Analysis Overview
SHA256
92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362
Threat Level: Known bad
The file 92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362 was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Loads dropped DLL
Unsigned PE
Detects Pyinstaller
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-05-26 14:21
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
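The "Detects Pyinstaller" signature above, together with the python34.dll, base_library.zip and .pyd files dropped into a _MEIxxxx directory in the behavioral runs, means the next static step is to locate the PyInstaller archive appended to the bootloader and list what it bundles (the 's' entries are the packed scripts to decompile). The parser below is an added example for this report, not code from the sandbox vendor; it implements the PyInstaller CArchive trailer layout (8-byte cookie magic, big-endian header with a 64-byte Python library name, 16-byte aligned TOC entries) used by PyInstaller 3.x to 5.x, and the archive it parses is constructed inline as a fixture rather than being the analysed binary.

```python
"""Identify a PyInstaller-built PE and list the entries of its embedded archive.

Added example for this report (not sandbox-vendor code).  Implements the
PyInstaller CArchive trailer ("cookie") and table-of-contents format as used
by PyInstaller 3.x-5.x.  The sample archive is constructed inline.
"""
import struct

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"              # cookie magic, last part of the archive
COOKIE_FMT = "!8sIIII64s"                        # magic, pkg_len, toc_off, toc_len, pyvers, pylib
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)        # 88 bytes
TOC_ENTRY_FMT = "!IIIIBc"                        # entry_len, data_off, comp_len, uncomp_len, cflag, type
TOC_ENTRY_HDR = struct.calcsize(TOC_ENTRY_FMT)   # 18 bytes; NUL-terminated name follows


def find_cookie(data):
    """Locate the cookie by searching backwards: it is usually at EOF, but an
    Authenticode signature appended after packing pushes it inwards."""
    pos = data.rfind(MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    return pos, {"pkg_len": pkg_len, "toc_off": toc_off, "toc_len": toc_len,
                 "pyvers": pyvers, "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace")}


def parse_toc(data):
    """Return (cookie_fields, entries) or None if this is not a PyInstaller PE."""
    found = find_cookie(data)
    if found is None:
        return None
    cookie_pos, c = found
    pkg_start = cookie_pos + COOKIE_SIZE - c["pkg_len"]   # pkg_len includes the cookie itself
    toc_pos = pkg_start + c["toc_off"]
    toc_end = toc_pos + c["toc_len"]
    entries = []
    while toc_pos + TOC_ENTRY_HDR <= toc_end:
        entry_len, off, clen, ulen, cflag, typ = struct.unpack_from(TOC_ENTRY_FMT, data, toc_pos)
        if entry_len < TOC_ENTRY_HDR:                     # corrupt TOC: stop, do not loop forever
            break
        name = data[toc_pos + TOC_ENTRY_HDR:toc_pos + entry_len].rstrip(b"\x00")
        entries.append({"name": name.decode("utf-8", "replace"), "type": typ.decode(),
                        "offset": pkg_start + off, "compressed": clen, "size": ulen,
                        "zlib": bool(cflag)})
        toc_pos += entry_len
    return c, entries


def python_version(pyvers):
    # PyInstaller <4 stores e.g. 34 for Python 3.4; newer builds store 310 for 3.10
    return f"{pyvers // 100}.{pyvers % 100}" if pyvers >= 100 else f"{pyvers // 10}.{pyvers % 10}"


def triage(data):
    parsed = parse_toc(data)
    if parsed is None:
        return {"pyinstaller": False}
    cookie, entries = parsed
    return {"pyinstaller": True,
            "python": python_version(cookie["pyvers"]),
            "pylib": cookie["pylib"],
            "scripts": [e["name"] for e in entries if e["type"] == "s"],    # decompile these first
            "binaries": [e["name"] for e in entries if e["type"] == "b"]}   # extracted to _MEIxxxx at run time


def build_sample_archive(bootloader):
    """Construct a minimal PyInstaller-style overlay as a test fixture (not a real payload)."""
    blobs = [("1", b"s", b"import socket  # placeholder script body"),
             ("python34.dll", b"b", b"MZ" + b"\x00" * 30),
             ("PYZ-00.pyz", b"z", b"PYZ\x00placeholder")]
    pkg, toc = bytearray(), bytearray()
    for name, typ, body in blobs:
        data_off = len(pkg)
        pkg += body
        name_b = name.encode() + b"\x00"
        entry_len = TOC_ENTRY_HDR + len(name_b)
        entry_len += (-entry_len) % 16                    # entries are padded to 16-byte alignment
        toc += struct.pack(TOC_ENTRY_FMT, entry_len, data_off, len(body), len(body), 0, typ)
        toc += name_b.ljust(entry_len - TOC_ENTRY_HDR, b"\x00")
    toc_off = len(pkg)
    pkg += toc
    cookie = struct.pack(COOKIE_FMT, MAGIC, len(pkg) + COOKIE_SIZE, toc_off, len(toc), 34, b"python34.dll")
    return bootloader + bytes(pkg) + cookie


if __name__ == "__main__":
    sample = build_sample_archive(b"MZ" + b"\x90" * 500)   # stand-in for the bootloader PE
    print(triage(sample))
    for entry in parse_toc(sample)[1]:
        print(f"{entry['type']} {entry['name']:<16} off=0x{entry['offset']:x} size={entry['size']}")
```

To run it on the real file, replace the constructed sample with `open(path, "rb").read()`; the 'b' entries should line up with the _MEIxxxx drops listed under Files, and the 's' entry is what the PyInstaller bootloader executes. A PyInstaller 2.0 cookie (24 bytes, no library name) is not handled here.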
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 14:21
Reported
2024-05-26 14:23
Platform
win7-20240215-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
MetaSploit
Loads dropped DLL
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe
"C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe"
C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe
"C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.188.128:5577 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI3842\1.exe.manifest
| MD5 | 0438cd033a562d3185f556f430fe722a |
| SHA1 | aa2b55ac2476df339f8d3136f20a5709bde0f69c |
| SHA256 | b49026e09006b519c4168f37c6311a92738592d5ba6451975c183caaa150f0e5 |
| SHA512 | f80657ed9481c38505fe1358fabb6b54e9b29cac28bf3219e0124420e30bec28a5c3e50e883d8465f6d7437a433b0ce730f1b37e8890acaded9f5bda4a817b43 |
C:\Users\Admin\AppData\Local\Temp\_MEI3842\python34.dll
| MD5 | 4ee1ea91b7263bed66ff01bc80649e90 |
| SHA1 | a93b548933b291c13bb2e7cbc0c17409d2f875a4 |
| SHA256 | 0f14047ea66eae192a9750f7b0e329873e8b554de58ca332c9acbdc4d63e10e3 |
| SHA512 | ef52f934aa39b5d6c6f152a9b5a159957e68471d117bd002330ee18d9143987d79dd7bce9208ce0ffb0699acb05169a15ed75d2ce4128e52e31b7f60f3ee51a4 |
C:\Users\Admin\AppData\Local\Temp\_MEI3842\MSVCR100.dll
| MD5 | bf38660a9125935658cfa3e53fdc7d65 |
| SHA1 | 0b51fb415ec89848f339f8989d323bea722bfd70 |
| SHA256 | 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa |
| SHA512 | 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1 |
C:\Users\Admin\AppData\Local\Temp\_MEI3842\base_library.zip
| MD5 | cdf57168a1995b187681efea85b33500 |
| SHA1 | 1e852b89fbd1adf4abc5135dbf7fbba53d3f38ec |
| SHA256 | 18a0fa1644ac09334dae491a5be7973b927a95ab7fcc8e8828ccbb249a5ed369 |
| SHA512 | 9082951c3889d94e271f564893781f697ed2de5edfa9a033f7531a172d6349c14d23666f1b1857c09979d5518f19d7096bd7c3719d7e3302aa9eb92374c63e1e |
C:\Users\Admin\AppData\Local\Temp\_MEI3842\Crypto.Cipher._AES.pyd
| MD5 | 3c4ab2e06feb6e4ca1b7a1244055671a |
| SHA1 | a4c3c44b45248b7cf53881e6d8efa8d557e100a9 |
| SHA256 | c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23 |
| SHA512 | 7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c |
C:\Users\Admin\AppData\Local\Temp\_MEI3842\_ctypes.pyd
| MD5 | 5d1bc1be2f02b4a2890e921af15190d2 |
| SHA1 | 057c88438b40cd8e73554274171341244f107139 |
| SHA256 | 97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da |
| SHA512 | 9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9 |
memory/2056-25-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/384-27-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2056-28-0x0000000000400000-0x0000000000430000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 14:21
Reported
2024-05-26 14:23
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
MetaSploit
Loads dropped DLL
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe
"C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe"
C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe
"C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| N/A | 192.168.188.128:5577 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI6242\1.exe.manifest
| MD5 | 0438cd033a562d3185f556f430fe722a |
| SHA1 | aa2b55ac2476df339f8d3136f20a5709bde0f69c |
| SHA256 | b49026e09006b519c4168f37c6311a92738592d5ba6451975c183caaa150f0e5 |
| SHA512 | f80657ed9481c38505fe1358fabb6b54e9b29cac28bf3219e0124420e30bec28a5c3e50e883d8465f6d7437a433b0ce730f1b37e8890acaded9f5bda4a817b43 |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\python34.dll
| MD5 | 4ee1ea91b7263bed66ff01bc80649e90 |
| SHA1 | a93b548933b291c13bb2e7cbc0c17409d2f875a4 |
| SHA256 | 0f14047ea66eae192a9750f7b0e329873e8b554de58ca332c9acbdc4d63e10e3 |
| SHA512 | ef52f934aa39b5d6c6f152a9b5a159957e68471d117bd002330ee18d9143987d79dd7bce9208ce0ffb0699acb05169a15ed75d2ce4128e52e31b7f60f3ee51a4 |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\MSVCR100.dll
| MD5 | bf38660a9125935658cfa3e53fdc7d65 |
| SHA1 | 0b51fb415ec89848f339f8989d323bea722bfd70 |
| SHA256 | 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa |
| SHA512 | 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1 |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\base_library.zip
| MD5 | cdf57168a1995b187681efea85b33500 |
| SHA1 | 1e852b89fbd1adf4abc5135dbf7fbba53d3f38ec |
| SHA256 | 18a0fa1644ac09334dae491a5be7973b927a95ab7fcc8e8828ccbb249a5ed369 |
| SHA512 | 9082951c3889d94e271f564893781f697ed2de5edfa9a033f7531a172d6349c14d23666f1b1857c09979d5518f19d7096bd7c3719d7e3302aa9eb92374c63e1e |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\Crypto.Cipher._AES.pyd
| MD5 | 3c4ab2e06feb6e4ca1b7a1244055671a |
| SHA1 | a4c3c44b45248b7cf53881e6d8efa8d557e100a9 |
| SHA256 | c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23 |
| SHA512 | 7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c |
C:\Users\Admin\AppData\Local\Temp\_MEI6242\_ctypes.pyd
| MD5 | 5d1bc1be2f02b4a2890e921af15190d2 |
| SHA1 | 057c88438b40cd8e73554274171341244f107139 |
| SHA256 | 97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da |
| SHA512 | 9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9 |
memory/3152-25-0x0000000000C70000-0x0000000000C71000-memory.dmp
memory/624-27-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3152-28-0x0000000000400000-0x0000000000430000-memory.dmp
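The behavioral1 and behavioral2 runs show the same pattern: the sample starts a second copy of itself, WriteProcessMemory and AdjustPrivilegeToken fire, the 0x400000-0x430000 range is dumped from both PIDs, and the only direct connection goes to 192.168.188.128:5577, a private address. The script below is an added example for this report, not sandbox-vendor code, that correlates those artefacts for both runs; its input is transcribed from the report above (the behavioral2 DNS rows are a subset), and the rule "same image-base region dumped from two PIDs plus WriteProcessMemory means injection into the child copy" and the treatment of in-addr.arpa rows as unattributed PTR noise are triage heuristics of this example, not facts stated by the sandbox.

```python
"""Correlate the process tree, memory dumps and network rows of a sandbox run.

Added example for this report, not sandbox-vendor code.  RUNS is transcribed
from the behavioral1/behavioral2 sections above; the injection rule and the
PTR-noise filter are triage heuristics, not sandbox verdicts.
"""
import ipaddress
import re
from collections import defaultdict

EXE = r"C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe"
SIGS = {"MetaSploit", "Loads dropped DLL",
        "Suspicious use of AdjustPrivilegeToken", "Suspicious use of WriteProcessMemory"}

RUNS = {
    "behavioral1": {
        "processes": [EXE, EXE],
        "signatures": SIGS,
        "dumps": ["memory/2056-25-0x00000000003B0000-0x00000000003B1000-memory.dmp",
                  "memory/384-27-0x0000000000400000-0x0000000000430000-memory.dmp",
                  "memory/2056-28-0x0000000000400000-0x0000000000430000-memory.dmp"],
        "network": [("192.168.188.128:5577", "tcp", None)],
    },
    "behavioral2": {
        "processes": [EXE, EXE],
        "signatures": SIGS,
        "dumps": ["memory/3152-25-0x0000000000C70000-0x0000000000C71000-memory.dmp",
                  "memory/624-27-0x0000000000400000-0x0000000000430000-memory.dmp",
                  "memory/3152-28-0x0000000000400000-0x0000000000430000-memory.dmp"],
        "network": [("8.8.8.8:53", "udp", "8.8.8.8.in-addr.arpa"),        # subset of the DNS rows
                    ("8.8.8.8:53", "udp", "28.118.140.52.in-addr.arpa"),
                    ("192.168.188.128:5577", "tcp", None)],
    },
}

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump_name(name):
    """memory/<pid>-<seq>-<start>-<end>-memory.dmp -> dict, or None if not a dump name."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        return None
    pid, seq, start, end = m.groups()
    return {"pid": int(pid), "seq": int(seq), "start": int(start, 16), "end": int(end, 16)}


def shared_regions(dump_names):
    """Address ranges dumped from more than one PID at identical addresses."""
    by_range = defaultdict(set)
    for d in filter(None, map(parse_dump_name, dump_names)):
        by_range[(d["start"], d["end"])].add(d["pid"])
    return [{"start": s, "end": e, "size": e - s, "pids": sorted(pids)}
            for (s, e), pids in sorted(by_range.items()) if len(pids) > 1]


def classify_network(rows):
    """Count PTR lookups (not attributable to the sample without per-process
    attribution) and tag direct connections by address scope."""
    ptr, conns = 0, []
    for dest, proto, domain in rows:
        if domain and domain.endswith(".in-addr.arpa"):
            ptr += 1
            continue
        host, port = dest.rsplit(":", 1)
        scope = "private" if ipaddress.ip_address(host).is_private else "public"
        conns.append((host, int(port), proto, scope))
    return ptr, conns


def triage_run(run):
    paths = run["processes"]
    self_spawn = len(paths) >= 2 and len(set(paths)) == 1      # second copy of the same image
    regions = shared_regions(run["dumps"])
    ptr, conns = classify_network(run["network"])
    injection = (self_spawn
                 and "Suspicious use of WriteProcessMemory" in run["signatures"]
                 and any(r["start"] == 0x400000 for r in regions))   # 0x400000: default x86 image base
    return {"self_spawn": self_spawn, "shared_regions": regions,
            "injection_suspected": injection, "ptr_lookups": ptr, "connections": conns}


if __name__ == "__main__":
    for run_name, run in RUNS.items():
        print(run_name, triage_run(run))
```

The "private" tag on the 5577/tcp destination is the practical caveat for anyone pivoting on the network indicator: an RFC1918 address is not reachable from the sandbox or from the Internet, so the connection seen here cannot have completed, and 192.168.188.128 is not a usable external IOC.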