Analysis Overview
SHA256
203b1ecdbcd0747b3c8e3fdd19a92e49a7e35054ae85b615b12eb8cb7248bed0
Threat Level: Shows suspicious behavior
The file SOSA.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-06 22:05
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 22:05
Reported
2024-06-06 22:17
Platform
win11-20240426-en
Max time kernel
92s
Max time network
100s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOSA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOSA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOSA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOSA.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3080 wrote to memory of 456 | N/A | C:\Users\Admin\AppData\Local\Temp\SOSA.exe | C:\Users\Admin\AppData\Local\Temp\SOSA.exe |
| PID 3080 wrote to memory of 456 | N/A | C:\Users\Admin\AppData\Local\Temp\SOSA.exe | C:\Users\Admin\AppData\Local\Temp\SOSA.exe |
| PID 456 wrote to memory of 3188 | N/A | C:\Users\Admin\AppData\Local\Temp\SOSA.exe | C:\Windows\system32\cmd.exe |
| PID 456 wrote to memory of 3188 | N/A | C:\Users\Admin\AppData\Local\Temp\SOSA.exe | C:\Windows\system32\cmd.exe |
| PID 456 wrote to memory of 3176 | N/A | C:\Users\Admin\AppData\Local\Temp\SOSA.exe | C:\Windows\system32\cmd.exe |
| PID 456 wrote to memory of 3176 | N/A | C:\Users\Admin\AppData\Local\Temp\SOSA.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SOSA.exe
"C:\Users\Admin\AppData\Local\Temp\SOSA.exe"
C:\Users\Admin\AppData\Local\Temp\SOSA.exe
"C:\Users\Admin\AppData\Local\Temp\SOSA.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls & title SOSA CARD GEN BY lcm_2080
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI30802\VCRUNTIME140.dll
| MD5 | 4585a96cc4eef6aafd5e27ea09147dc6 |
| SHA1 | 489cfff1b19abbec98fda26ac8958005e88dd0cb |
| SHA256 | a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736 |
| SHA512 | d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286 |
C:\Users\Admin\AppData\Local\Temp\_MEI30802\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\_MEI30802\_socket.pyd
| MD5 | 26dd19a1f5285712068b9e41808e8fa0 |
| SHA1 | 90c9a112dd34d45256b4f2ed38c1cbbc9f24dba5 |
| SHA256 | eaabf6b78840daeaf96b5bdbf06adf0e4e2994dfeee5c5e27fefd824dbda5220 |
| SHA512 | 173e1eda05d297d7da2193e8566201f05428437adcac80aecefe80f82d46295b15ce10990b5c080325dc59a432a587eef84a15ec688a62b82493ad501a1e4520 |
C:\Users\Admin\AppData\Local\Temp\_MEI30802\_lzma.pyd
| MD5 | 0c7ea68ca88c07ae6b0a725497067891 |
| SHA1 | c2b61a3e230b30416bc283d1f3ea25678670eb74 |
| SHA256 | f74aaf0aa08cf90eb1eb23a474ccb7cb706b1ede7f911daf7ae68480765bdf11 |
| SHA512 | fd52f20496a12e6b20279646663d880b1354cffea10793506fe4560ed7da53e4efba900ae65c9996fbb3179c83844a9674051385e6e3c26fb2622917351846b9 |
C:\Users\Admin\AppData\Local\Temp\_MEI30802\_hashlib.pyd
| MD5 | 787b82d4466f393366657b8f1bc5f1a9 |
| SHA1 | 658639cddda55ac3bfc452db4ec9cf88851e606b |
| SHA256 | 241322647ba9f94bdc3ae387413ffb57ae14c8cf88bd564a31fe193c6ca43e37 |
| SHA512 | afcf66962958f38eec8b591aa30d380eb0e1b41028836058ff91b4d1472658de9fba3262f5c27ba688bd73da018e938f398e45911cd37584f623073067f575b6 |
C:\Users\Admin\AppData\Local\Temp\_MEI30802\_decimal.pyd
