Malware Analysis Report

2025-06-15 20:56

Sample ID 240525-zc5lmsaa39
Target MagicDorks.exe
SHA256 ca20b7876b3490e497f4448bc03166ddaa41ebae02aac80ab49ae315eed59229
Tags
pyinstaller
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ca20b7876b3490e497f4448bc03166ddaa41ebae02aac80ab49ae315eed59229

Threat Level: Shows suspicious behavior

The file MagicDorks.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-25 20:35

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 20:35

Reported

2024-05-25 20:42

Platform

win7-20231129-en

Max time kernel

383s

Max time network

363s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe"

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe

"C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe"

C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe

"C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\_MEI28482\python38.dll

MD5 1f2688b97f9827f1de7dfedb4ad2348c
SHA1 a9650970d38e30835336426f704579e87fcfc892
SHA256 169eeb1bdf99ed93ca26453d5ca49339e5ae092662cd94cde09fbb10046f83fc
SHA512 27e56b2d73226e36b0c473d8eb646813997cbdf955397d0b61fcae37ed1f2c3715e589f9a07d909a967009ed2c664d14007ccf37d83a7df7ce2a0fefca615503

C:\Users\Admin\AppData\Local\Temp\_MEI28482\MagicDorks.exe.manifest

MD5 e51c1b86f0850f1a9c3aabb61c019fda
SHA1 478274da912591d2b384a005b87b558f3e4cbe2e
SHA256 ad577f3c498a0c3e9b899a4492d333dde0f857faafc100261c59145b46d8078f
SHA512 60031380fa489d842588911aefd57f64c0af3e93ee32b05c6f3a8dce22ab753b17a3b6dd951c339e8793603eed5adb0cb2962b9b44886f585b1f239d21ae60b9

C:\Users\Admin\AppData\Local\Temp\_MEI28482\VCRUNTIME140.dll

MD5 18571d6663b7d9ac95f2821c203e471f
SHA1 3c186018df04e875d6b9f83521028a21f145e3be
SHA256 0b040a314c19ff88f38fd9c89dca2d493113a6109adb8525733c3f6627da888f
SHA512 c8cbca1072b8cb04f9d82135c91ff6d7a539cb7a488671cecb6b5e2f11a4807f47ad9af5a87ebee44984ab71d7c44fc87850f9d04fd2c5019ec1b6a1b483ca21

C:\Users\Admin\AppData\Local\Temp\_MEI28482\base_library.zip

MD5 50060b2f8f4495e066613801bce8059f
SHA1 3db6700c554d92663dc433ca3ba308a1a1fa3279
SHA256 5fae2dfe5188249b2e25080f8886a27a81bdcc9fe8b99d3c2bc3b3f7ad0f6236
SHA512 a3bd9cb1f0332aeb993cc4ca364df20e965aa896a14120b8de7863f71b66ad14ac2ebfe77985cde60b551685e21d23c6af0825af8bc514c896b10ffebda8e958

C:\Users\Admin\AppData\Local\Temp\_MEI28482\_ctypes.pyd

MD5 8adb1345c717e575e6614e163eb62328
SHA1 f1ee3fff6e06dc4f22a5eb38c09c54580880e0a3
SHA256 65edc348db42347570578b979151b787ceebfc98e0372c28116cc229494a78a8
SHA512 0f11673854327fd2fcd12838f54c080edc4d40e4bcb50c413fe3f823056d189636dc661ea79207163f966719bf0815e1ffa75e2fb676df4e56ed6321f1ff6cae

C:\Users\Admin\AppData\Local\Temp\_MEI28482\python3.DLL

MD5 9779c701be8e17867d1d92d470607948
SHA1 6aae834541ccc73d1c87c9f1a12df4ac0cf9001f
SHA256 59e6421802d30326c1704f15acc2b2888097241e291aba4860d1e1fc3d26d4bf
SHA512 4e34bcdd2093347d2b4e5c0f8c25f5d36d54097283faf5b2be1c75d717f716d459a45336647d3360457f25417952e62f8f21f5a720204fe5b894d5513e43e782

