Analysis Overview
SHA256
01ea22ea51749f46a0019657f64fc0d34429fb7cbf9b590c0848c0e0bd9c1f07
Threat Level: Shows suspicious behavior
The file legendary.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Unsigned PE
Detects Pyinstaller
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-03 19:03
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 19:03
Reported
2024-06-03 19:07
Platform
win7-20240221-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\legendary.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\legendary.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\legendary.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\legendary.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\legendary.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\legendary.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\legendary.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3024 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\legendary.exe | C:\Users\Admin\AppData\Local\Temp\legendary.exe |
| PID 3024 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\legendary.exe | C:\Users\Admin\AppData\Local\Temp\legendary.exe |
| PID 3024 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\legendary.exe | C:\Users\Admin\AppData\Local\Temp\legendary.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\legendary.exe
"C:\Users\Admin\AppData\Local\Temp\legendary.exe"
C:\Users\Admin\AppData\Local\Temp\legendary.exe
"C:\Users\Admin\AppData\Local\Temp\legendary.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI30242\ucrtbase.dll
| MD5 | 3b337c2d41069b0a1e43e30f891c3813 |
| SHA1 | ebee2827b5cb153cbbb51c9718da1549fa80fc5c |
| SHA256 | c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7 |
| SHA512 | fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499 |
C:\Users\Admin\AppData\Local\Temp\_MEI30242\api-ms-win-core-localization-l1-2-0.dll
| MD5 | de5695f26a0bcb54f59a8bc3f9a4ecef |
| SHA1 | 99c32595f3edc2c58bdb138c3384194831e901d6 |
| SHA256 | e9539fce90ad8be582b25ab2d5645772c2a5fb195e602ecdbf12b980656e436a |
| SHA512 | df635d5d51cdea24885ae9f0406f317ddcf04ecb6bfa26579bb2e256c457057607844ded4b52ff1f5ca25abe29d1eb2b20f1709cf19035d3829f36bbe31f550f |
C:\Users\Admin\AppData\Local\Temp\_MEI30242\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 74c264cffc09d183fcb1555b16ea7e4b |
| SHA1 | 0b5b08cdf6e749b48254ac811ca09ba95473d47c |
| SHA256 | a8e2fc077d9a7d2faa85e1e6833047c90b22c6086487b98fc0e6a86b7bf8bf09 |
| SHA512 | 285afbcc39717510ced2ed096d9f77fc438268ecaa59cff3cf167fcc538e90c73c67652046b0ee379e0507d6e346af79d43c51a571c6dd66034f9385a73d00d1 |
C:\Users\Admin\AppData\Local\Temp\_MEI30242\api-ms-win-core-file-l1-2-0.dll
| MD5 | d92e6a007fc22a1e218552ebfb65da93 |
| SHA1 | 3c9909332e94f7b7386664a90f52730f4027a75a |
| SHA256 | 03bd3217eae0ef68521b39556e7491292db540f615da873dd8da538693b81862 |
| SHA512 | b8b0e6052e68c08e558e72c168e4ff318b1907c4dc5fc1cd1104f5cae7cc418293013dabbb30c835a5c35a456e1cb22cc352b7ae40f82b9b7311bb7419d854c7 |
C:\Users\Admin\AppData\Local\Temp\_MEI30242\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | cb39eea2ef9ed3674c597d5f0667b5b4 |
| SHA1 | c133dc6416b3346fa5b0f449d7cc6f7dbf580432 |
| SHA256 | 1627b921934053f1f7d2a19948aee06fac5db8ee8d4182e6f071718d0681f235 |
| SHA512 | 2c65014dc045a2c1e5f52f3fea4967d2169e4a78d41fe56617ce9a4d5b30ebf25043112917ff3d7d152744ddef70475937ae0a7f96785f97dcefafe8e6f14d9c |
C:\Users\Admin\AppData\Local\Temp\_MEI30242\api-ms-win-core-file-l2-1-0.dll
| MD5 | 50abf0a7ee67f00f247bada185a7661c |
| SHA1 | 0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1 |
| SHA256 | f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7 |
| SHA512 | c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528 |