| MD5 | 8a2ee9274d90698478e4f2f56d8b532e |
| SHA1 | 1a8f9adcd1cb707e247fb06c30e3e79317088f67 |
| SHA256 | 6d940fa068c93f295c3ac63ad6cc54a500db5f24b3c0840dbfb383b92519c35a |
| SHA512 | a85241481a67fe295f6b6a1b9b5a59a7b2a18b75050068fcd16ba048564d5aa774896953241b574084e477dc198fbefdc8c6004d120d95085b88aca42b38ce9b |
C:\Users\Admin\AppData\Local\Temp\_MEI30802\_bz2.pyd
| MD5 | a62207fc33140de460444e191ae19b74 |
| SHA1 | 9327d3d4f9d56f1846781bcb0a05719dea462d74 |
| SHA256 | ebcac51449f323ae3ae961a33843029c34b6a82138ccd9214cf99f98dd2148c2 |
| SHA512 | 90f9db9ee225958cb3e872b79f2c70cb1fd2248ebaa8f3282afff9250285852156bf668f5cfec49a4591b416ce7ebaaac62d2d887152f5356512f2347e3762b7 |
C:\Users\Admin\AppData\Local\Temp\_MEI30802\unicodedata.pyd
| MD5 | 50c7d2568ee2a46fd2f53d12437225d8 |
| SHA1 | 76de26495be7d4bda80dfea97e22adb6fc715ad1 |
| SHA256 | 9bb7b54602322c15eb62c38af3c4abcce3b51789cd5b6cce82260b857e0fad28 |
| SHA512 | b3068468ad9f8472e38c24da47b8b00da54dec0be854b42c72940ba23b3d5f8a03222a4bb5896fa75306a453cee8e8d61d14f304f63d25a50df03d359cfd6b19 |
C:\Users\Admin\AppData\Local\Temp\_MEI30802\select.pyd
| MD5 | 756c95d4d9b7820b00a3099faf3f4f51 |
| SHA1 | 893954a45c75fb45fe8048a804990ca33f7c072d |
| SHA256 | 13e4d9a734a453a3613e11b6a518430099ad7e3d874ea407d1f9625b7f60268a |
| SHA512 | 0f54f0262cf8d71f00bf5666eb15541c6ecc5246cd298efd3b7dd39cdd29553a8242d204c42cfb28c537c3d61580153200373c34a94769f102b3baa288f6c398 |
C:\Users\Admin\AppData\Local\Temp\_MEI30802\libcrypto-1_1.dll
| MD5 | 1f548445456ea9e3c43bb690d60eeada |
| SHA1 | efb7165f99cc2934ae83a3758b346280d7852949 |
| SHA256 | a16b8368869b3e5a0d66ce5b2e1a181d3b13ec3fb9305b6247dd5656a78c4f29 |
| SHA512 | e6d5d419efdd6963f8e7cc33906e1f7eaddc37815419a494a8d601727d78a0f8947de156bf1a330314a825fa6962fa412fbd2d1e8f8918a8635b982086d1d4f5 |
C:\Users\Admin\AppData\Local\Temp\_MEI30802\_ctypes.pyd
| MD5 | 9b344f8d7ce5b57e397a475847cc5f66 |
| SHA1 | aff1ccc2608da022ecc8d0aba65d304fe74cdf71 |
| SHA256 | b1214d7b7efd9d4b0f465ec3463512a1cbc5f59686267030f072e6ce4b2a95cf |
| SHA512 | 2b0d9e1b550bf108fa842324ab26555f2a224aefff517fdb16df85693e05adaf0d77ebe49382848f1ec68dc9b5ae75027a62c33721e42a1566274d1a2b1baa41 |
C:\Users\Admin\AppData\Local\Temp\_MEI30802\base_library.zip
| MD5 | 90dd02c9ce097f0b486ee6cb4348a520 |
| SHA1 | 6c0438f7ed3f7bde81c8545958219eb3d964110d |
| SHA256 | 740c9f22a3656455a76e4983010bc5d542b2c13e2a34c2d3470f5bceffed31ce |
| SHA512 | 3658ce031c123cf0cde3721232a0470d4371e7bf2bed0a1d4881d21e8aed632778f774d45feb6cb7d5c2c3c32747f94bbb80682901356a2e62717f123b6a5d62 |
C:\Users\Admin\AppData\Local\Temp\_MEI30802\python311.dll
| MD5 | 582833144e887168774f56a01fdf1457 |
| SHA1 | ec47e48a6c4be7faada062c3b092c966ee4af962 |
| SHA256 | 3ef32179471862e13d1b5069b4691038f96d6a923b02fba6ee4933c001d568fc |
| SHA512 | 036fa5db6a719b4bdda259e2e0ca8d1d5a8c55d43df1f69876dcba5e86b78d671573eee702f60748b1a8ba53cbf3d3a7e2b06816b2e508ec72627e86cd087a92 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 22:05
Reported
2024-06-06 22:16
Platform
win11-20240508-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SOSA.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding