Analysis Overview
SHA256
dee87dd8a66a74a49ee27838c92cb8dfc9e206f636d100417bbf62f68deb8970
Threat Level: Shows suspicious behavior
The file pythonchatclient.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-04 00:06
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 00:06
Reported
2024-06-04 00:07
Platform
win10v2004-20240226-en
Max time kernel
31s
Max time network
36s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pythonchatclient.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2132 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\pythonchatclient.exe | C:\Users\Admin\AppData\Local\Temp\pythonchatclient.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\pythonchatclient.exe
"C:\Users\Admin\AppData\Local\Temp\pythonchatclient.exe"
C:\Users\Admin\AppData\Local\Temp\pythonchatclient.exe
"C:\Users\Admin\AppData\Local\Temp\pythonchatclient.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.0.7:5002 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.12.23.50:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.166.126.56:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI21322\python39.dll
C:\Users\Admin\AppData\Local\Temp\_MEI21322\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI21322\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI21322\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI21322\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI21322\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI21322\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI21322\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI21322\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI21322\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI21322\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI21322\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI21322\_socket.pyd