C:\Users\Admin\AppData\Local\Temp\_MEI30242\python39.dll
| MD5 | 789b4ecbce732a7e8479e8909f097d16 |
| SHA1 | a79c2e1ca0ad675a48f3bba0fbdeff1b888f0e74 |
| SHA256 | 8314174dacfc1c4f177be8266c78f147621cf577a39742642a76ec27e7b87b02 |
| SHA512 | b9b57ff21735c06f4b3957cdd5a3ab54602a7141f1792de52aea0e6fc41be957070b958ab75b1a26a302b6fb17a02e9a187ad289a6af0c72a5ade43b4bf06e6d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 19:03
Reported
2024-06-03 19:06
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2004 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\legendary.exe | C:\Users\Admin\AppData\Local\Temp\legendary.exe |
| PID 2004 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\legendary.exe | C:\Users\Admin\AppData\Local\Temp\legendary.exe |
| PID 2788 wrote to memory of 3600 | N/A | C:\Users\Admin\AppData\Local\Temp\legendary.exe | C:\Windows\system32\cmd.exe |
| PID 2788 wrote to memory of 3600 | N/A | C:\Users\Admin\AppData\Local\Temp\legendary.exe | C:\Windows\system32\cmd.exe |
| PID 2788 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\legendary.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 2788 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\legendary.exe | C:\Windows\SYSTEM32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\legendary.exe
"C:\Users\Admin\AppData\Local\Temp\legendary.exe"
C:\Users\Admin\AppData\Local\Temp\legendary.exe
"C:\Users\Admin\AppData\Local\Temp\legendary.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\SYSTEM32\cmd.exe
cmd /K echo>nul
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI20042\ucrtbase.dll
| MD5 | 3b337c2d41069b0a1e43e30f891c3813 |
| SHA1 | ebee2827b5cb153cbbb51c9718da1549fa80fc5c |
| SHA256 | c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7 |
| SHA512 | fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499 |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\python39.dll
| MD5 | 789b4ecbce732a7e8479e8909f097d16 |
| SHA1 | a79c2e1ca0ad675a48f3bba0fbdeff1b888f0e74 |
| SHA256 | 8314174dacfc1c4f177be8266c78f147621cf577a39742642a76ec27e7b87b02 |
| SHA512 | b9b57ff21735c06f4b3957cdd5a3ab54602a7141f1792de52aea0e6fc41be957070b958ab75b1a26a302b6fb17a02e9a187ad289a6af0c72a5ade43b4bf06e6d |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\VCRUNTIME140.dll
| MD5 | a87575e7cf8967e481241f13940ee4f7 |
| SHA1 | 879098b8a353a39e16c79e6479195d43ce98629e |
| SHA256 | ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e |
| SHA512 | e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\base_library.zip
| MD5 | 3ae15fe280ecda05eed0cab7624af175 |
| SHA1 | 17b9c742b740ac67674963a2e57a9a3a2cc90e48 |
| SHA256 | 5a189878f57afdcc6b45f03f641f58bf736ace225d5f7f0a4898b802bfabf090 |
| SHA512 | 750c11240a5df35edbdd1e45a4cb1d0aa67ba117fd0ce4bb999ac85940322d33694645f9c104c888f3e265bb476055aaa5d4f99fe991d594369f02d2b903a2ef |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_ctypes.pyd
| MD5 | a1b81ce092c5a2c9afd13b5cae872441 |
| SHA1 | 05b695dbb5e62adb368d8bd142f667b2e7e9d437 |
| SHA256 | eb5ebeb25888ff124abd0db3e08577b84538e62610107fe4e008d7c188a78210 |
| SHA512 | 5158e462b0aeebf711e42363cf9ca1ac546958154257cc3063ba4575da28c2a7c95b1527a54adfa00d9b3c6f8832aedd97e6c79f5cd70a47146afb0f1afa288a |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_socket.pyd
| MD5 | 439b4d756cde64fba441e640df56dd60 |
| SHA1 | 881dbf2366915399b3bb8be6083f94f46eebaaf7 |
| SHA256 | acb377fd6967b2ce819601c7d6a102d30af570eaee9e312e383f34aecd5df142 |
| SHA512 | ef4b78e9f6cc740696836062dffa956ee5b9d1f0be8d809497ea778fea80761fc5b3baa938756344edc18dbaeeae6fe660f2ee8fcc25e0d7985e55f4461e3c33 |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_bz2.pyd
| MD5 | 4fdf3bc5548f98264ccedca2e400e8ef |
| SHA1 | 9254a0a3f16a0dabc11504bbd8bd3b425702a0b6 |