C:\Users\Admin\AppData\Local\Temp\_MEI28482\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI28482\_socket.pyd

MD5 1d53841bb21acdcc8742828c3aded891
SHA1 cdf15d4815820571684c1f720d0cba24129e79c8
SHA256 ab13258c6da2c26c4dca7239ff4360ca9166ea8f53bb8cc08d2c7476cab7d61b
SHA512 0266bcbcd7ca5f6c9df8dbeea00e1275932dacc38e5dd83a47bfbb87f7ca6778458a6671d8b84a63ae9216a65975da656ba487ac28d41140122f46d0174fa9f9

\Users\Admin\AppData\Local\Temp\_MEI28482\select.pyd

MD5 a2ab334e18222738dcb05bf820725938
SHA1 2f75455a471f95ac814b8e4560a023034480b7b5
SHA256 7ba95624370216795ea4a087c326422cfcbccc42b5ada21f4d85c532c71afad7
SHA512 72e891d1c7e5ea44a569283b5c8bd8c310f2ee3d3cc9c25c6a7d7d77a62cb301c822c833b0792c3163cf0b0d6272da2f667e6bc74b07ed7946082433f77d9679

C:\Users\Admin\AppData\Local\Temp\_MEI28482\libcrypto-1_1.dll

MD5 cc4cbf715966cdcad95a1e6c95592b3d
SHA1 d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256 594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA512 3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

\Users\Admin\AppData\Local\Temp\_MEI28482\_ssl.pyd

MD5 84dea8d0acce4a707b094a3627b62eab
SHA1 d45dda99466ab08cc922e828729d0840ae2ddc18
SHA256 dcf6b3ff84b55c3859d0f176c4ce6904c0d7d4643a657b817c6322933dbf82f6
SHA512 fdaa7eb10f8bf7b42a5c9691f600eff48190041a8b28a5dab977170db717fff58dd0f64b02ca30d274552ff30ee02a6577f1465792cf6760366c2588bf373108

C:\Users\Admin\AppData\Local\Temp\_MEI28482\libssl-1_1.dll

MD5 bc778f33480148efa5d62b2ec85aaa7d
SHA1 b1ec87cbd8bc4398c6ebb26549961c8aab53d855
SHA256 9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843
SHA512 80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

\Users\Admin\AppData\Local\Temp\_MEI28482\_pytransform.dll

MD5 4fdf69f15ece51f7818cb525bd4189b5
SHA1 99df7e291b17bcd4fd17af9f727d40e81a7ba143
SHA256 5304bdb81e30053fe06ed232c05b87d0c5622f8886290e662296cda3fb4c3fe0
SHA512 60ae66392e7b8605a6477ebfa43cffb8ef4434e6220e6c17c92dbbd0471ab6c561c8470edb56614696f3408f790ef9f3f96a6d354b6653531e5ce89f7393d9bc

C:\Users\Admin\AppData\Local\Temp\_MEI28482\license.lic

MD5 2353cbf3f0e56f19ab81b9dd3a160e95
SHA1 3dcca8296e91da135b6c5b9346d02fd06f85900e
SHA256 4636adc8235f6af6d4ca13e77f12a1044e8511184cccef7031c8e24314bd9605
SHA512 27093980d5bb490d1cc828af46f0e40bb46d3a573651be91f4fade6303d2584d79b33ae8d24768b4e04adb1b7814589b2048d332b1716a4b0925275f8136e142

