Malware Analysis Report

2024-11-13 15:29

Sample ID 240606-rnfsnagc38
Target Loader (fixed).exe
SHA256 0e75bf7335c8e883b98a73ecb84c9252dc9eeb59b3c6173b6132c863a070cda9
Tags
upx pyinstaller
score
7/10

Analysis Overview

score
7/10

SHA256

0e75bf7335c8e883b98a73ecb84c9252dc9eeb59b3c6173b6132c863a070cda9

Threat Level: Shows suspicious behavior

The file Loader (fixed).exe was found to show suspicious behavior.

Malicious Activity Summary

upx pyinstaller

Loads dropped DLL

UPX packed file

Detects Pyinstaller

Unsigned PE

Detects videocard installed

Enumerates processes with tasklist

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 14:20

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 14:20

Reported

2024-06-06 14:23

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
(30 identical rows) N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe N/A

UPX packed file

upx
Description Indicator Process Target
(64 identical rows) N/A N/A N/A N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4832 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe
PID 4832 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe
PID 4136 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Windows\system32\cmd.exe
PID 4136 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Windows\system32\cmd.exe
PID 4136 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Windows\system32\cmd.exe
PID 4136 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Windows\system32\cmd.exe
PID 4136 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Windows\system32\cmd.exe
PID 4136 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Windows\system32\cmd.exe
PID 4136 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Windows\system32\cmd.exe
PID 4136 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Windows\system32\cmd.exe
PID 4136 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Windows\system32\cmd.exe
PID 4136 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Windows\system32\cmd.exe
PID 4908 wrote to memory of 2332 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4908 wrote to memory of 2332 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2884 wrote to memory of 4560 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2884 wrote to memory of 4560 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3988 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3988 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4136 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Windows\system32\cmd.exe
PID 4136 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Windows\system32\cmd.exe
PID 4420 wrote to memory of 3416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4420 wrote to memory of 3416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4136 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Windows\system32\cmd.exe
PID 4136 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Windows\system32\cmd.exe
PID 4136 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Windows\system32\cmd.exe
PID 4136 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 1536 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2244 wrote to memory of 1536 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 408 wrote to memory of 3912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 408 wrote to memory of 3912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe

"C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe"

C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe

"C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "gdb --version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get Manufacturer

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 127.0.0.1:49952 tcp
N/A 127.0.0.1:49987 tcp
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI48322\python310.dll

MD5 196deb9a74e6e9e242f04008ea80f7d3
SHA1 a54373ebad306f3e6f585bcdf1544fbdcf9c0386
SHA256 20b004bfe69166c4961fee93163e795746df39fb31dc67399c0fde57f551eb75
SHA512 8c226d3ef21f3ddeee14a098c60ef030fa78590e9505d015ce63ea5e5bbcea2e105ff818e94653df1bddc9ba6ed3b376a1dff5c19266b623fa22cd75ac263b68

memory/4136-49-0x00007FF9D6310000-0x00007FF9D677E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\VCRUNTIME140.dll

MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

C:\Users\Admin\AppData\Local\Temp\_MEI48322\base_library.zip

MD5 fbd6be906ac7cd45f1d98f5cb05f8275
SHA1 5d563877a549f493da805b4d049641604a6a0408
SHA256 ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0
SHA512 1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

C:\Users\Admin\AppData\Local\Temp\_MEI48322\_ctypes.pyd

MD5 f0077496f3bb6ea93da1d7b5ea1511c2
SHA1 a901ad6e13c1568d023c0dcb2b7d995c68ed2f6a
SHA256 0269ae71e9a7b006aab0802e72987fc308a6f94921d1c9b83c52c636e45035a0
SHA512 4f188746a77ad1c92cefa615278d321912c325a800aa67abb006821a6bdffc145c204c9da6b11474f44faf23376ff7391b94f4a51e6949a1d2576d79db7f27ef

C:\Users\Admin\AppData\Local\Temp\_MEI48322\python3.DLL

MD5 c17b7a4b853827f538576f4c3521c653
SHA1 6115047d02fbbad4ff32afb4ebd439f5d529485a
SHA256 d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68
SHA512 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

