Malware Analysis Report

2024-11-13 15:29

Sample ID 240606-1zgnrsdg69
Target SOSA.exe
SHA256 203b1ecdbcd0747b3c8e3fdd19a92e49a7e35054ae85b615b12eb8cb7248bed0
Tags pyinstaller
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

203b1ecdbcd0747b3c8e3fdd19a92e49a7e35054ae85b615b12eb8cb7248bed0

Threat Level: Shows suspicious behavior

The file SOSA.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 22:05

Signatures

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 22:05

Reported

2024-06-06 22:17

Platform

win11-20240426-en

Max time kernel

92s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SOSA.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\SOSA.exe

"C:\Users\Admin\AppData\Local\Temp\SOSA.exe"

C:\Users\Admin\AppData\Local\Temp\SOSA.exe

"C:\Users\Admin\AppData\Local\Temp\SOSA.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls & title SOSA CARD GEN BY lcm_2080

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI30802\VCRUNTIME140.dll

MD5 4585a96cc4eef6aafd5e27ea09147dc6
SHA1 489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256 a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512 d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

C:\Users\Admin\AppData\Local\Temp\_MEI30802\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI30802\_socket.pyd

MD5 26dd19a1f5285712068b9e41808e8fa0
SHA1 90c9a112dd34d45256b4f2ed38c1cbbc9f24dba5
SHA256 eaabf6b78840daeaf96b5bdbf06adf0e4e2994dfeee5c5e27fefd824dbda5220
SHA512 173e1eda05d297d7da2193e8566201f05428437adcac80aecefe80f82d46295b15ce10990b5c080325dc59a432a587eef84a15ec688a62b82493ad501a1e4520

C:\Users\Admin\AppData\Local\Temp\_MEI30802\_lzma.pyd

MD5 0c7ea68ca88c07ae6b0a725497067891
SHA1 c2b61a3e230b30416bc283d1f3ea25678670eb74
SHA256 f74aaf0aa08cf90eb1eb23a474ccb7cb706b1ede7f911daf7ae68480765bdf11
SHA512 fd52f20496a12e6b20279646663d880b1354cffea10793506fe4560ed7da53e4efba900ae65c9996fbb3179c83844a9674051385e6e3c26fb2622917351846b9

C:\Users\Admin\AppData\Local\Temp\_MEI30802\_hashlib.pyd

MD5 787b82d4466f393366657b8f1bc5f1a9
SHA1 658639cddda55ac3bfc452db4ec9cf88851e606b
SHA256 241322647ba9f94bdc3ae387413ffb57ae14c8cf88bd564a31fe193c6ca43e37
SHA512 afcf66962958f38eec8b591aa30d380eb0e1b41028836058ff91b4d1472658de9fba3262f5c27ba688bd73da018e938f398e45911cd37584f623073067f575b6

C:\Users\Admin\AppData\Local\Temp\_MEI30802\_decimal.pyd

MD5 8a2ee9274d90698478e4f2f56d8b532e
SHA1 1a8f9adcd1cb707e247fb06c30e3e79317088f67
SHA256 6d940fa068c93f295c3ac63ad6cc54a500db5f24b3c0840dbfb383b92519c35a
SHA512 a85241481a67fe295f6b6a1b9b5a59a7b2a18b75050068fcd16ba048564d5aa774896953241b574084e477dc198fbefdc8c6004d120d95085b88aca42b38ce9b

C:\Users\Admin\AppData\Local\Temp\_MEI30802\_bz2.pyd

MD5 a62207fc33140de460444e191ae19b74
SHA1 9327d3d4f9d56f1846781bcb0a05719dea462d74
SHA256 ebcac51449f323ae3ae961a33843029c34b6a82138ccd9214cf99f98dd2148c2
SHA512 90f9db9ee225958cb3e872b79f2c70cb1fd2248ebaa8f3282afff9250285852156bf668f5cfec49a4591b416ce7ebaaac62d2d887152f5356512f2347e3762b7

C:\Users\Admin\AppData\Local\Temp\_MEI30802\unicodedata.pyd

MD5 50c7d2568ee2a46fd2f53d12437225d8
SHA1 76de26495be7d4bda80dfea97e22adb6fc715ad1
SHA256 9bb7b54602322c15eb62c38af3c4abcce3b51789cd5b6cce82260b857e0fad28
SHA512 b3068468ad9f8472e38c24da47b8b00da54dec0be854b42c72940ba23b3d5f8a03222a4bb5896fa75306a453cee8e8d61d14f304f63d25a50df03d359cfd6b19

C:\Users\Admin\AppData\Local\Temp\_MEI30802\select.pyd

MD5 756c95d4d9b7820b00a3099faf3f4f51
SHA1 893954a45c75fb45fe8048a804990ca33f7c072d
SHA256 13e4d9a734a453a3613e11b6a518430099ad7e3d874ea407d1f9625b7f60268a
SHA512 0f54f0262cf8d71f00bf5666eb15541c6ecc5246cd298efd3b7dd39cdd29553a8242d204c42cfb28c537c3d61580153200373c34a94769f102b3baa288f6c398

C:\Users\Admin\AppData\Local\Temp\_MEI30802\libcrypto-1_1.dll

MD5 1f548445456ea9e3c43bb690d60eeada
SHA1 efb7165f99cc2934ae83a3758b346280d7852949
SHA256 a16b8368869b3e5a0d66ce5b2e1a181d3b13ec3fb9305b6247dd5656a78c4f29
SHA512 e6d5d419efdd6963f8e7cc33906e1f7eaddc37815419a494a8d601727d78a0f8947de156bf1a330314a825fa6962fa412fbd2d1e8f8918a8635b982086d1d4f5

C:\Users\Admin\AppData\Local\Temp\_MEI30802\_ctypes.pyd

MD5 9b344f8d7ce5b57e397a475847cc5f66
SHA1 aff1ccc2608da022ecc8d0aba65d304fe74cdf71
SHA256 b1214d7b7efd9d4b0f465ec3463512a1cbc5f59686267030f072e6ce4b2a95cf
SHA512 2b0d9e1b550bf108fa842324ab26555f2a224aefff517fdb16df85693e05adaf0d77ebe49382848f1ec68dc9b5ae75027a62c33721e42a1566274d1a2b1baa41

C:\Users\Admin\AppData\Local\Temp\_MEI30802\base_library.zip

MD5 90dd02c9ce097f0b486ee6cb4348a520
SHA1 6c0438f7ed3f7bde81c8545958219eb3d964110d
SHA256 740c9f22a3656455a76e4983010bc5d542b2c13e2a34c2d3470f5bceffed31ce
SHA512 3658ce031c123cf0cde3721232a0470d4371e7bf2bed0a1d4881d21e8aed632778f774d45feb6cb7d5c2c3c32747f94bbb80682901356a2e62717f123b6a5d62

C:\Users\Admin\AppData\Local\Temp\_MEI30802\python311.dll

MD5 582833144e887168774f56a01fdf1457
SHA1 ec47e48a6c4be7faada062c3b092c966ee4af962
SHA256 3ef32179471862e13d1b5069b4691038f96d6a923b02fba6ee4933c001d568fc
SHA512 036fa5db6a719b4bdda259e2e0ca8d1d5a8c55d43df1f69876dcba5e86b78d671573eee702f60748b1a8ba53cbf3d3a7e2b06816b2e508ec72627e86cd087a92

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 22:05

Reported

2024-06-06 22:16

Platform

win11-20240508-en

Max time kernel

146s

Max time network

152s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\SOSA.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\SOSA.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A