Malware Analysis Report

2025-05-05 21:32

Sample ID 240529-hy758aee3w
Target AAFK.exe
SHA256 c46467e9766eda6141c54e4306f6eff0417cb24c7a56c96834c83b3bb95f1369
Tags
pyinstaller
score
7/10

Analysis Overview

score
7/10

SHA256

c46467e9766eda6141c54e4306f6eff0417cb24c7a56c96834c83b3bb95f1369

Threat Level: Shows suspicious behavior

The file AAFK.exe was found to show suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 07:09

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 07:09

Reported

2024-05-29 07:12

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AAFK.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\AAFK.exe

"C:\Users\Admin\AppData\Local\Temp\AAFK.exe"

C:\Users\Admin\AppData\Local\Temp\AAFK.exe

"C:\Users\Admin\AppData\Local\Temp\AAFK.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI23922\AAFK.exe.manifest

C:\Users\Admin\AppData\Local\Temp\_MEI23922\python37.dll

C:\Users\Admin\AppData\Local\Temp\_MEI23922\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI23922\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI23922\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI23922\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI23922\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI23922\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI23922\libcrypto-1_1-x64.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 07:09

Reported

2024-05-29 07:12

Platform

win10v2004-20240508-en

Max time kernel

137s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AAFK.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\AAFK.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1528 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\AAFK.exe C:\Users\Admin\AppData\Local\Temp\AAFK.exe
PID 1528 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\AAFK.exe C:\Users\Admin\AppData\Local\Temp\AAFK.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AAFK.exe

"C:\Users\Admin\AppData\Local\Temp\AAFK.exe"

C:\Users\Admin\AppData\Local\Temp\AAFK.exe

"C:\Users\Admin\AppData\Local\Temp\AAFK.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3888,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8

Network

Files

C:\Users\Admin\AppData\Local\Temp\_MEI15282\python37.dll

C:\Users\Admin\AppData\Local\Temp\_MEI15282\AAFK.exe.manifest

C:\Users\Admin\AppData\Local\Temp\_MEI15282\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI15282\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI15282\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI15282\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI15282\libcrypto-1_1-x64.dll

C:\Users\Admin\AppData\Local\Temp\_MEI15282\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI15282\_queue.pyd

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-29 07:09

Reported

2024-05-29 07:12

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\AAFK.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\AAFK.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AAFK.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\AAFK.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-29 07:09

Reported

2024-05-29 07:12

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\AAFK.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\AAFK.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A