| SHA256 | cb2b8853ccf149b0b175769cb8ed6e2f9c2cbec0af3d8835c43570fd91da1b4f |
| SHA512 | 3bc15f142da4708c9e564fded1207f9502c5efb93c63e9db34caa931ee3d628c3eef66dc2adb42d796f7a2e1908bbe26d917aecd151fbc241d9efc67c8a7f63d |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_queue.pyd
| MD5 | 1b1a7cb8fd95c0d9741462de11abd43d |
| SHA1 | 6ec962cfd0d9f0dc69c9c1d424fe6fee591fe278 |
| SHA256 | 3c907316271b15935ff400b65d24f229feb980a5be9cb4ad9f79f210ff0b884c |
| SHA512 | 8136ec741210ce8be2d2bccd013ee29d154f61f41188faff81c16fa8cfd143870200a757cda7d0f5da738409339c87d6b5c80517c8596fd5d6291dd8164a57cf |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\libcrypto-1_1.dll
| MD5 | 63c4f445b6998e63a1414f5765c18217 |
| SHA1 | 8c1ac1b4290b122e62f706f7434517077974f40e |
| SHA256 | 664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2 |
| SHA512 | aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_hashlib.pyd
| MD5 | cc06750ac9811e6b0ebe1482c032b0cf |
| SHA1 | db0e43e4c0082d44b9385d6d94a68ecc72fd99e7 |
| SHA256 | 9a1ffa72a808fdfe88dd8f9e7083b285edf246df07c35ac032dc45d905f58fce |
| SHA512 | ededec073f5651cdf2f0ed6a74278b0df630871f2ccad7d831a908a7e3efa4e5bed96d38647706add29963a515c9a13051f1457ae934d5ff75129e41bb4cd8dd |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_ssl.pyd
| MD5 | 5e2ee0a0277ffe2bd854abb898310d43 |
| SHA1 | 774cf06c1e6f68c86bf107353e3f4e9df0ec40dd |
| SHA256 | 75ae15b70eaa1950cf259fed95ade499d7c6dfefffdf4c3292c46bd24da25902 |
| SHA512 | 4b593b35373d69b59dd01164e09919862ac76f0e38a97fec458265add610a0dc9bca7287462668eea5b312c741e3c3644019df2f31b20bc6f764c95c968792bd |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\libssl-1_1.dll
| MD5 | bd857f444ebbf147a8fcd1215efe79fc |
| SHA1 | 1550e0d241c27f41c63f197b1bd669591a20c15b |
| SHA256 | b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf |
| SHA512 | 2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_lzma.pyd
| MD5 | ce4a35fc25d50497e8be0e75ff8d61b3 |
| SHA1 | 19325e4bfe74289f062b657df082e47ac7bc14eb |
| SHA256 | e352c77f7810ea83617ed096626ac9c3d628726def47551f90741d201c1f3b3d |
| SHA512 | 380b2be74d440b44c0abad4cfe3cddffbb36ca53d844dfe262b869cff0309f0758a86d220eb8c19eea4f18e823906c90ca2c8566e8e59e5c3e25ddc9d149cdb9 |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\select.pyd
| MD5 | db414debf94abe8d159f42f71fd4c292 |
| SHA1 | 1b585a565d6c769a9323885d0f3af2038fb06dfe |
| SHA256 | 2a451074afe05260fc274fba6851f8f96cd46ad32b657d876dd55f237244b6e3 |
| SHA512 | 16a35bacd1511a327dd490304b48d7b2b87e906e693283950c46b3ae4da5db1f68d50b937f3e31329d106e92751456a9f31637495b2b8190b5f2a4a49c9146a5 |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\unicodedata.pyd
| MD5 | 8a888fc01d0ed182f4c6e3ddc27665eb |
| SHA1 | 1c5af90831ca65c4ece4c0b23110ad81c28d281c |
| SHA256 | 3efd2cfb8f29e914e002a244b2072ad9ed595abcb9179759020f3a10c9089204 |
| SHA512 | e3f85f612a02681d972f26683ee69b9f454497e0c32e8d44a8cc63fa496604467a3be3cd924fdb503d1eb6c9af030d44c462da0bdffed3d83e6b42c211ddc19a |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_uuid.pyd
| MD5 | c6ced76f58eb9bcc88dfea9b4a11d974 |
| SHA1 | de636f32fa2e32785b2dbbd697ae8e0bce3c6540 |
| SHA256 | e4cd5a2b7be54e858592f451b84280397aa8d6546906bc6834170a24a3857fae |
| SHA512 | 7fc5d18ed6165713164aaa6e84377517d5f8c3129bbf65659952a5ee108bebd4da27b1a40053885577bc2cf478fa60cf73e0c97f5b0b2cb0fe63b5712385c80b |
C:\Users\Admin\AppData\Local\Temp\_MEI20042\pyexpat.pyd
| MD5 | ea357d1bb9d07864ed9328273d903ab7 |
| SHA1 | 68ca51aa0d6bc2f127e3d1203449ad28115c1099 |
| SHA256 | 395540306001f1b0efc4cdb3a061d851cb0ea13279fc470428379c7ad04402a7 |
| SHA512 | abb990e33c205b8aa513ffbb13e2caf8027cb69e7ca57ed4dcef011e87dd6e328862e708e007684d0e5bb191ecbc34bfeb55cfb0f8fc731672fff4fb8b02d6ae |