\Users\Admin\AppData\Local\Temp\_MEI28482\_tkinter.pyd

MD5 7577b428063ea0eda1e0937f4976b078
SHA1 6256415033aae978835fe3dc4523a462d5932873
SHA256 7fdbb5a713a3de7413564a2ec15c8715f3ba203bfe2b944c9cda610155c511d1
SHA512 a36e09535579e5cc2fcc86659ae60fa7a779bfd577b6dc9d27fec78e8be1e095f52320fe0822fcb080b96d71729e97c6f07c8728565e8aea708426289485147c

C:\Users\Admin\AppData\Local\Temp\_MEI28482\tcl86t.dll

MD5 c0b23815701dbae2a359cb8adb9ae730
SHA1 5be6736b645ed12e97b9462b77e5a43482673d90
SHA256 f650d6bc321bcda3fc3ac3dec3ac4e473fb0b7b68b6c948581bcfc54653e6768
SHA512 ed60384e95be8ea5930994db8527168f78573f8a277f8d21c089f0018cd3b9906da764ed6fcc1bd4efad009557645e206fbb4e5baef9ab4b2e3c8bb5c3b5d725

C:\Users\Admin\AppData\Local\Temp\_MEI28482\tk86t.dll

MD5 fdc8a5d96f9576bd70aa1cadc2f21748
SHA1 bae145525a18ce7e5bc69c5f43c6044de7b6e004
SHA256 1a6d0871be2fa7153de22be008a20a5257b721657e6d4b24da8b1f940345d0d5
SHA512 816ada61c1fd941d10e6bb4350baa77f520e2476058249b269802be826bab294a9c18edc5d590f5ed6f8dafed502ab7ffb29db2f44292cb5bedf2f5fa609f49c

memory/1476-1050-0x000007FEF0000000-0x000007FEF0001000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI28482\tcl\encoding\cp1252.enc

MD5 5900f51fd8b5ff75e65594eb7dd50533
SHA1 2e21300e0bc8a847d0423671b08d3c65761ee172
SHA256 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0
SHA512 ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

memory/1476-1049-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-1047-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-1045-0x0000000002990000-0x0000000002991000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI28482\_queue.pyd

MD5 1fc2c6b80936efc502bfc30fc24caa56
SHA1 4e5b26ff3b225906c2b9e39e0f06126cfc43a257
SHA256 9c47a3b84012837c60b7feced86ed0a4f12910a85fd259a4483a48cd940e3514
SHA512 d07655d78aca969ccc0d7cedf9e337c7b20082d80be1d90d69c42be933fbab1c828316d2eb5461ded2ff35e52762e249fc0c2bccbc2b8436488fb6a270d3d9ee

memory/1476-1043-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-1041-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-1039-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-1037-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-1029-0x0000000002990000-0x0000000002991000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI28482\_hashlib.pyd

MD5 5fa7c9d5e6068718c6010bbeb18fbeb3
SHA1 93e8875d6d0f943b4226e25452c2c7d63d22b790
SHA256 2e98f91087f56dfdffbbdd951cd55cd7ea771cec93d59cadb86b964ed8708155
SHA512 3104aa8b785740dc6a5261c27b2bdc6e14b2f37862fa0fba151b1bc1bfc0e5fb5b6934b95488fa47c5af3fc2b2283f333ff6517b6f8cf0437c52cf171da58bf5

\Users\Admin\AppData\Local\Temp\_MEI28482\_bz2.pyd

MD5 fc0d862a854993e0e51c00dee3eec777
SHA1 20203332c6f7bd51f6a5acbbc9f677c930d0669d
SHA256 e5de23dbac7ece02566e79b3d1923a8eeae628925c7fb4b98a443cad94a06863
SHA512 b3c2ade15cc196e687e83dd8d21ce88b83c8137a83cfc20bc8f2c8f3ab72643ef7ca08e1dc23de0695f508ba0080871956303ac30f92ab865f3e4249d4d65c2f

memory/1476-1027-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-1025-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-1023-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-1021-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-1019-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-1017-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-1008-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-1006-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-1004-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-1002-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-1000-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-998-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-996-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-994-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-992-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-990-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1476-989-0x0000000002980000-0x0000000002981000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI28482\pytransform.key

