Analysis Overview
SHA256
06875c91fb4e0e68efa3c3a32a50292d7ecdacde216795d6ef05de4983d19289
Threat Level: Shows suspicious behavior
Verdict for the file _CRACKED__TokenXpert.rar: shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-04 02:17
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 02:17
Reported
2024-06-04 02:20
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI42242\assets\data.dll | N/A |
Loads dropped DLL
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe
"C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe"
C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe
"C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe"
C:\Users\Admin\AppData\Local\Temp\_MEI42242\assets\data.dll
"C:\Users\Admin\AppData\Local\Temp\_MEI42242\assets\data.dll"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI42242\python310.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42242\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42242\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI42242\python3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42242\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42242\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42242\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42242\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42242\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42242\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42242\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42242\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42242\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42242\VCRUNTIME140_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42242\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42242\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42242\pywintypes310.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42242\MSVCP140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42242\mfc140u.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42242\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42242\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42242\charset_normalizer\md__mypyc.cp310-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42242\charset_normalizer\md.cp310-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42242\pyinjector\injector.cp310-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42242\psutil\_psutil_windows.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42242\assets\data.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42242\assets\xpert.dll
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 02:17
Reported
2024-06-04 02:18
Platform
win7-20240508-en
Max time kernel
7s
Max time network
1s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1264 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe | C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe |
| PID 1264 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe | C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe |
| PID 1264 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe | C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe
"C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe"
C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe
"C:\Users\Admin\AppData\Local\Temp\[CRACKED] TokenXpert's Token Generator.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI12642\python310.dll