Malware Analysis Report

2024-11-15 07:50

Sample ID 240605-3zf4cacc7s
Target autoapagado.exe
SHA256 83fd9f2ac8ebbb8004c2683f14a8ae36ab8acb9a84651b270660fc77019b01c1
Tags pyinstaller
Score 7/10

Analysis Overview

Score 7/10

SHA256 83fd9f2ac8ebbb8004c2683f14a8ae36ab8acb9a84651b270660fc77019b01c1

Threat Level: Shows suspicious behavior

The file autoapagado.exe was found to show suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported 2024-06-05 23:57

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-05 23:56
Reported 2024-06-05 23:57
Platform win7-20240508-en
Max time kernel 0s
Max time network 0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\autoapagado.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\autoapagado.exe

"C:\Users\Admin\AppData\Local\Temp\autoapagado.exe"

C:\Users\Admin\AppData\Local\Temp\autoapagado.exe

"C:\Users\Admin\AppData\Local\Temp\autoapagado.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI23802\ucrtbase.dll
C:\Users\Admin\AppData\Local\Temp\_MEI23802\api-ms-win-core-localization-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI23802\api-ms-win-core-processthreads-l1-1-1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI23802\api-ms-win-core-file-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI23802\api-ms-win-core-timezone-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI23802\api-ms-win-core-file-l2-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI23802\python312.dll

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-05 23:56
Reported 2024-06-05 23:59
Platform win10v2004-20240426-en
Max time kernel 92s
Max time network 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\autoapagado.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\autoapagado.exe

"C:\Users\Admin\AppData\Local\Temp\autoapagado.exe"

C:\Users\Admin\AppData\Local\Temp\autoapagado.exe

"C:\Users\Admin\AppData\Local\Temp\autoapagado.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 198.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI42522\ucrtbase.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\python312.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-rtlsupport-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42522\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42522\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42522\libcrypto-3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-crt-utility-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-crt-time-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-crt-string-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-crt-stdio-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-crt-runtime-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-crt-process-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-crt-math-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-crt-locale-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-crt-heap-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-crt-filesystem-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-crt-environment-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-crt-convert-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-crt-conio-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-util-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-timezone-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-sysinfo-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-synch-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-synch-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-string-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-profile-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-processthreads-l1-1-1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-processthreads-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-processenvironment-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-namedpipe-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-memory-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-localization-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-libraryloader-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-interlocked-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-heap-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-handle-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-file-l2-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-file-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-file-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-errorhandling-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-debug-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-datetime-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-console-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42522\base_library.zip

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-05 23:56
Reported 2024-06-05 23:59
Platform win7-20240508-en
Max time kernel 121s
Max time network 122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\autoapagado.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\autoapagado.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\autoapagado.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\autoapagado.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 dbeb42cf78d583fafb8ca73ecb5031de
SHA1 248bc24930cd23648716027b240f81b4bdf8d37a
SHA256 8b03fa1ee651389db7c067a5d588695f3de5245d0a4be98969b268e12871e68d
SHA512 19e60386553197378ea2f28ca5e5f6b5ee326a9838c0aa07a03e2dad717a3e8d9b1d05bf3f4c04645e405de30576642f24be1ec1eb14665ebbeb01fa904755fa

Analysis: behavioral4

Detonation Overview

Submitted 2024-06-05 23:56
Reported 2024-06-05 23:59
Platform win10v2004-20240426-en
Max time kernel 150s
Max time network 149s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\autoapagado.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\autoapagado.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A