | 7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c |
memory/2176-25-0x0000000000530000-0x0000000000531000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21522\base_library.zip
| MD5 | df1d3f647a03d12f51b2639d21d8f3f5 |
| SHA1 | 3297a097bff9cdff5ddbf89053f08d78dbf97d04 |
| SHA256 | 186b2cc73b338daf2472c93b5de24292bc5828d22e6ba0ad8f9e7422ad69a3b7 |
| SHA512 | c5a19e716ae5b9e18f5906df8d92c87bd213760caf22930a77d9e8324d80a3d072775e6df5f05581e96545c81f0cf3acbafd390a4968c6a2ffb133094c2d1bcb |
memory/2152-27-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2176-28-0x0000000000400000-0x0000000000430000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 10:19
Reported
2024-05-20 10:22
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
MetaSploit
Loads dropped DLL
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4780 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe | C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe |
| PID 4780 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe | C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe |
| PID 4780 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe | C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe |
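Two entries for the same executable are expected from a PyInstaller onefile bundle: the bootloader extracts to _MEI and then launches a second copy of itself to run the Python code. What is not expected from the stock bootloader is the parent writing into the child's memory, three times, with the memory dumps further down showing the 0x400000-0x430000 range captured from both processes. The following triage helper is an added example, not part of the report or of any sandbox's own code: it reads rows in the shape of the table above together with the dump file names, and flags a parent that writes into a child running the identical image when that child was dumped at 0x400000 (the default image base of a 32-bit EXE, assumed here as the hollowing hint). The sample rows are taken from this detonation; the function names and the row format are mine.

```python
import re
from collections import defaultdict

# Default image base of a 32-bit Windows EXE; a written-to child dumped from this base
# is the classic shape of process hollowing / image replacement (heuristic, not proof).
DEFAULT_IMAGE_BASE = 0x00400000

WRITE_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+)")
DUMP_NAME = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_write_rows(rows):
    """rows: (description, process, target) tuples from a WriteProcessMemory signature table."""
    writes = defaultdict(lambda: {"count": 0, "src_image": None, "dst_image": None})
    for desc, proc, target in rows:
        m = WRITE_ROW.search(desc)
        if not m:
            continue
        w = writes[(int(m.group(1)), int(m.group(2)))]
        w["count"] += 1
        w["src_image"], w["dst_image"] = proc, target
    return writes


def parse_dump_names(names):
    """Map pid -> [(start, end)] from memory/<pid>-<n>-<start>-<end>-memory.dmp names."""
    regions = defaultdict(list)
    for name in names:
        m = DUMP_NAME.search(name)
        if m:
            regions[int(m.group(1))].append((int(m.group(2), 16), int(m.group(3), 16)))
    return regions


def find_self_injection(rows, dump_names):
    """Flag parent->child writes where both run the same image and the child was dumped at its image base."""
    findings = []
    regions = parse_dump_names(dump_names)
    for (src, dst), w in parse_write_rows(rows).items():
        if src == dst:
            continue  # a process writing to itself is not cross-process injection
        same_image = w["src_image"].lower() == w["dst_image"].lower()
        at_base = [(s, e) for s, e in regions.get(dst, []) if s == DEFAULT_IMAGE_BASE]
        if same_image and at_base:
            start, end = at_base[0]
            findings.append({
                "parent": src,
                "child": dst,
                "writes": w["count"],
                "image": w["src_image"],
                "child_region": (start, end),
                "child_region_size": end - start,
                "other_child_regions": [r for r in regions.get(dst, []) if r != (start, end)],
            })
    return findings


# Constructed input: the three WriteProcessMemory rows and the dump names from the
# Windows 10 detonation in this report.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe")
SAMPLE_ROWS = [("PID 4780 wrote to memory of 4784", SAMPLE_EXE, SAMPLE_EXE)] * 3
SAMPLE_DUMPS = [
    "memory/4784-25-0x0000000002B60000-0x0000000002B61000-memory.dmp",
    "memory/4780-27-0x0000000000400000-0x0000000000430000-memory.dmp",
    "memory/4784-28-0x0000000000400000-0x0000000000430000-memory.dmp",
]

if __name__ == "__main__":
    for f in find_self_injection(SAMPLE_ROWS, SAMPLE_DUMPS):
        print(f"parent {f['parent']} -> child {f['child']}: {f['writes']} writes; "
              f"child dumped at 0x{f['child_region'][0]:X}-0x{f['child_region'][1]:X} "
              f"({f['child_region_size']:#x} bytes); other child regions: "
              f"{[(hex(s), hex(e)) for s, e in f['other_child_regions']]}")
```

On this report the helper yields one finding: 4780 -> 4784, three writes, a 0x30000-byte child region at the image base, and one further 4 KB region in the child (0x2B60000-0x2B61000), which is the other dump worth pulling first when looking for the stage the parent wrote.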
Processes
C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe
"C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe"
C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe
"C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| N/A | 10.13.1.24:5656 | N/A | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Only the TCP connection to 10.13.1.24:5656 is common to both detonations; the 8.8.8.8 PTR lookups and the Bing connections appear in the Windows 10 run alone and are consistent with OS background traffic rather than with the sample. 10.13.1.24 is a private (RFC 1918) address, so the handler this payload was built to call back to is only reachable on the network it was built for; outside it the connection attempt fails and no second stage is observed, which is why the sandbox records nothing beyond the connection itself.
Files
Besides the PyInstaller drops, the sandbox dumped the same 0x400000-0x430000 range from both the parent (4780) and the child it wrote to (4784), plus a single 4 KB region in the child; the Windows 7 run shows the same pattern with PIDs 2152 and 2176.
C:\Users\Admin\AppData\Local\Temp\_MEI47802\payload.exe.manifest
| MD5 | fdae7492d1832efe2dc4baeaa92a4514 |
| SHA1 | c78c6f7bf029f6fd004322f579321e83b5071873 |
| SHA256 | 80a743012f5fb4dd39aaa3de75d919812ff75754940582bbf12627fb8a31f40b |
| SHA512 | 5ae0d6be6d6d84f82741bb9f5e5b4c5ce5d8def1d14b279941c71f81c2b38be20fe5f94454c26930a245afec93bc792de3e168abbc87acc55a5881898c3c84f1 |
C:\Users\Admin\AppData\Local\Temp\_MEI47802\python34.dll
| MD5 | 10f32f75b689d2a513865800f4d2f541 |
| SHA1 | 369186600de0ee1f51edaa4943b87382237107a3 |
| SHA256 | 9f3d6960d2a502ea6f2e108556597ec7c1fe1b590ee40d46662ce5fc0ddc9391 |
| SHA512 | f0f1d3b4b4d77320d148a332e224ac203b0adf24f744825bcf19012d08ec83ed91ac5ab5e5e0eecad5d13a7898302b7ccc393460caa4c837d4a896863fc8f5c7 |
C:\Users\Admin\AppData\Local\Temp\_MEI47802\MSVCR100.dll
| MD5 | bf38660a9125935658cfa3e53fdc7d65 |
| SHA1 | 0b51fb415ec89848f339f8989d323bea722bfd70 |
| SHA256 | 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa |
| SHA512 | 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1 |
C:\Users\Admin\AppData\Local\Temp\_MEI47802\Crypto.Cipher._AES.pyd
| MD5 | 3c4ab2e06feb6e4ca1b7a1244055671a |
| SHA1 | a4c3c44b45248b7cf53881e6d8efa8d557e100a9 |
| SHA256 | c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23 |
| SHA512 | 7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c |
C:\Users\Admin\AppData\Local\Temp\_MEI47802\_ctypes.pyd
| MD5 | 5d1bc1be2f02b4a2890e921af15190d2 |
| SHA1 | 057c88438b40cd8e73554274171341244f107139 |
| SHA256 | 97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da |
| SHA512 | 9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9 |
C:\Users\Admin\AppData\Local\Temp\_MEI47802\base_library.zip
| MD5 | df1d3f647a03d12f51b2639d21d8f3f5 |
| SHA1 | 3297a097bff9cdff5ddbf89053f08d78dbf97d04 |
| SHA256 | 186b2cc73b338daf2472c93b5de24292bc5828d22e6ba0ad8f9e7422ad69a3b7 |
| SHA512 | c5a19e716ae5b9e18f5906df8d92c87bd213760caf22930a77d9e8324d80a3d072775e6df5f05581e96545c81f0cf3acbafd390a4968c6a2ffb133094c2d1bcb |
memory/4784-25-0x0000000002B60000-0x0000000002B61000-memory.dmp
memory/4780-27-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4784-28-0x0000000000400000-0x0000000000430000-memory.dmp