MD5 2bcf75f492f791ef1a45b9e54cbe3170
SHA1 8df4c5ccceda7bebdad76902ea9ca6604d5cfde9
SHA256 59449650714f8f34cbbceb9c4e4ac8070ba77b8b2ba42c18e8945b82de594455
SHA512 185576d8aba1e147ccfaeee4c99ee6d90c1a7aa73a1c14a0aaf9e8f9eef8aeec1f31b7c9c92136f5ab003ec4de64806816c276d5180464cc76416fd24da574f9

C:\Users\Admin\AppData\Local\Temp\_MEI28482\_lzma.pyd

MD5 60e215bb78fb9a40352980f4de818814
SHA1 ff750858c3352081514e2ae0d200f3b8c3d40096
SHA256 c4d00582dee45841747b07b91a3e46e55af79e6518ec9f0ce59b989c0acd2806
SHA512 398a441de98963873417da6352413d080620faf2ae4b99425d7c9eaf96d5f2fdf1358e21f16870bdff514452115266a58ee3c6783611f037957bfa4bcec34230

C:\Users\Admin\AppData\Local\Temp\_MEI28482\certifi\cacert.pem

MD5 c760591283d5a4a987ad646b35de3717
SHA1 5d10cbd25ac1c7ced5bfb3d6f185fa150f6ea134
SHA256 1a14f6e1fd11efff72e1863f8645f090eec1b616614460c210c3b7e3c13d4b5e
SHA512 c192ae381008eaf180782e6e40cd51834e0233e98942bd071768308e179f58f3530e6e883f245a2630c86923dbeb68b624c5ec2167040d749813fedc37a6d1e6

C:\Users\Admin\AppData\Local\Temp\_MEI28482\unicodedata.pyd

MD5 549c9eeda8546cd32d0713c723abd12a
SHA1 f84b2c529cff58b888cc99f566fcd2eba6ff2b8e
SHA256 5d5e733397ef7c4946cf26c84b07312cb12eaf339374613d4381e694ef38169b
SHA512 9432daf045bac3e322b1797f49afe50f76faf8b7d8db063a1d56578016c813881af3324e2529032a8644a04b58ccc9d2c363bf92b56115f06b9eefebfab08180

C:\Users\Admin\AppData\Local\Temp\_MEI28482\_asyncio.pyd

MD5 7dd62e9903d66377d49d592b6e6dac82
SHA1 2b6bec5d58cd4a7f0eaa809179461dbdb527d4f7
SHA256 29712c65138fc02208d8575a8ef188d69947464dd0dc2be53f34c8da81a82f06
SHA512 9bc8526c6c9eba3682848277079457bb443a516cdbf3f10d281763a37483e7c6929afeddd7d9663e3573dd03665230395cec7c60ea3f1671df93628a665822ad

C:\Users\Admin\AppData\Local\Temp\_MEI28482\_overlapped.pyd

MD5 da51560431c584706d9a9e3e40e82cfe
SHA1 e60c22a05fd6a34c95f46dc17292f8c4d5e8c332
SHA256 ef1bb6abedc9a6e156eca16aa53e836948deb224cdc0c5fc05e7816f860c38a9
SHA512 555aa6fd084b0675d629bf79711c91899d178735e4b1b9f9ac4c13d7f01e0a3d8f6436699e37922f04baffef32eff540ef4bace6b58e3bafafa021ddc12564eb

memory/1476-1073-0x0000000070A00000-0x0000000070ABC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 20:35

Reported

2024-05-25 20:43

Platform

win10v2004-20240508-en

Max time kernel

442s

Max time network

432s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe"

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 780 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe
PID 780 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe

"C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe"

C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe

"C:\Users\Admin\AppData\Local\Temp\MagicDorks.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4608,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI7802\python38.dll

