Analysis Overview
SHA256
2a8ba4d283359a72510de1816c834ee0b1274fc9cf8d04e1a44b13f5888f6c00
Threat Level: Shows suspicious behavior
The file Multitool.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 10:47
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 10:47
Reported
2024-06-06 10:51
Platform
win7-20240215-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Multitool.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2956 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\Multitool.exe | C:\Users\Admin\AppData\Local\Temp\Multitool.exe |
| PID 2956 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\Multitool.exe | C:\Users\Admin\AppData\Local\Temp\Multitool.exe |
| PID 2956 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\Multitool.exe | C:\Users\Admin\AppData\Local\Temp\Multitool.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Multitool.exe
"C:\Users\Admin\AppData\Local\Temp\Multitool.exe"
C:\Users\Admin\AppData\Local\Temp\Multitool.exe
"C:\Users\Admin\AppData\Local\Temp\Multitool.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI29562\python312.dll
| MD5 | 3c388ce47c0d9117d2a50b3fa5ac981d |
| SHA1 | 038484ff7460d03d1d36c23f0de4874cbaea2c48 |
| SHA256 | c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb |
| SHA512 | e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 10:47
Reported
2024-06-06 10:51
Platform
win10v2004-20240508-en
Max time kernel
131s
Max time network
101s
Command Line
Signatures
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3388 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\Multitool.exe | C:\Users\Admin\AppData\Local\Temp\Multitool.exe |
| PID 3388 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\Multitool.exe | C:\Users\Admin\AppData\Local\Temp\Multitool.exe |
| PID 4528 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\Multitool.exe | C:\Windows\system32\cmd.exe |
| PID 4528 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\Multitool.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Multitool.exe
"C:\Users\Admin\AppData\Local\Temp\Multitool.exe"
C:\Users\Admin\AppData\Local\Temp\Multitool.exe
"C:\Users\Admin\AppData\Local\Temp\Multitool.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls & title Vertex Multi
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI33882\python312.dll
| MD5 | 3c388ce47c0d9117d2a50b3fa5ac981d |
| SHA1 | 038484ff7460d03d1d36c23f0de4874cbaea2c48 |
| SHA256 | c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb |
| SHA512 | e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35 |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\base_library.zip
| MD5 | 08332a62eb782d03b959ba64013ac5bc |
| SHA1 | b70b6ae91f1bded398ca3f62e883ae75e9966041 |
| SHA256 | 8584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288 |
| SHA512 | a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087 |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\_ctypes.pyd
| MD5 | bbd5533fc875a4a075097a7c6aba865e |
| SHA1 | ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00 |
| SHA256 | be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570 |
| SHA512 | 23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\_wmi.pyd
| MD5 | 7ec3fc12c75268972078b1c50c133e9b |
| SHA1 | 73f9cf237fe773178a997ad8ec6cd3ac0757c71e |
| SHA256 | 1a105311a5ed88a31472b141b4b6daa388a1cd359fe705d9a7a4aba793c5749f |
| SHA512 | 441f18e8ce07498bc65575e1ae86c1636e1ceb126af937e2547710131376be7b4cb0792403409a81b5c6d897b239f26ec9f36388069e324249778a052746795e |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\_uuid.pyd
| MD5 | 353e11301ea38261e6b1cb261a81e0fe |
| SHA1 | 607c5ebe67e29eabc61978fb52e4ec23b9a3348e |
| SHA256 | d132f754471bd8a6f6d7816453c2e542f250a4d8089b657392fe61a500ae7899 |
| SHA512 | fa990b3e9619d59ae3ad0aeffca7a3513ab143bfd0ac9277e711519010f7c453258a4b041be86a275f3c365e980fc857c23563f3b393d1e3a223973a673e88c5 |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\_ssl.pyd
| MD5 | 5b9b3f978d07e5a9d701f832463fc29d |
| SHA1 | 0fcd7342772ad0797c9cb891bf17e6a10c2b155b |
| SHA256 | d568b3c99bf0fc35a1f3c5f66b4a9d3b67e23a1d3cf0a4d30499d924d805f5aa |
| SHA512 | e4db56c8e0e9ba0db7004463bf30364a4e4ab0b545fb09f40d2dba67b79b6b1c1db07df1f017501e074abd454d1e37a4167f29e7bbb0d4f8958fa0a2e9f4e405 |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\_socket.pyd
| MD5 | dc06f8d5508be059eae9e29d5ba7e9ec |
| SHA1 | d666c88979075d3b0c6fd3be7c595e83e0cb4e82 |
| SHA256 | 7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a |
| SHA512 | 57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3 |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\_queue.pyd
| MD5 | 6e0cb85dc94e351474d7625f63e49b22 |
| SHA1 | 66737402f76862eb2278e822b94e0d12dcb063c5 |
| SHA256 | 3f57f29abd86d4dc8f4ca6c3f190ebb57d429143d98f0636ff5117e08ed81f9b |
| SHA512 | 1984b2fc7f9bbdf5ba66716fc60dcfd237f38e2680f2fc61f141ff7e865c0dbdd7cdc47b3bc490b426c6cfe9f3f9e340963abf428ea79eb794b0be7d13001f6a |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\_lzma.pyd
| MD5 | 05e8b2c429aff98b3ae6adc842fb56a3 |
