Malware Analysis Report

2024-11-30 13:38

Sample ID 240603-xqek9sgd84
Target legendary.exe
SHA256 01ea22ea51749f46a0019657f64fc0d34429fb7cbf9b590c0848c0e0bd9c1f07
Tags
pyinstaller
score
7/10


Analysis Overview

score
7/10

SHA256

01ea22ea51749f46a0019657f64fc0d34429fb7cbf9b590c0848c0e0bd9c1f07

Threat Level: Shows suspicious behavior

The file legendary.exe was found to show suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Unsigned PE

Detects Pyinstaller

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-03 19:03

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 19:03

Reported

2024-06-03 19:07

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\legendary.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\legendary.exe

"C:\Users\Admin\AppData\Local\Temp\legendary.exe"

C:\Users\Admin\AppData\Local\Temp\legendary.exe

"C:\Users\Admin\AppData\Local\Temp\legendary.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI30242\ucrtbase.dll

MD5 3b337c2d41069b0a1e43e30f891c3813
SHA1 ebee2827b5cb153cbbb51c9718da1549fa80fc5c
SHA256 c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7
SHA512 fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

C:\Users\Admin\AppData\Local\Temp\_MEI30242\api-ms-win-core-localization-l1-2-0.dll

MD5 de5695f26a0bcb54f59a8bc3f9a4ecef
SHA1 99c32595f3edc2c58bdb138c3384194831e901d6
SHA256 e9539fce90ad8be582b25ab2d5645772c2a5fb195e602ecdbf12b980656e436a
SHA512 df635d5d51cdea24885ae9f0406f317ddcf04ecb6bfa26579bb2e256c457057607844ded4b52ff1f5ca25abe29d1eb2b20f1709cf19035d3829f36bbe31f550f

C:\Users\Admin\AppData\Local\Temp\_MEI30242\api-ms-win-core-processthreads-l1-1-1.dll

MD5 74c264cffc09d183fcb1555b16ea7e4b
SHA1 0b5b08cdf6e749b48254ac811ca09ba95473d47c
SHA256 a8e2fc077d9a7d2faa85e1e6833047c90b22c6086487b98fc0e6a86b7bf8bf09
SHA512 285afbcc39717510ced2ed096d9f77fc438268ecaa59cff3cf167fcc538e90c73c67652046b0ee379e0507d6e346af79d43c51a571c6dd66034f9385a73d00d1

C:\Users\Admin\AppData\Local\Temp\_MEI30242\api-ms-win-core-file-l1-2-0.dll

MD5 d92e6a007fc22a1e218552ebfb65da93
SHA1 3c9909332e94f7b7386664a90f52730f4027a75a
SHA256 03bd3217eae0ef68521b39556e7491292db540f615da873dd8da538693b81862
SHA512 b8b0e6052e68c08e558e72c168e4ff318b1907c4dc5fc1cd1104f5cae7cc418293013dabbb30c835a5c35a456e1cb22cc352b7ae40f82b9b7311bb7419d854c7

C:\Users\Admin\AppData\Local\Temp\_MEI30242\api-ms-win-core-timezone-l1-1-0.dll

MD5 cb39eea2ef9ed3674c597d5f0667b5b4
SHA1 c133dc6416b3346fa5b0f449d7cc6f7dbf580432
SHA256 1627b921934053f1f7d2a19948aee06fac5db8ee8d4182e6f071718d0681f235
SHA512 2c65014dc045a2c1e5f52f3fea4967d2169e4a78d41fe56617ce9a4d5b30ebf25043112917ff3d7d152744ddef70475937ae0a7f96785f97dcefafe8e6f14d9c

C:\Users\Admin\AppData\Local\Temp\_MEI30242\api-ms-win-core-file-l2-1-0.dll

MD5 50abf0a7ee67f00f247bada185a7661c
SHA1 0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1
SHA256 f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7
SHA512 c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528

C:\Users\Admin\AppData\Local\Temp\_MEI30242\python39.dll

MD5 789b4ecbce732a7e8479e8909f097d16
SHA1 a79c2e1ca0ad675a48f3bba0fbdeff1b888f0e74
SHA256 8314174dacfc1c4f177be8266c78f147621cf577a39742642a76ec27e7b87b02
SHA512 b9b57ff21735c06f4b3957cdd5a3ab54602a7141f1792de52aea0e6fc41be957070b958ab75b1a26a302b6fb17a02e9a187ad289a6af0c72a5ade43b4bf06e6d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 19:03