MD5 1f2688b97f9827f1de7dfedb4ad2348c
SHA1 a9650970d38e30835336426f704579e87fcfc892
SHA256 169eeb1bdf99ed93ca26453d5ca49339e5ae092662cd94cde09fbb10046f83fc
SHA512 27e56b2d73226e36b0c473d8eb646813997cbdf955397d0b61fcae37ed1f2c3715e589f9a07d909a967009ed2c664d14007ccf37d83a7df7ce2a0fefca615503

C:\Users\Admin\AppData\Local\Temp\_MEI7802\MagicDorks.exe.manifest

MD5 e51c1b86f0850f1a9c3aabb61c019fda
SHA1 478274da912591d2b384a005b87b558f3e4cbe2e
SHA256 ad577f3c498a0c3e9b899a4492d333dde0f857faafc100261c59145b46d8078f
SHA512 60031380fa489d842588911aefd57f64c0af3e93ee32b05c6f3a8dce22ab753b17a3b6dd951c339e8793603eed5adb0cb2962b9b44886f585b1f239d21ae60b9

C:\Users\Admin\AppData\Local\Temp\_MEI7802\base_library.zip

MD5 50060b2f8f4495e066613801bce8059f
SHA1 3db6700c554d92663dc433ca3ba308a1a1fa3279
SHA256 5fae2dfe5188249b2e25080f8886a27a81bdcc9fe8b99d3c2bc3b3f7ad0f6236
SHA512 a3bd9cb1f0332aeb993cc4ca364df20e965aa896a14120b8de7863f71b66ad14ac2ebfe77985cde60b551685e21d23c6af0825af8bc514c896b10ffebda8e958

C:\Users\Admin\AppData\Local\Temp\_MEI7802\VCRUNTIME140.dll

MD5 18571d6663b7d9ac95f2821c203e471f
SHA1 3c186018df04e875d6b9f83521028a21f145e3be
SHA256 0b040a314c19ff88f38fd9c89dca2d493113a6109adb8525733c3f6627da888f
SHA512 c8cbca1072b8cb04f9d82135c91ff6d7a539cb7a488671cecb6b5e2f11a4807f47ad9af5a87ebee44984ab71d7c44fc87850f9d04fd2c5019ec1b6a1b483ca21

C:\Users\Admin\AppData\Local\Temp\_MEI7802\_socket.pyd

MD5 1d53841bb21acdcc8742828c3aded891
SHA1 cdf15d4815820571684c1f720d0cba24129e79c8
SHA256 ab13258c6da2c26c4dca7239ff4360ca9166ea8f53bb8cc08d2c7476cab7d61b
SHA512 0266bcbcd7ca5f6c9df8dbeea00e1275932dacc38e5dd83a47bfbb87f7ca6778458a6671d8b84a63ae9216a65975da656ba487ac28d41140122f46d0174fa9f9

C:\Users\Admin\AppData\Local\Temp\_MEI7802\libcrypto-1_1.dll

MD5 cc4cbf715966cdcad95a1e6c95592b3d
SHA1 d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256 594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA512 3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

C:\Users\Admin\AppData\Local\Temp\_MEI7802\tk86t.dll

MD5 fdc8a5d96f9576bd70aa1cadc2f21748
SHA1 bae145525a18ce7e5bc69c5f43c6044de7b6e004
SHA256 1a6d0871be2fa7153de22be008a20a5257b721657e6d4b24da8b1f940345d0d5
SHA512 816ada61c1fd941d10e6bb4350baa77f520e2476058249b269802be826bab294a9c18edc5d590f5ed6f8dafed502ab7ffb29db2f44292cb5bedf2f5fa609f49c

