Analysis Overview
SHA256
d21818fd57079745bbf23df611070c6a4fee748d6cc7d8ab4db509689b604594
Threat Level: Shows suspicious behavior
The file winspace_latest.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Detects Pyinstaller
Unsigned PE
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 16:50
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
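The static and behavioral "Detects Pyinstaller" signatures, together with the `_MEI42082\python312.dll` entry in the Files list below, identify winspace_latest.exe as a PyInstaller onefile bundle (the bootloader unpacks its embedded archive into a temporary `_MEIxxxxx` directory at run time). The Python below is an added example, not code from this report or from the sample, showing how such a bundle can be recognised statically by locating PyInstaller's archive cookie: the 8-byte `MEI\x0c\x0b\x0a\x0b\x0e` magic followed by the `!8sIIII64s` layout PyInstaller's CArchive writer uses. It runs against a constructed in-memory stub rather than the real sample; the cookie layout and the Python-version encoding (major*100+minor in current releases, major*10+minor in older ones) are taken from PyInstaller's own writer and are assumptions about which PyInstaller release built this sample.

```python
import struct
import sys

# PyInstaller's CArchive cookie: 8-byte magic, then package length, TOC offset,
# TOC length and Python version (all big-endian uint32), then a 64-byte
# NUL-padded name of the Python shared library (e.g. python312.dll).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIII64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def decode_python_version(pyvers: int) -> str:
    # Current PyInstaller encodes major*100+minor (312); older releases used
    # major*10+minor (37). Values below 100 can only be the older scheme.
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return f"{major}.{minor}"


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie as a dict, or None if the buffer is not a PyInstaller bundle."""
    idx = data.rfind(PYINSTALLER_MAGIC)  # the cookie sits at the very end of the archive
    if idx < 0 or idx + COOKIE_SIZE > len(data):
        return None
    magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FORMAT, data[idx:idx + COOKIE_SIZE])
    archive_start = idx + COOKIE_SIZE - pkg_len
    if archive_start < 0 or toc_off + toc_len > pkg_len:
        return None  # cookie-shaped bytes with inconsistent lengths: not a usable bundle
    return {
        "cookie_offset": idx,
        "archive_offset": archive_start,
        "archive_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": decode_python_version(pyvers),
        "python_library": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def scan_file(path: str):
    with open(path, "rb") as fh:
        return find_pyinstaller_cookie(fh.read())


def build_fake_bundle() -> bytes:
    """Constructed stand-in for a bundle: a fake PE stub followed by a minimal archive."""
    stub = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 256  # 324 bytes, not a real PE
    toc = b"\x00" * 32  # empty table of contents
    pylib = b"python312.dll".ljust(64, b"\x00")
    pkg_len = len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, pkg_len, 0, len(toc), 312, pylib)
    return stub + toc + cookie


if __name__ == "__main__":
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_pyinstaller_cookie(build_fake_bundle())
    print(result or "no PyInstaller cookie found")
```

Run with a path to scan a file, or with no arguments to parse the constructed stub. A hit on the magic alone is a weak signal; the length consistency check guards against the magic appearing inside unrelated data, and the TOC can then be walked from `archive_offset + toc_offset` to list the bundled scripts and libraries.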
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 16:50
Reported
2024-06-04 16:52
Platform
win10v2004-20240226-en
Max time kernel
27s
Max time network
46s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpace\gh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\winspace_latest.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\winspace_latest.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\winspace_latest.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\winspace_latest.exe
"C:\Users\Admin\AppData\Local\Temp\winspace_latest.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe
"C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe"
C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe
"C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title WinSpace [Elyx] [1.0]
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "winspace_api.exe -e 2344aiusdefplk"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gh auth status > lg/lg_status.lg
C:\Users\Admin\AppData\Roaming\WinSpace\gh.exe
gh auth status
C:\Users\Admin\AppData\Roaming\WinSpace\winspace_api.exe
winspace_api.exe -e 2344aiusdefplk
C:\Windows\system32\tzutil.exe
tzutil /g
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gh auth login -p ssh -w --insecure-storage --skip-ssh-key
C:\Users\Admin\AppData\Roaming\WinSpace\gh.exe
gh auth login -p ssh -w --insecure-storage --skip-ssh-key
C:\Windows\system32\tzutil.exe
tzutil /g
C:\Windows\system32\tzutil.exe
tzutil /g
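Two things in the process list above matter more than the signature names. First, the sample stages a copy of the GitHub CLI (`gh.exe`) and `winspace_api.exe` in `%APPDATA%\WinSpace` and runs `gh auth login -p ssh -w --insecure-storage --skip-ssh-key`: `-w` starts the browser-based login flow (the github.com connections in the Network table), `-p ssh` selects the SSH git protocol, `--skip-ssh-key` suppresses key generation, and `--insecure-storage` tells gh to save the resulting OAuth token in plain text in its hosts.yml configuration instead of the OS credential store, which is what makes the token trivially readable afterwards. Second, the storage-enumeration (SCSI registry key) and AdjustPrivilegeToken (SeDebugPrivilege) signatures are attributed to `C:\Windows\system32\taskmgr.exe` launched with `/4`, not to the sample, so they should not be counted as sample behaviour. The Python below is an added example, not tooling from this report or from the sandbox, that parses a process list in the report's two-line layout and applies rules for these observations; the sample input is the report's own Processes list reproduced as a constructed string, and the rule names and severities are the author's choices.

```python
import re
from dataclasses import dataclass

# Constructed sample: the image-path / command-line pairs copied from the
# Processes section of this report, in the same two-line layout.
SAMPLE_PROCESSES = r"""
C:\Users\Admin\AppData\Local\Temp\winspace_latest.exe
"C:\Users\Admin\AppData\Local\Temp\winspace_latest.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe
"C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe"
C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe
"C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title WinSpace [Elyx] [1.0]
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "winspace_api.exe -e 2344aiusdefplk"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gh auth status > lg/lg_status.lg
C:\Users\Admin\AppData\Roaming\WinSpace\gh.exe
gh auth status
C:\Users\Admin\AppData\Roaming\WinSpace\winspace_api.exe
winspace_api.exe -e 2344aiusdefplk
C:\Windows\system32\tzutil.exe
tzutil /g
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gh auth login -p ssh -w --insecure-storage --skip-ssh-key
C:\Users\Admin\AppData\Roaming\WinSpace\gh.exe
gh auth login -p ssh -w --insecure-storage --skip-ssh-key
C:\Windows\system32\tzutil.exe
tzutil /g
C:\Windows\system32\tzutil.exe
tzutil /g
"""


@dataclass
class Process:
    image: str    # image path as listed in the report
    cmdline: str  # command line as listed in the report

    @property
    def basename(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def tokens(self) -> list:
        # Split on whitespace but keep quoted arguments together, then drop the quotes.
        return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', self.cmdline)]


@dataclass
class Finding:
    rule: str
    severity: str
    image: str
    detail: str


USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)


def parse_process_list(text: str) -> list:
    """Pair up image / command-line lines as they appear in the report."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return [Process(lines[i], lines[i + 1]) for i in range(0, len(lines) - 1, 2)]


def check_process(p: Process) -> list:
    toks = [t.lower() for t in p.tokens]
    out = []
    if USER_WRITABLE.search(p.image):
        out.append(Finding("exec-from-user-profile", "low", p.image,
                           "executable runs from a user-writable profile directory"))
    if p.basename == "gh.exe" and "program files" not in p.image.lower():
        out.append(Finding("bundled-github-cli", "medium", p.image,
                           "GitHub CLI executed from outside its normal install location"))
    if {"gh", "auth", "login"} <= set(toks) and "--insecure-storage" in toks:
        out.append(Finding("gh-insecure-storage", "high", p.image,
                           "gh auth login --insecure-storage stores the OAuth token in plain text in hosts.yml"))
    if p.basename == "cmd.exe" and ">" in toks:
        out.append(Finding("cmd-output-redirect", "low", p.image, "output redirected to a file: " + p.cmdline))
    if p.basename == "tzutil.exe" and "/g" in toks:
        out.append(Finding("timezone-query", "info", p.image, "host time zone queried with tzutil /g"))
    return out


def triage(text: str) -> list:
    return [f for p in parse_process_list(text) for f in check_process(p)]


def rule_counts(findings: list) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print(f"[{f.severity:6}] {f.rule:24} {f.image}  {f.detail}")
```

On this report the rules fire twice for `gh-insecure-storage` (once for the cmd.exe wrapper, once for gh.exe itself) and six times for executables running out of `AppData`. The wrapper/child duplication is deliberate: de-duplicating by rule would hide which parent spawned the interesting child. A host-side follow-up is to check whether `hosts.yml` in the gh configuration directory of the affected user now holds an `oauth_token` entry.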
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsv2C5B.tmp\InstallOptions.dll
| MD5 | d1eefb07abc2577dfb92eb2e95a975e4 |
| SHA1 | 0584c2b1807bc3bd10d4b60d2d23eeb0e6832ca2 |
| SHA256 | 89dd7d646278d8bfc41d5446bdc348b9a9afaa832abf02c1396272bb7ac7262a |
| SHA512 | eaffd9940b1df59e95e2adb79b3b6415fff5bf196ebea5fe625a6c52e552a00b44d985a36a8dd9eb33eba2425ffea4244ed07a75d87284ff51ec9f9a5e1ac65e |
C:\Users\Admin\AppData\Local\Temp\nsv2C5B.tmp\ioSpecial.ini
| MD5 | 08aeeeec86b845a0d4a54846bb2739bc |
| SHA1 | 1afc8f1ca0b912be049295feaef138464a257551 |
| SHA256 | 77b88f6f8e30cbbe4f557bb2edd12940bbd5a5c28e810cb591797cf5d78327d3 |
| SHA512 | ffb3db88de263a70018ceba23ac59713f0d91e07f60a31de260c4db4405bcd7500327d90db7eb7d9a950f3842ac5eed8befcbd53f38abaaf75c8a8d4eb735208 |
memory/444-81-0x00000186079B0000-0x00000186079B1000-memory.dmp
memory/444-80-0x00000186079B0000-0x00000186079B1000-memory.dmp
memory/444-79-0x00000186079B0000-0x00000186079B1000-memory.dmp
memory/444-89-0x00000186079B0000-0x00000186079B1000-memory.dmp
memory/444-91-0x00000186079B0000-0x00000186079B1000-memory.dmp
memory/444-90-0x00000186079B0000-0x00000186079B1000-memory.dmp
memory/444-88-0x00000186079B0000-0x00000186079B1000-memory.dmp
memory/444-87-0x00000186079B0000-0x00000186079B1000-memory.dmp
memory/444-86-0x00000186079B0000-0x00000186079B1000-memory.dmp
memory/444-85-0x00000186079B0000-0x00000186079B1000-memory.dmp
C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe
| MD5 | ee23014e2a607eab2887bdbfbd1b2033 |
| SHA1 | 6693d015a5a13c243e8b574254a0bdbc3c0b5be1 |
| SHA256 | e01c68fbcee4c013c852c5dcbc89867835f029663dbe055cc827368bb44533d4 |
| SHA512 | 8ced593d9bb7270edff419bd6944d288752dabb30cee996a948d2660069c4c774765b98e966c03f4be1da4dac818022d2763d5aa12aa37a4eac95ba5ba5a1f00 |
C:\Users\Admin\AppData\Local\Temp\nsv2C5B.tmp\ioSpecial.ini
| MD5 | 0db66ac676ace02ed02769521bb01ea8 |
| SHA1 | f3eef89bcfa94feb44895cf1dfa3eed7257a8e97 |
| SHA256 | 259830a64766b2a9fe7d2276e6a1f769e899f1b969ca9cdbf24b4b14292b9bfa |
| SHA512 | d91849ef4164349afd37de65633e64735a427fc76591f1ca9fbf5cfe044a387b240aadc96a623a22c3aaf3021aa10e53f55e9c9ae429cb65e9f2dcda23cca1c2 |
C:\Users\Admin\AppData\Local\Temp\nsv2C5B.tmp\System.dll
| MD5 | 192639861e3dc2dc5c08bb8f8c7260d5 |
| SHA1 | 58d30e460609e22fa0098bc27d928b689ef9af78 |
| SHA256 | 23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6 |
| SHA512 | 6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc |
C:\Users\Admin\AppData\Local\Temp\nsv2C5B.tmp\ioSpecial.ini
| MD5 | 4d69423fceb90bc4fef0f932e008ed8b |
| SHA1 | 57fc4acabf265d25cff6fd273425eef3f6ea02f3 |
| SHA256 | 7a8c2332a2bd547a864f3f0ab8f54fffc6056f98dc986fe3e3c59f8cc2dfa398 |
| SHA512 | 2574fc86c41eff64e0f307d5a86bee378b71d3a617a6e3f4dfc69da4cb66f980a9c7cc84da597c77cbd8f2c50cdd34cb602efd3cccbe6cdcb007471a0be7acd5 |
C:\Users\Admin\AppData\Local\Temp\_MEI42082\python312.dll
| MD5 | 3c388ce47c0d9117d2a50b3fa5ac981d |
| SHA1 | 038484ff7460d03d1d36c23f0de4874cbaea2c48 |
| SHA256 | c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb |
| SHA512 | e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35 |
C:\Users\Admin\AppData\Local\Temp\_MEI42082\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\_MEI42082\base_library.zip
| MD5 | 8dad91add129dca41dd17a332a64d593 |
| SHA1 | 70a4ec5a17ed63caf2407bd76dc116aca7765c0d |
| SHA256 | 8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783 |
| SHA512 | 2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50 |
C:\Users\Admin\AppData\Local\Temp\_MEI42082\_ctypes.pyd
| MD5 | bbd5533fc875a4a075097a7c6aba865e |
| SHA1 | ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00 |
| SHA256 | be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570 |
| SHA512 | 23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e |
C:\Users\Admin\AppData\Local\Temp\_MEI42082\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\_MEI42082\_bz2.pyd
| MD5 | 223fd6748cae86e8c2d5618085c768ac |
| SHA1 | dcb589f2265728fe97156814cbe6ff3303cd05d3 |
| SHA256 | f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb |
| SHA512 | 9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6 |
C:\Users\Admin\AppData\Local\Temp\_MEI42082\_lzma.pyd
| MD5 | 05e8b2c429aff98b3ae6adc842fb56a3 |
| SHA1 | 834ddbced68db4fe17c283ab63b2faa2e4163824 |
| SHA256 | a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c |
| SHA512 | badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3 |
C:\Users\Admin\AppData\Local\Temp\_MEI42082\_hashlib.pyd
| MD5 | eedb6d834d96a3dffffb1f65b5f7e5be |
| SHA1 | ed6735cfdd0d1ec21c7568a9923eb377e54b308d |
| SHA256 | 79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2 |
| SHA512 | 527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad |
C:\Users\Admin\AppData\Local\Temp\_MEI42082\_decimal.pyd
| MD5 | 3055edf761508190b576e9bf904003aa |
| SHA1 | f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890 |
| SHA256 | e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577 |
| SHA512 | 87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248 |
C:\Users\Admin\AppData\Local\Temp\_MEI42082\unicodedata.pyd
| MD5 | 16be9a6f941f1a2cb6b5fca766309b2c |
| SHA1 | 17b23ae0e6a11d5b8159c748073e36a936f3316a |
| SHA256 | 10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04 |
| SHA512 | 64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b |
C:\Users\Admin\AppData\Local\Temp\_MEI42082\select.pyd
| MD5 | 92b440ca45447ec33e884752e4c65b07 |
| SHA1 | 5477e21bb511cc33c988140521a4f8c11a427bcc |
| SHA256 | 680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3 |
| SHA512 | 40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191 |
C:\Users\Admin\AppData\Local\Temp\_MEI42082\libcrypto-3.dll
| MD5 | e547cf6d296a88f5b1c352c116df7c0c |
| SHA1 | cafa14e0367f7c13ad140fd556f10f320a039783 |
| SHA256 | 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de |
| SHA512 | 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d |
C:\Users\Admin\AppData\Local\Temp\_MEI42082\_socket.pyd
| MD5 | dc06f8d5508be059eae9e29d5ba7e9ec |
| SHA1 | d666c88979075d3b0c6fd3be7c595e83e0cb4e82 |
| SHA256 | 7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a |
| SHA512 | 57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3 |
C:\Users\Admin\AppData\Roaming\WinSpace\gh.exe
| MD5 | e62fa8a621ad1e386fa0de04cf4a5313 |
| SHA1 | 653bf2433636f9443d9463b17fe1537a9c7f60f9 |
| SHA256 | eb7643f211fc9dc381855c97c0101a34ae7a3bce11b74a8786405b44cfabd0fd |
| SHA512 | 9cb2998e6013c3b9566dc87bee01afdc663b9affa16b8a1f0ee013ae80991bb217eab1d67a9839f2cc8eff9403cf1c73f90f0372b63156d543e872171d9a1602 |
C:\Users\Admin\AppData\Roaming\WinSpace\gh.exe
| MD5 | 9a9495f588d839eb7df1ac15e3ed174b |
| SHA1 | c4be5682b66e32a8c87059d413aa535fd8e1d0ae |
| SHA256 | d5d52599ecb49bf5e07c7bae8bc6556781d8118bc89b014949819f061391abd9 |
| SHA512 | cf759559d1775ad8be25ec613f67ef14793893ed024659f5cc8cb6ca128ca0a88bbddc93bb1b2107b018c63f358d2478a4a84dbbb18c2097e101da04b33be33b |
C:\Users\Admin\AppData\Roaming\WinSpace\gh.exe
| MD5 | ea7ae601f84ff4115516897dad6b17cb |
| SHA1 | e0237f5fe046e242e905e3871d673958e2c0bf59 |
| SHA256 | 66df465e023b80992f937220f530242b5fac13bcd443d25fdc07bed8e4791543 |
| SHA512 | 33a0bfeac761c6aaeeb253083abc0a9e38021328a8fcdda7e26b164d9016b26e315b32352c038beb69e30f255e2158c9f4ca1c903da78cb080fa948514c74e71 |