| SHA1 | 834ddbced68db4fe17c283ab63b2faa2e4163824 |
| SHA256 | a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c |
| SHA512 | badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3 |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\_hashlib.pyd
| MD5 | eedb6d834d96a3dffffb1f65b5f7e5be |
| SHA1 | ed6735cfdd0d1ec21c7568a9923eb377e54b308d |
| SHA256 | 79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2 |
| SHA512 | 527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\_decimal.pyd
| MD5 | 3055edf761508190b576e9bf904003aa |
| SHA1 | f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890 |
| SHA256 | e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577 |
| SHA512 | 87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248 |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\_bz2.pyd
| MD5 | 223fd6748cae86e8c2d5618085c768ac |
| SHA1 | dcb589f2265728fe97156814cbe6ff3303cd05d3 |
| SHA256 | f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb |
| SHA512 | 9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6 |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\VCRUNTIME140_1.dll
| MD5 | f8dfa78045620cf8a732e67d1b1eb53d |
| SHA1 | ff9a604d8c99405bfdbbf4295825d3fcbc792704 |
| SHA256 | a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5 |
| SHA512 | ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371 |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\unicodedata.pyd
| MD5 | 16be9a6f941f1a2cb6b5fca766309b2c |
| SHA1 | 17b23ae0e6a11d5b8159c748073e36a936f3316a |
| SHA256 | 10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04 |
| SHA512 | 64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\select.pyd
| MD5 | 92b440ca45447ec33e884752e4c65b07 |
| SHA1 | 5477e21bb511cc33c988140521a4f8c11a427bcc |
| SHA256 | 680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3 |
| SHA512 | 40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191 |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\requirements.txt
| MD5 | beaf4eef32cd964f7f2a06efb7f8bbce |
| SHA1 | bfaadd6bdbe7102a34df949c282e6ed409d44900 |
| SHA256 | 2b34709ebb78a2fc11f627914fa25fdc48f8bbf14a0f52d9924cb7d4a21978c5 |
| SHA512 | 0a5153be4579674e886978c854e2650c927256443a8c6d65ea1c1b72a9c03ddc28ff2fc5af6711ae2747c4ab7272621992ef5ad7692be374a249a05f62c0b860 |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\libssl-3.dll
| MD5 | 19a2aba25456181d5fb572d88ac0e73e |
| SHA1 | 656ca8cdfc9c3a6379536e2027e93408851483db |
| SHA256 | 2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006 |
| SHA512 | df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337 |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\libcrypto-3.dll
| MD5 | e547cf6d296a88f5b1c352c116df7c0c |
| SHA1 | cafa14e0367f7c13ad140fd556f10f320a039783 |
| SHA256 | 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de |
| SHA512 | 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\keyauth.py
| MD5 | e9fe20ffffaab33fd117be60590a8c09 |
| SHA1 | 14eab8a49487748685b6f5528b985581fca8ee20 |
| SHA256 | 1129d1665951a2294fdbb6b7cfc4652812a62dcb8dc94398068cf135f0eebc08 |
| SHA512 | b57fb901ae5cc8470491b7eb1be6c3e6ac4322d2c8b7721dd4c835e62fc2a364ec65aeec620978be6df9382fc0311e4192d5cbdbceee280cbde424b818b62a4a |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\charset_normalizer\md__mypyc.cp312-win_amd64.pyd
| MD5 | bf9a9da1cf3c98346002648c3eae6dcf |
| SHA1 | db16c09fdc1722631a7a9c465bfe173d94eb5d8b |
| SHA256 | 4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637 |
| SHA512 | 7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654 |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\certifi\cacert.pem
| MD5 | 2a6bef11d1f4672f86d3321b38f81220 |
| SHA1 | b4146c66e7e24312882d33b16b2ee140cb764b0e |
| SHA256 | 1605d0d39c5e25d67e7838da6a17dcf2e8c6cfa79030e8fb0318e35f5495493c |
| SHA512 | 500dfff929d803b0121796e8c1a30bdfcb149318a4a4de460451e093e4cbd568cd12ab20d0294e0bfa7efbd001de968cca4c61072218441d4fa7fd9edf7236d9 |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\charset_normalizer\md.cp312-win_amd64.pyd
| MD5 | d9e0217a89d9b9d1d778f7e197e0c191 |
| SHA1 | ec692661fcc0b89e0c3bde1773a6168d285b4f0d |
| SHA256 | ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0 |
| SHA512 | 3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\win32\win32security.pyd
| MD5 | 76ee72ec1b9c2aca5a2386a18d48861d |
| SHA1 | f9fb5ee06c3a629d8efedf3877594006b7441961 |
| SHA256 | 5dfe8a5ca163a200fb4d2912be97877a5bdf571539db8718b8b467d92c3adb91 |
| SHA512 | 6bf9e38a62f92b54e64d18725bf76fdfc6ae2ad1c6d94a9ce52e6e038a8092530fc20f497250fb693c74857a237aa33992deb3320b5fe1aa8be856d1cc1e3c54 |
C:\Users\Admin\AppData\Local\Temp\_MEI33882\pywin32_system32\pywintypes312.dll
| MD5 | 26d752c8896b324ffd12827a5e4b2808 |
| SHA1 | 447979fa03f78cb7210a4e4ba365085ab2f42c22 |
| SHA256 | bd33548dbdbb178873be92901b282bad9c6817e3eac154ca50a666d5753fd7ec |
| SHA512 | 99c87ab9920e79a03169b29a2f838d568ca4d4056b54a67bc51caf5c0ff5a4897ed02533ba504f884c6f983ebc400743e6ad52ac451821385b1e25c3b1ebcee0 |