C:\Users\Admin\AppData\Local\Temp\_MEI7802\unicodedata.pyd

MD5 549c9eeda8546cd32d0713c723abd12a
SHA1 f84b2c529cff58b888cc99f566fcd2eba6ff2b8e
SHA256 5d5e733397ef7c4946cf26c84b07312cb12eaf339374613d4381e694ef38169b
SHA512 9432daf045bac3e322b1797f49afe50f76faf8b7d8db063a1d56578016c813881af3324e2529032a8644a04b58ccc9d2c363bf92b56115f06b9eefebfab08180

C:\Users\Admin\AppData\Local\Temp\_MEI7802\_overlapped.pyd

MD5 da51560431c584706d9a9e3e40e82cfe
SHA1 e60c22a05fd6a34c95f46dc17292f8c4d5e8c332
SHA256 ef1bb6abedc9a6e156eca16aa53e836948deb224cdc0c5fc05e7816f860c38a9
SHA512 555aa6fd084b0675d629bf79711c91899d178735e4b1b9f9ac4c13d7f01e0a3d8f6436699e37922f04baffef32eff540ef4bace6b58e3bafafa021ddc12564eb

C:\Users\Admin\AppData\Local\Temp\_MEI7802\_asyncio.pyd

MD5 7dd62e9903d66377d49d592b6e6dac82
SHA1 2b6bec5d58cd4a7f0eaa809179461dbdb527d4f7
SHA256 29712c65138fc02208d8575a8ef188d69947464dd0dc2be53f34c8da81a82f06
SHA512 9bc8526c6c9eba3682848277079457bb443a516cdbf3f10d281763a37483e7c6929afeddd7d9663e3573dd03665230395cec7c60ea3f1671df93628a665822ad

C:\Users\Admin\AppData\Local\Temp\_MEI7802\certifi\cacert.pem

MD5 c760591283d5a4a987ad646b35de3717
SHA1 5d10cbd25ac1c7ced5bfb3d6f185fa150f6ea134
SHA256 1a14f6e1fd11efff72e1863f8645f090eec1b616614460c210c3b7e3c13d4b5e
SHA512 c192ae381008eaf180782e6e40cd51834e0233e98942bd071768308e179f58f3530e6e883f245a2630c86923dbeb68b624c5ec2167040d749813fedc37a6d1e6

C:\Users\Admin\AppData\Local\Temp\_MEI7802\_lzma.pyd

MD5 60e215bb78fb9a40352980f4de818814
SHA1 ff750858c3352081514e2ae0d200f3b8c3d40096
SHA256 c4d00582dee45841747b07b91a3e46e55af79e6518ec9f0ce59b989c0acd2806
SHA512 398a441de98963873417da6352413d080620faf2ae4b99425d7c9eaf96d5f2fdf1358e21f16870bdff514452115266a58ee3c6783611f037957bfa4bcec34230

C:\Users\Admin\AppData\Local\Temp\_MEI7802\_bz2.pyd

MD5 fc0d862a854993e0e51c00dee3eec777
SHA1 20203332c6f7bd51f6a5acbbc9f677c930d0669d
SHA256 e5de23dbac7ece02566e79b3d1923a8eeae628925c7fb4b98a443cad94a06863
SHA512 b3c2ade15cc196e687e83dd8d21ce88b83c8137a83cfc20bc8f2c8f3ab72643ef7ca08e1dc23de0695f508ba0080871956303ac30f92ab865f3e4249d4d65c2f

C:\Users\Admin\AppData\Local\Temp\_MEI7802\_hashlib.pyd

MD5 5fa7c9d5e6068718c6010bbeb18fbeb3
SHA1 93e8875d6d0f943b4226e25452c2c7d63d22b790
SHA256 2e98f91087f56dfdffbbdd951cd55cd7ea771cec93d59cadb86b964ed8708155
SHA512 3104aa8b785740dc6a5261c27b2bdc6e14b2f37862fa0fba151b1bc1bfc0e5fb5b6934b95488fa47c5af3fc2b2283f333ff6517b6f8cf0437c52cf171da58bf5

