Malware Analysis Report

2024-11-30 13:31

Sample ID: 240604-vcd2gadb9w
Target: winspace_latest.exe
SHA256: d21818fd57079745bbf23df611070c6a4fee748d6cc7d8ab4db509689b604594
Tags: pyinstaller
Score: 7/10


Analysis Overview

Threat Level: Shows suspicious behavior

The file winspace_latest.exe was found to show suspicious behavior.

Malicious Activity Summary

pyinstaller

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Detects Pyinstaller

Unsigned PE

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Analysis: static1

Detonation Overview

Reported: 2024-06-04 16:50

Signatures

Detects Pyinstaller (tag: pyinstaller; no indicator details recorded)

Unsigned PE (no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-04 16:50
Reported: 2024-06-04 16:52
Platform: win10v2004-20240226-en
Max time kernel: 27s
Max time network: 46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\winspace_latest.exe"

Signatures

Detects Pyinstaller (tag: pyinstaller; no indicator details recorded)

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2980 wrote to memory of 4208 | N/A | C:\Users\Admin\AppData\Local\Temp\winspace_latest.exe | C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe
PID 4208 wrote to memory of 3676 | N/A | C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe | C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe
PID 3676 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe | C:\Windows\system32\cmd.exe
PID 3676 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe | C:\Windows\system32\cmd.exe
PID 3676 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe | C:\Windows\system32\cmd.exe
PID 3676 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe | C:\Windows\system32\cmd.exe
PID 3676 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe | C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 2528 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\WinSpace\gh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\winspace_latest.exe
    "C:\Users\Admin\AppData\Local\Temp\winspace_latest.exe"

C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe
    "C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe"

C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe
    "C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe"

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title WinSpace [Elyx] [1.0]

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "winspace_api.exe -e 2344aiusdefplk"

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c gh auth status > lg/lg_status.lg

C:\Users\Admin\AppData\Roaming\WinSpace\gh.exe
    gh auth status

C:\Users\Admin\AppData\Roaming\WinSpace\winspace_api.exe
    winspace_api.exe -e 2344aiusdefplk

C:\Windows\system32\tzutil.exe
    tzutil /g

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c gh auth login -p ssh -w --insecure-storage --skip-ssh-key

C:\Users\Admin\AppData\Roaming\WinSpace\gh.exe
    gh auth login -p ssh -w --insecure-storage --skip-ssh-key

C:\Windows\system32\tzutil.exe
    tzutil /g

C:\Windows\system32\tzutil.exe
    tzutil /g

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 13.107.246.64:443 | | tcp
US | 8.8.8.8:53 | github.com | udp
GB | 20.26.156.215:443 | github.com | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\nsv2C5B.tmp\InstallOptions.dll
C:\Users\Admin\AppData\Local\Temp\nsv2C5B.tmp\ioSpecial.ini
C:\Users\Admin\AppData\Roaming\WinSpace\WinSpace.exe
C:\Users\Admin\AppData\Local\Temp\nsv2C5B.tmp\ioSpecial.ini
C:\Users\Admin\AppData\Local\Temp\nsv2C5B.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsv2C5B.tmp\ioSpecial.ini
C:\Users\Admin\AppData\Local\Temp\_MEI42082\python312.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42082\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42082\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI42082\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42082\libffi-8.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42082\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42082\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42082\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42082\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42082\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42082\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42082\libcrypto-3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42082\_socket.pyd
C:\Users\Admin\AppData\Roaming\WinSpace\gh.exe
C:\Users\Admin\AppData\Roaming\WinSpace\gh.exe
C:\Users\Admin\AppData\Roaming\WinSpace\gh.exe