Reported

2024-06-03 19:06

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\legendary.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\legendary.exe

"C:\Users\Admin\AppData\Local\Temp\legendary.exe"

C:\Users\Admin\AppData\Local\Temp\legendary.exe

"C:\Users\Admin\AppData\Local\Temp\legendary.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\SYSTEM32\cmd.exe

cmd /K echo>nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI20042\ucrtbase.dll

MD5 3b337c2d41069b0a1e43e30f891c3813
SHA1 ebee2827b5cb153cbbb51c9718da1549fa80fc5c
SHA256 c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7
SHA512 fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

C:\Users\Admin\AppData\Local\Temp\_MEI20042\python39.dll

MD5 789b4ecbce732a7e8479e8909f097d16
SHA1 a79c2e1ca0ad675a48f3bba0fbdeff1b888f0e74
SHA256 8314174dacfc1c4f177be8266c78f147621cf577a39742642a76ec27e7b87b02
SHA512 b9b57ff21735c06f4b3957cdd5a3ab54602a7141f1792de52aea0e6fc41be957070b958ab75b1a26a302b6fb17a02e9a187ad289a6af0c72a5ade43b4bf06e6d

C:\Users\Admin\AppData\Local\Temp\_MEI20042\VCRUNTIME140.dll

MD5 a87575e7cf8967e481241f13940ee4f7
SHA1 879098b8a353a39e16c79e6479195d43ce98629e
SHA256 ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e
SHA512 e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

C:\Users\Admin\AppData\Local\Temp\_MEI20042\base_library.zip

MD5 3ae15fe280ecda05eed0cab7624af175
SHA1 17b9c742b740ac67674963a2e57a9a3a2cc90e48
SHA256 5a189878f57afdcc6b45f03f641f58bf736ace225d5f7f0a4898b802bfabf090
SHA512 750c11240a5df35edbdd1e45a4cb1d0aa67ba117fd0ce4bb999ac85940322d33694645f9c104c888f3e265bb476055aaa5d4f99fe991d594369f02d2b903a2ef

C:\Users\Admin\AppData\Local\Temp\_MEI20042\_ctypes.pyd

MD5 a1b81ce092c5a2c9afd13b5cae872441
SHA1 05b695dbb5e62adb368d8bd142f667b2e7e9d437
SHA256 eb5ebeb25888ff124abd0db3e08577b84538e62610107fe4e008d7c188a78210
SHA512 5158e462b0aeebf711e42363cf9ca1ac546958154257cc3063ba4575da28c2a7c95b1527a54adfa00d9b3c6f8832aedd97e6c79f5cd70a47146afb0f1afa288a

C:\Users\Admin\AppData\Local\Temp\_MEI20042\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI20042\_socket.pyd

MD5 439b4d756cde64fba441e640df56dd60
SHA1 881dbf2366915399b3bb8be6083f94f46eebaaf7
SHA256 acb377fd6967b2ce819601c7d6a102d30af570eaee9e312e383f34aecd5df142
SHA512 ef4b78e9f6cc740696836062dffa956ee5b9d1f0be8d809497ea778fea80761fc5b3baa938756344edc18dbaeeae6fe660f2ee8fcc25e0d7985e55f4461e3c33

C:\Users\Admin\AppData\Local\Temp\_MEI20042\_bz2.pyd

MD5 4fdf3bc5548f98264ccedca2e400e8ef
SHA1 9254a0a3f16a0dabc11504bbd8bd3b425702a0b6
SHA256 cb2b8853ccf149b0b175769cb8ed6e2f9c2cbec0af3d8835c43570fd91da1b4f
SHA512 3bc15f142da4708c9e564fded1207f9502c5efb93c63e9db34caa931ee3d628c3eef66dc2adb42d796f7a2e1908bbe26d917aecd151fbc241d9efc67c8a7f63d

C:\Users\Admin\AppData\Local\Temp\_MEI20042\_queue.pyd

MD5 1b1a7cb8fd95c0d9741462de11abd43d
SHA1 6ec962cfd0d9f0dc69c9c1d424fe6fee591fe278
SHA256 3c907316271b15935ff400b65d24f229feb980a5be9cb4ad9f79f210ff0b884c
SHA512 8136ec741210ce8be2d2bccd013ee29d154f61f41188faff81c16fa8cfd143870200a757cda7d0f5da738409339c87d6b5c80517c8596fd5d6291dd8164a57cf

C:\Users\Admin\AppData\Local\Temp\_MEI20042\libcrypto-1_1.dll

MD5 63c4f445b6998e63a1414f5765c18217
SHA1 8c1ac1b4290b122e62f706f7434517077974f40e
SHA256 664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2
SHA512 aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