C:\Users\Admin\AppData\Local\Temp\_MEI7802\_queue.pyd

MD5 1fc2c6b80936efc502bfc30fc24caa56
SHA1 4e5b26ff3b225906c2b9e39e0f06126cfc43a257
SHA256 9c47a3b84012837c60b7feced86ed0a4f12910a85fd259a4483a48cd940e3514
SHA512 d07655d78aca969ccc0d7cedf9e337c7b20082d80be1d90d69c42be933fbab1c828316d2eb5461ded2ff35e52762e249fc0c2bccbc2b8436488fb6a270d3d9ee

C:\Users\Admin\AppData\Local\Temp\_MEI7802\tcl\encoding\cp1252.enc

MD5 5900f51fd8b5ff75e65594eb7dd50533
SHA1 2e21300e0bc8a847d0423671b08d3c65761ee172
SHA256 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0
SHA512 ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

C:\Users\Admin\AppData\Local\Temp\_MEI7802\tcl86t.dll

MD5 c0b23815701dbae2a359cb8adb9ae730
SHA1 5be6736b645ed12e97b9462b77e5a43482673d90
SHA256 f650d6bc321bcda3fc3ac3dec3ac4e473fb0b7b68b6c948581bcfc54653e6768
SHA512 ed60384e95be8ea5930994db8527168f78573f8a277f8d21c089f0018cd3b9906da764ed6fcc1bd4efad009557645e206fbb4e5baef9ab4b2e3c8bb5c3b5d725

C:\Users\Admin\AppData\Local\Temp\_MEI7802\_tkinter.pyd

MD5 7577b428063ea0eda1e0937f4976b078
SHA1 6256415033aae978835fe3dc4523a462d5932873
SHA256 7fdbb5a713a3de7413564a2ec15c8715f3ba203bfe2b944c9cda610155c511d1
SHA512 a36e09535579e5cc2fcc86659ae60fa7a779bfd577b6dc9d27fec78e8be1e095f52320fe0822fcb080b96d71729e97c6f07c8728565e8aea708426289485147c

memory/5008-1051-0x00007FFC00000000-0x00007FFC00001000-memory.dmp

memory/5008-1050-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-1048-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-1046-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-1044-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-1042-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-1040-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-1038-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-1030-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-1028-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-1026-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-1024-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-1022-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-1020-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-1018-0x00000144F6680000-0x00000144F6681000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI7802\license.lic

MD5 2353cbf3f0e56f19ab81b9dd3a160e95
SHA1 3dcca8296e91da135b6c5b9346d02fd06f85900e
SHA256 4636adc8235f6af6d4ca13e77f12a1044e8511184cccef7031c8e24314bd9605
SHA512 27093980d5bb490d1cc828af46f0e40bb46d3a573651be91f4fade6303d2584d79b33ae8d24768b4e04adb1b7814589b2048d332b1716a4b0925275f8136e142

memory/5008-1009-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-1007-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-1005-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-1003-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-1001-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-999-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-997-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-995-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-993-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-991-0x00000144F6680000-0x00000144F6681000-memory.dmp

memory/5008-990-0x00000144F6670000-0x00000144F6671000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI7802\pytransform.key

MD5 2bcf75f492f791ef1a45b9e54cbe3170
SHA1 8df4c5ccceda7bebdad76902ea9ca6604d5cfde9
SHA256 59449650714f8f34cbbceb9c4e4ac8070ba77b8b2ba42c18e8945b82de594455
SHA512 185576d8aba1e147ccfaeee4c99ee6d90c1a7aa73a1c14a0aaf9e8f9eef8aeec1f31b7c9c92136f5ab003ec4de64806816c276d5180464cc76416fd24da574f9

