Analysis Overview
SHA256
624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030
Threat Level: Shows suspicious behavior
The file 624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 11:33
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
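The "Detects Pyinstaller" signature above reports no indicator, so the following is an added example, not the sandbox's own rule and not code from the sample, of the check a reviewer would run by hand: PyInstaller onefile executables carry a trailer ("cookie") after the bootloader PE that starts with the bytes `MEI\x0c\x0b\x0a\x0b\x0e` and gives the offsets of a table of contents for the embedded archive. The parser below locates that trailer, handles both the 24-byte (PyInstaller 2.0) and 88-byte (2.1 and later) layouts, validates that its offsets fit inside the file, and lists the archive entries. `build_sample_bundle` is a constructed stand-in used so the block runs offline; the entry names it embeds (python27.dll, 1.exe.manifest) are taken from the Files tables below, but the bytes are not the real sample.

```python
import struct

# Trailer that the PyInstaller bootloader appends to a onefile executable.
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_V20 = struct.Struct("!8siiii")      # PyInstaller 2.0: magic, pkg_len, toc_pos, toc_len, pyver
COOKIE_V21 = struct.Struct("!8siiii64s")   # PyInstaller 2.1+: same fields plus the pylib name
TOC_HEAD = struct.Struct("!iIIIBc")        # entry_len, data_pos, cdata_len, udata_len, compressed, typecode


def parse_pyinstaller(data: bytes):
    """Return a dict describing the embedded CArchive, or None if this is not a PyInstaller bundle."""
    magic_at = data.rfind(PYINST_MAGIC)    # the cookie is the last thing in the overlay (unsigned PE)
    if magic_at < 0:
        return None
    tail = data[magic_at:]
    if len(tail) >= COOKIE_V21.size and b"python" in tail[24:88].lower():
        _, pkg_len, toc_pos, toc_len, pyver, pylib = COOKIE_V21.unpack_from(tail)
        cookie_size, layout = COOKIE_V21.size, "2.1+"
        pylib = pylib.rstrip(b"\x00").decode("ascii", "replace")
    elif len(tail) >= COOKIE_V20.size:
        _, pkg_len, toc_pos, toc_len, pyver = COOKIE_V20.unpack_from(tail)
        cookie_size, layout, pylib = COOKIE_V20.size, "2.0", None
    else:
        return None
    # pkg_len counts from the archive start up to and including the cookie.
    archive_start = magic_at + cookie_size - pkg_len
    if archive_start < 0 or toc_pos < 0 or toc_len < 0 or toc_pos + toc_len > pkg_len:
        return None                        # magic found but offsets do not fit: corrupt or a false hit
    toc = data[archive_start + toc_pos: archive_start + toc_pos + toc_len]
    entries, off = [], 0
    while off + TOC_HEAD.size <= len(toc):
        entry_len, pos, clen, ulen, cflag, typ = TOC_HEAD.unpack_from(toc, off)
        if entry_len <= TOC_HEAD.size:
            return None                    # a zero/short entry length would otherwise loop forever
        name = toc[off + TOC_HEAD.size: off + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        entries.append({"name": name, "type": typ.decode("ascii", "replace"),
                        "compressed": bool(cflag), "offset": pos, "size": ulen})
        off += entry_len
    # pyver is 27 for Python 2.7 (newer PyInstaller releases encode 3.10 as 310).
    return {"layout": layout, "python_version": pyver, "pylib": pylib, "entries": entries}


def build_sample_bundle(pyver=27, pylib=b"python27.dll", legacy=False):
    """Constructed test input: a fake stub, two archive entries, a TOC and a cookie (not a real PE)."""
    stub = b"MZ" + b"\x00" * 62
    blobs = [(b"python27.dll", b"b", b"\x00" * 16), (b"1.exe.manifest", b"x", b"<assembly/>")]
    payload, toc = b"", b""
    for name, typ, body in blobs:
        entry_len = TOC_HEAD.size + len(name) + 1          # name is NUL-terminated
        toc += TOC_HEAD.pack(entry_len, len(payload), len(body), len(body), 0, typ) + name + b"\x00"
        payload += body
    cookie_fmt = COOKIE_V20 if legacy else COOKIE_V21
    pkg_len = len(payload) + len(toc) + cookie_fmt.size
    fields = [PYINST_MAGIC, pkg_len, len(payload), len(toc), pyver]
    if not legacy:
        fields.append(pylib.ljust(64, b"\x00"))
    return stub + payload + toc + cookie_fmt.pack(*fields)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_bundle()
    print(parse_pyinstaller(blob))
```

Run it against the sample and compare the entry names with the Files tables below: python27.dll, MSVCR90.dll and the .pyd modules are the bundled runtime and extension modules (typecode `b`), which the bootloader writes to `_MEI<pid>2` before starting its child. The script that actually does the work is stored as an `s` entry and is executed from the archive in memory, so it never appears among the dropped files; the TOC offsets are what you use to pull it out of the archive for review (zlib-compressed when the `compressed` flag is set).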
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 11:33
Reported
2024-06-06 11:36
Platform
win7-20240419-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1996 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe | C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe |
| PID 1996 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe | C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe |
| PID 1996 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe | C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe
"C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe"
C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe
"C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bbaa10.oss-cn-beijing.aliyuncs.com | udp |
| CN | 39.97.203.5:443 | bbaa10.oss-cn-beijing.aliyuncs.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI19962\1.exe.manifest
| MD5 | 218a6c7378d73f3be8fe34a295ff7114 |
| SHA1 | 7df05e25e19f6c543edc25a7eb47bb40355edcb6 |
| SHA256 | 6f3ba388b3393c3bf33a321cf748b4e3b744e15245a3db706cd1e155cb58a767 |
| SHA512 | efec9e64ffb130a289573863f2f3645412af6dcffe7e54828832a5c58a52489b04be46bb9f05d7ff324371f762532353fb89b1d5ee4c0618ea1df674cb2a4e7d |
C:\Users\Admin\AppData\Local\Temp\_MEI19962\python27.dll
| MD5 | 4fc438493188550ea7dfb0cc153b4983 |
| SHA1 | 2e7e79cee5ca14a584c49d7222cecd4a53beac41 |
| SHA256 | 2ae1f70a99a8f760d3883258f0f69ae759b48270b07036e41b1e887add0c3cfc |
| SHA512 | 5f91ddf65fa94129c2e483400327d564a8ce3e3b9dea3a5294fdb6bbd5ee599f89003da8922d1f3904dbab7bd0d4b23fc355f1854e6b34a7f012c1065e88053e |
C:\Users\Admin\AppData\Local\Temp\_MEI19962\MSVCR90.dll
| MD5 | 552cf56353af11ce8e0d10ee12fdcd85 |
| SHA1 | 6ab062b709f851a9576685fe0410ff9f1a4af670 |
| SHA256 | e88299ea1a140ff758163dfff179fff3bc5e90e7cfbbd178d0c886dbad184012 |
| SHA512 | 122f389e7047b728b27f3c964d34b9c8bcae7c36177122e6aa997a6edadad20b14552879f60667a084d34727cb2c85dd5534b6fa7a451f0ab33555b315335457 |
\Users\Admin\AppData\Local\Temp\_MEI19962\Crypto.Cipher._AES.pyd
| MD5 | 08f34628635dfc6494a8a71232d42826 |
| SHA1 | 68d17b2697c953204dca06e726f18a8f50029daf |
| SHA256 | 2eacb1a87c4ad07873e27a9a40bf87d8b10041d1a4c9768de4eac7248244c4a7 |
| SHA512 | 12c32435ca8e16996a4788059aed452097380e4b76347f41b0c5979b0131fdd8854e2d3816b6fdac679491dff32a33df932b1527a42e11889032ce10c9ae7531 |
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_hashlib.pyd
| MD5 | 6f784c403e2097d11331f8778f6d9d2c |
| SHA1 | 64ecd6ee875f89a88204e673acae9547992fd085 |
| SHA256 | cda9a6478417629cb40809aad57bd5a884f183333506d00008d16e47368fd633 |
| SHA512 | c1fbd548f03a46ee19cd003831bcb53df204cd1c71ab672955a2ff19267c523a17970f8fb9586e712665c09b54c19338037a38a425dacb857aae5b6162fa282c |
\Users\Admin\AppData\Local\Temp\_MEI19962\_ssl.pyd
| MD5 | 9c6d526768f8395aecff0af0d27f0063 |
| SHA1 | a580e2782c31ffb9365ea31dce8b337aae9eee07 |
| SHA256 | 2c4cb4459c37a2152698e19f27350a7dbf56c51509689b1d7a65c60fb5a75751 |
| SHA512 | 52bc14aa9f6bb6822740b7be98187fba1adf86f484e130ac6df3fad6e456b41288cbb9c8abf9d7af8730e9c0f7438ed362582ee7f39a5cab9cf471bb5b84b9eb |
\Users\Admin\AppData\Local\Temp\_MEI19962\_socket.pyd
| MD5 | f28dc3a4451c29fea272d7ae063425c5 |
| SHA1 | ece376146a7115cd5b1ad141a59fff25b6da6a5d |
| SHA256 | a75aa54781de3c97f5b4c2e0389d5ad39602cda6fcd5a3810667a4cf24f4286a |
| SHA512 | 746b1b608c457cdf8aa784683533e1220c60dd689f7f5266013f1194e9fd091123eb11d697119b9de65686019176062eb9aba04d2845930369829182a399b5e5 |
\Users\Admin\AppData\Local\Temp\_MEI19962\_ctypes.pyd
| MD5 | 28e5d05ab42adb1e7ada35f1eef1b32b |
| SHA1 | 0792867716c8a933305455a2c7f39d30807dad65 |
| SHA256 | a93e3bfe62afa5062c6257a7f347d715af346ac3aec7999b8d86a9f2580ec176 |
| SHA512 | 0cb08ec46068e20a2df3fc0e69bceba5b8a807aeb580002e846d9272fea7a6ee24b8f2c571571677b61dd8c58eb998c26a656193798de5075c6943f6d701c569 |
C:\Users\Admin\AppData\Local\Temp\_MEI19962\select.pyd
| MD5 | c76ccf3e7883917832c3b2fa2b980aa1 |
| SHA1 | f35f0424522f3986f5917725b8c0b515bd80bf46 |
| SHA256 | 417ecb5fe0caf271ae53fd9132f4a6d50cb5304d586548f964a546cd5858f347 |
| SHA512 | 44e15c8b0d61c2b7f9dba92d0c43acb8d0a27b1c7fc58b9f1a89d39ae7ceabc5b7df5d8b2592949f014e34a04b0592189a5d1fe7551a0b59bd9499c0a7d16d8b |
\Users\Admin\AppData\Local\Temp\_MEI19962\unicodedata.pyd
| MD5 | 6c38211cc951d7800cb961f4bb16716c |
| SHA1 | fe49ce52862fa87fc6c2ae8731a3c22b69dcd3ba |
| SHA256 | 45edce458a292465d784e07a3ffd46580aab0a4f925c40704bc45a60325e7537 |
| SHA512 | 4eb5daabfdb599e466b17ef541809cae9fb83994be28ba2b3401a79e5b94e6d991aa1821c22f54c6ea90b866ce4f6f9c857053eb4f37b3751dcf25806ed4e674 |
\Users\Admin\AppData\Local\Temp\_MEI19962\bz2.pyd
| MD5 | 51fdb7790e680a394e9936498d3a73fa |
| SHA1 | fab9f97feee68fbd9225de051349ac3258920fa2 |
| SHA256 | 985902e0813564981059c2f57282614f5a907dc3df0273ba7bef2ad64123c921 |
| SHA512 | 594153dd913a3369d310980b0e53bc6a10174e18b0b416dc1b86b2401b4bd94546bee9fbde7421e102490ccba4c8a8d7b91b3df5e3c0506cc98b51bc63e15c50 |
memory/1996-36-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1052-37-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1052-40-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1996-45-0x0000000000400000-0x0000000000444000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 11:33
Reported
2024-06-06 11:36
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4764 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe | C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe |
| PID 4764 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe | C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe
"C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe"
C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe
"C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4368 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bbaa10.oss-cn-beijing.aliyuncs.com | udp |
| CN | 39.97.203.5:443 | bbaa10.oss-cn-beijing.aliyuncs.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.200.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 10.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI47642\1.exe.manifest
| MD5 | 218a6c7378d73f3be8fe34a295ff7114 |
| SHA1 | 7df05e25e19f6c543edc25a7eb47bb40355edcb6 |
| SHA256 | 6f3ba388b3393c3bf33a321cf748b4e3b744e15245a3db706cd1e155cb58a767 |
| SHA512 | efec9e64ffb130a289573863f2f3645412af6dcffe7e54828832a5c58a52489b04be46bb9f05d7ff324371f762532353fb89b1d5ee4c0618ea1df674cb2a4e7d |
C:\Users\Admin\AppData\Local\Temp\_MEI47642\python27.dll
| MD5 | 4fc438493188550ea7dfb0cc153b4983 |
| SHA1 | 2e7e79cee5ca14a584c49d7222cecd4a53beac41 |
| SHA256 | 2ae1f70a99a8f760d3883258f0f69ae759b48270b07036e41b1e887add0c3cfc |
| SHA512 | 5f91ddf65fa94129c2e483400327d564a8ce3e3b9dea3a5294fdb6bbd5ee599f89003da8922d1f3904dbab7bd0d4b23fc355f1854e6b34a7f012c1065e88053e |
C:\Users\Admin\AppData\Local\Temp\_MEI47642\Crypto.Cipher._AES.pyd
| MD5 | 08f34628635dfc6494a8a71232d42826 |
| SHA1 | 68d17b2697c953204dca06e726f18a8f50029daf |
| SHA256 | 2eacb1a87c4ad07873e27a9a40bf87d8b10041d1a4c9768de4eac7248244c4a7 |
| SHA512 | 12c32435ca8e16996a4788059aed452097380e4b76347f41b0c5979b0131fdd8854e2d3816b6fdac679491dff32a33df932b1527a42e11889032ce10c9ae7531 |
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_ctypes.pyd
| MD5 | 28e5d05ab42adb1e7ada35f1eef1b32b |
| SHA1 | 0792867716c8a933305455a2c7f39d30807dad65 |
| SHA256 | a93e3bfe62afa5062c6257a7f347d715af346ac3aec7999b8d86a9f2580ec176 |
| SHA512 | 0cb08ec46068e20a2df3fc0e69bceba5b8a807aeb580002e846d9272fea7a6ee24b8f2c571571677b61dd8c58eb998c26a656193798de5075c6943f6d701c569 |
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_socket.pyd
| MD5 | f28dc3a4451c29fea272d7ae063425c5 |
| SHA1 | ece376146a7115cd5b1ad141a59fff25b6da6a5d |
| SHA256 | a75aa54781de3c97f5b4c2e0389d5ad39602cda6fcd5a3810667a4cf24f4286a |
| SHA512 | 746b1b608c457cdf8aa784683533e1220c60dd689f7f5266013f1194e9fd091123eb11d697119b9de65686019176062eb9aba04d2845930369829182a399b5e5 |
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_ssl.pyd
| MD5 | 9c6d526768f8395aecff0af0d27f0063 |
| SHA1 | a580e2782c31ffb9365ea31dce8b337aae9eee07 |
| SHA256 | 2c4cb4459c37a2152698e19f27350a7dbf56c51509689b1d7a65c60fb5a75751 |
| SHA512 | 52bc14aa9f6bb6822740b7be98187fba1adf86f484e130ac6df3fad6e456b41288cbb9c8abf9d7af8730e9c0f7438ed362582ee7f39a5cab9cf471bb5b84b9eb |
C:\Users\Admin\AppData\Local\Temp\_MEI47642\_hashlib.pyd
| MD5 | 6f784c403e2097d11331f8778f6d9d2c |
| SHA1 | 64ecd6ee875f89a88204e673acae9547992fd085 |
| SHA256 | cda9a6478417629cb40809aad57bd5a884f183333506d00008d16e47368fd633 |
| SHA512 | c1fbd548f03a46ee19cd003831bcb53df204cd1c71ab672955a2ff19267c523a17970f8fb9586e712665c09b54c19338037a38a425dacb857aae5b6162fa282c |
C:\Users\Admin\AppData\Local\Temp\_MEI47642\select.pyd
| MD5 | c76ccf3e7883917832c3b2fa2b980aa1 |
| SHA1 | f35f0424522f3986f5917725b8c0b515bd80bf46 |
| SHA256 | 417ecb5fe0caf271ae53fd9132f4a6d50cb5304d586548f964a546cd5858f347 |
| SHA512 | 44e15c8b0d61c2b7f9dba92d0c43acb8d0a27b1c7fc58b9f1a89d39ae7ceabc5b7df5d8b2592949f014e34a04b0592189a5d1fe7551a0b59bd9499c0a7d16d8b |
C:\Users\Admin\AppData\Local\Temp\_MEI47642\bz2.pyd
| MD5 | 51fdb7790e680a394e9936498d3a73fa |
| SHA1 | fab9f97feee68fbd9225de051349ac3258920fa2 |
| SHA256 | 985902e0813564981059c2f57282614f5a907dc3df0273ba7bef2ad64123c921 |
| SHA512 | 594153dd913a3369d310980b0e53bc6a10174e18b0b416dc1b86b2401b4bd94546bee9fbde7421e102490ccba4c8a8d7b91b3df5e3c0506cc98b51bc63e15c50 |
C:\Users\Admin\AppData\Local\Temp\_MEI47642\unicodedata.pyd
| MD5 | 6c38211cc951d7800cb961f4bb16716c |
| SHA1 | fe49ce52862fa87fc6c2ae8731a3c22b69dcd3ba |
| SHA256 | 45edce458a292465d784e07a3ffd46580aab0a4f925c40704bc45a60325e7537 |
| SHA512 | 4eb5daabfdb599e466b17ef541809cae9fb83994be28ba2b3401a79e5b94e6d991aa1821c22f54c6ea90b866ce4f6f9c857053eb4f37b3751dcf25806ed4e674 |
memory/4764-34-0x0000000000400000-0x0000000000444000-memory.dmp
memory/5112-35-0x0000000000400000-0x0000000000444000-memory.dmp
memory/5112-38-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4764-44-0x0000000000400000-0x0000000000444000-memory.dmp
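A correlation pass over the behavioral1 and behavioral2 runs, added here as an example and not part of the report or the sandbox's own logic. It encodes three checks a reviewer makes on the tables above. First, the `_MEI<pid><n>` directory name: the PyInstaller bootloader names its extraction directory after its own PID plus a counter that starts at 2, so `_MEI19962` should belong to PID 1996 and `_MEI47642` to PID 4764, which ties the dropped files to the first process. Second, the WriteProcessMemory rows: in both runs the only writes are from the first process into its own child of the same image, which is the parent-to-child pattern a onefile bootloader produces when it spawns the child, not a write into a foreign process; the signature alone does not distinguish the two, so the check does. Third, the network table: reverse lookups (`*.in-addr.arpa`) are not indicators, and the resolver at 8.8.8.8:53 is only where a name was looked up, so the endpoint worth recording is the TLS connection to 39.97.203.5:443 for bbaa10.oss-cn-beijing.aliyuncs.com. The event lists below are constructed from the report's own PIDs, paths and rows (behavioral1); their shape is an assumption, not a sandbox export format.

```python
import re
from collections import defaultdict

# Constructed from the behavioral1 tables above; the record layout is an assumption for this example.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\624221975d061efb6924a4508d891756d1a915ff13ecf1e47a2651a96c5ee030.exe"
PROCESSES = [
    {"pid": 1996, "ppid": 0, "image": SAMPLE},       # bootloader (parent)
    {"pid": 1052, "ppid": 1996, "image": SAMPLE},    # child it spawns
]
MEMORY_WRITES = [(1996, 1052)] * 3                   # three "PID 1996 wrote to memory of 1052" rows
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\Temp\_MEI19962\python27.dll",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI19962\Crypto.Cipher._AES.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI19962\_ssl.pyd",
]
NETWORK = [                                          # (country, destination, domain, proto)
    ("US", "8.8.8.8:53", "bbaa10.oss-cn-beijing.aliyuncs.com", "udp"),
    ("CN", "39.97.203.5:443", "bbaa10.oss-cn-beijing.aliyuncs.com", "tcp"),
    ("US", "8.8.8.8:53", "203.107.17.2.in-addr.arpa", "udp"),
]
MEI_DIR = re.compile(r"\\_MEI(\d+)\\")


def mei_owner(path, live_pids):
    """Map a _MEI<pid><n> directory to the PID that created it, or None.

    The digits are <pid> followed by a counter that starts at 2, so every split of the digit
    string is tried and the first split whose PID is known wins (_MEI19962 -> 1996, counter 2)."""
    m = MEI_DIR.search(path)
    if not m:
        return None
    digits = m.group(1)
    for cut in range(1, len(digits)):
        pid, counter = int(digits[:cut]), int(digits[cut:])
        if counter >= 2 and pid in live_pids:
            return pid
    return None


def classify_writes(processes, writes):
    """Count parent->own-child writes into the same image separately from writes into a foreign
    process; only the latter has the shape of injection."""
    by_pid = {p["pid"]: p for p in processes}
    verdicts = defaultdict(int)
    for src, dst in writes:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s is None or d is None:
            verdicts["unknown-process"] += 1
        elif d["ppid"] == src and d["image"] == s["image"]:
            verdicts["self-child"] += 1
        else:
            verdicts["foreign-process"] += 1
    return dict(verdicts)


def network_iocs(rows):
    """Collapse the network table into domain -> connected endpoints. PTR lookups are dropped and a
    DNS query only registers the name; a name with an empty list was resolved but never contacted."""
    iocs = defaultdict(set)
    for _country, dst, domain, proto in rows:
        if domain.endswith(".in-addr.arpa"):
            continue                                 # reverse lookups of other hosts' addresses
        if proto == "udp" and dst.endswith(":53"):
            iocs[domain]                             # touch: the name was resolved
            continue
        iocs[domain].add(dst)
    return {d: sorted(e) for d, e in iocs.items()}


def triage(processes, writes, files, rows):
    pids = {p["pid"] for p in processes}
    return {
        "mei_owner": {path: mei_owner(path, pids) for path in files},
        "writes": classify_writes(processes, writes),
        "network": network_iocs(rows),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(PROCESSES, MEMORY_WRITES, DROPPED_FILES, NETWORK), indent=2))
```

For behavioral2 substitute PIDs 4764 and 5112 and the `_MEI47642` paths; the result is the same shape. That run also contains an msedge.exe utility process, and the chromewebstore.googleapis.com and pki.goog rows are consistent with its background traffic, but the report does not attribute connections to processes, so the function only removes reverse lookups and leaves allow-listing of known-benign domains to the reviewer.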