C:\Users\Admin\AppData\Local\Temp\_MEI20042\_hashlib.pyd

MD5 cc06750ac9811e6b0ebe1482c032b0cf
SHA1 db0e43e4c0082d44b9385d6d94a68ecc72fd99e7
SHA256 9a1ffa72a808fdfe88dd8f9e7083b285edf246df07c35ac032dc45d905f58fce
SHA512 ededec073f5651cdf2f0ed6a74278b0df630871f2ccad7d831a908a7e3efa4e5bed96d38647706add29963a515c9a13051f1457ae934d5ff75129e41bb4cd8dd

C:\Users\Admin\AppData\Local\Temp\_MEI20042\_ssl.pyd

MD5 5e2ee0a0277ffe2bd854abb898310d43
SHA1 774cf06c1e6f68c86bf107353e3f4e9df0ec40dd
SHA256 75ae15b70eaa1950cf259fed95ade499d7c6dfefffdf4c3292c46bd24da25902
SHA512 4b593b35373d69b59dd01164e09919862ac76f0e38a97fec458265add610a0dc9bca7287462668eea5b312c741e3c3644019df2f31b20bc6f764c95c968792bd

C:\Users\Admin\AppData\Local\Temp\_MEI20042\libssl-1_1.dll

MD5 bd857f444ebbf147a8fcd1215efe79fc
SHA1 1550e0d241c27f41c63f197b1bd669591a20c15b
SHA256 b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf
SHA512 2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

C:\Users\Admin\AppData\Local\Temp\_MEI20042\_lzma.pyd

MD5 ce4a35fc25d50497e8be0e75ff8d61b3
SHA1 19325e4bfe74289f062b657df082e47ac7bc14eb
SHA256 e352c77f7810ea83617ed096626ac9c3d628726def47551f90741d201c1f3b3d
SHA512 380b2be74d440b44c0abad4cfe3cddffbb36ca53d844dfe262b869cff0309f0758a86d220eb8c19eea4f18e823906c90ca2c8566e8e59e5c3e25ddc9d149cdb9

C:\Users\Admin\AppData\Local\Temp\_MEI20042\select.pyd

MD5 db414debf94abe8d159f42f71fd4c292
SHA1 1b585a565d6c769a9323885d0f3af2038fb06dfe
SHA256 2a451074afe05260fc274fba6851f8f96cd46ad32b657d876dd55f237244b6e3
SHA512 16a35bacd1511a327dd490304b48d7b2b87e906e693283950c46b3ae4da5db1f68d50b937f3e31329d106e92751456a9f31637495b2b8190b5f2a4a49c9146a5

C:\Users\Admin\AppData\Local\Temp\_MEI20042\unicodedata.pyd

MD5 8a888fc01d0ed182f4c6e3ddc27665eb
SHA1 1c5af90831ca65c4ece4c0b23110ad81c28d281c
SHA256 3efd2cfb8f29e914e002a244b2072ad9ed595abcb9179759020f3a10c9089204
SHA512 e3f85f612a02681d972f26683ee69b9f454497e0c32e8d44a8cc63fa496604467a3be3cd924fdb503d1eb6c9af030d44c462da0bdffed3d83e6b42c211ddc19a

C:\Users\Admin\AppData\Local\Temp\_MEI20042\_uuid.pyd

MD5 c6ced76f58eb9bcc88dfea9b4a11d974
SHA1 de636f32fa2e32785b2dbbd697ae8e0bce3c6540
SHA256 e4cd5a2b7be54e858592f451b84280397aa8d6546906bc6834170a24a3857fae
SHA512 7fc5d18ed6165713164aaa6e84377517d5f8c3129bbf65659952a5ee108bebd4da27b1a40053885577bc2cf478fa60cf73e0c97f5b0b2cb0fe63b5712385c80b

C:\Users\Admin\AppData\Local\Temp\_MEI20042\pyexpat.pyd

MD5 ea357d1bb9d07864ed9328273d903ab7
SHA1 68ca51aa0d6bc2f127e3d1203449ad28115c1099
SHA256 395540306001f1b0efc4cdb3a061d851cb0ea13279fc470428379c7ad04402a7
SHA512 abb990e33c205b8aa513ffbb13e2caf8027cb69e7ca57ed4dcef011e87dd6e328862e708e007684d0e5bb191ecbc34bfeb55cfb0f8fc731672fff4fb8b02d6ae