C:\Users\Admin\AppData\Local\Temp\_MEI7802\_pytransform.dll

MD5 4fdf69f15ece51f7818cb525bd4189b5
SHA1 99df7e291b17bcd4fd17af9f727d40e81a7ba143
SHA256 5304bdb81e30053fe06ed232c05b87d0c5622f8886290e662296cda3fb4c3fe0
SHA512 60ae66392e7b8605a6477ebfa43cffb8ef4434e6220e6c17c92dbbd0471ab6c561c8470edb56614696f3408f790ef9f3f96a6d354b6653531e5ce89f7393d9bc

C:\Users\Admin\AppData\Local\Temp\_MEI7802\libssl-1_1.dll

MD5 bc778f33480148efa5d62b2ec85aaa7d
SHA1 b1ec87cbd8bc4398c6ebb26549961c8aab53d855
SHA256 9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843
SHA512 80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

C:\Users\Admin\AppData\Local\Temp\_MEI7802\_ssl.pyd

MD5 84dea8d0acce4a707b094a3627b62eab
SHA1 d45dda99466ab08cc922e828729d0840ae2ddc18
SHA256 dcf6b3ff84b55c3859d0f176c4ce6904c0d7d4643a657b817c6322933dbf82f6
SHA512 fdaa7eb10f8bf7b42a5c9691f600eff48190041a8b28a5dab977170db717fff58dd0f64b02ca30d274552ff30ee02a6577f1465792cf6760366c2588bf373108

C:\Users\Admin\AppData\Local\Temp\_MEI7802\select.pyd

MD5 a2ab334e18222738dcb05bf820725938
SHA1 2f75455a471f95ac814b8e4560a023034480b7b5
SHA256 7ba95624370216795ea4a087c326422cfcbccc42b5ada21f4d85c532c71afad7
SHA512 72e891d1c7e5ea44a569283b5c8bd8c310f2ee3d3cc9c25c6a7d7d77a62cb301c822c833b0792c3163cf0b0d6272da2f667e6bc74b07ed7946082433f77d9679

C:\Users\Admin\AppData\Local\Temp\_MEI7802\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI7802\_ctypes.pyd

MD5 8adb1345c717e575e6614e163eb62328
SHA1 f1ee3fff6e06dc4f22a5eb38c09c54580880e0a3
SHA256 65edc348db42347570578b979151b787ceebfc98e0372c28116cc229494a78a8
SHA512 0f11673854327fd2fcd12838f54c080edc4d40e4bcb50c413fe3f823056d189636dc661ea79207163f966719bf0815e1ffa75e2fb676df4e56ed6321f1ff6cae

C:\Users\Admin\AppData\Local\Temp\_MEI7802\python3.dll

MD5 9779c701be8e17867d1d92d470607948
SHA1 6aae834541ccc73d1c87c9f1a12df4ac0cf9001f
SHA256 59e6421802d30326c1704f15acc2b2888097241e291aba4860d1e1fc3d26d4bf
SHA512 4e34bcdd2093347d2b4e5c0f8c25f5d36d54097283faf5b2be1c75d717f716d459a45336647d3360457f25417952e62f8f21f5a720204fe5b894d5513e43e782

memory/5008-1074-0x0000000070A00000-0x0000000070ABC000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-25 20:35

Reported

2024-05-25 20:38

Platform

win7-20240508-en

Max time kernel

121s

Max time network

127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\MagicDorks.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\MagicDorks.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MagicDorks.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\MagicDorks.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 30a8fed278f8e28504470fa153db5ac4
SHA1 0b92add4675a742cea108566e33ad73bfa7a9f3f
SHA256 148bfab838d077ff8dfbf34a4bad38d34445e385a556d76141e8b16e1b9b7bce
SHA512 38811521e12f6765e788f95829b2df26bf9cebf26a95cd1321ddf6850e27c1325fbe674f37e8a3fabde0539faf0a45b65c558a200dba2e3bb0e63b9d125bfbb7

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-25 20:35

Reported

2024-05-25 20:38

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

155s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\MagicDorks.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\MagicDorks.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

N/A