C:\Users\Admin\AppData\Local\Temp\_MEI48322\libffi-7.dll

MD5 8e1d2a11b94e84eaa382d6a680d93f17
SHA1 07750d78022d387292525a7d8385687229795cf1
SHA256 090a90cd17b74abefddf9f82d145effe5c676e7c62cf1a59834528f512d7ee82
SHA512 213bf92a707b14211941e5e071f1926be4b5795babc6df0d168b623ecd6cb7c7e0ae4320369c51d75c75b38ec282b5bf77f15eb94018ae74c8fd14f328b45a4e

memory/4136-60-0x00007FF9E7A70000-0x00007FF9E7A7F000-memory.dmp

memory/4136-59-0x00007FF9E7730000-0x00007FF9E7754000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\_socket.pyd

MD5 02adf34fc4cf0cbb7da84948c6e0a6ce
SHA1 4d5d1adaf743b6bd324642e28d78331059e3342b
SHA256 e92b5042b4a1ca76b84d3070e4adddf100ba5a56cf8e7fcd4dd1483830d786a5
SHA512 da133fc0f9fefed3b483ba782948fcdc508c50ffc141e5e1e29a7ec2628622cdd606c0b0a949098b48ee3f54cdb604842e3ca268c27bc23f169fced3d2fbd0a5

memory/4136-63-0x00007FF9E7500000-0x00007FF9E7519000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\select.pyd

MD5 16be2c5990fe8df5a6d98b0ba173084d
SHA1 572cb2107ff287928501dc8f5ae4a748e911d82d
SHA256 65de0eb0f1aa5830a99d46a1b2260aaa0608ed28e33a4b0ffe43fd891f426f76
SHA512 afa991c407548da16150ad6792a5233688cc042585538d510ac99c2cb1a6ee2144f31aa639065da4c2670f54f947947860a90ec1bde7c2afaa250e758b956dbf

memory/4136-66-0x00007FF9E7970000-0x00007FF9E797D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\_bz2.pyd

MD5 d584d4cfc04f616d406ec196997e706c
SHA1 b7fe2283e5b882823ee0ffcf92c4dd05f195dc4c
SHA256 e1ea9bb42b4184bf3ec29cbe10a6d6370a213d7a40aa6d849129b0d8ec50fda4
SHA512 ccf7cfbf4584401bab8c8e7d221308ca438779849a2eea074758be7d7afe9b73880e80f8f0b15e4dc2e8ae1142d389fee386dc58b603853760b0e7713a3d0b9d

memory/4136-70-0x00007FF9E74E0000-0x00007FF9E74F9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\_lzma.pyd

MD5 213a986429a24c61eca7efed8611b28a
SHA1 348f47528a4e8d0a54eb60110db78a6b1543795e
SHA256 457114386ce08d81cb7ac988b1ff60d2fdffc40b3de6d023034b203582d32f5d
SHA512 1e43c2cacc819a2e578437d1329fa1f772fe614167d3ec9b5612b44f216175500e56e3d60a7107b66a5b3121e9e2e49344ebe9ff1b752cae574bb8b60eec42ed

memory/4136-73-0x00007FF9E72C0000-0x00007FF9E72ED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\_sqlite3.pyd

MD5 b2b86c10944a124a00a6bcfaf6ddb689
SHA1 4971148b2a8d07b74aa616e2dd618aaf2be9e0db
SHA256 874783af90902a7a8f5b90b018b749de7ddb8ec8412c46f7abe2edfe9c7abe84
SHA512 0a44b508d2a9700db84bd395ff55a6fc3d593d2069f04a56b135ba41fc23ea7726ae131056123d06526c14284bce2dbadd4abf992b3eb27bf9af1e083763556f

memory/4136-76-0x00007FF9E71E0000-0x00007FF9E71FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\sqlite3.dll

MD5 4357c9ab90f329f6cbc8fe6bc44a8a97
SHA1 2ec6992da815dcdb9a009d41d7f2879ea8f8b3f3
SHA256 eb1b1679d90d6114303f490de14931957cdfddf7d4311b3e5bacac4e4dc590ba
SHA512 a245971a4e3f73a6298c949052457fbaece970678362e2e5bf8bd6e2446d18d157ad3f1d934dae4e375ab595c84206381388fb6de6b17b9df9f315042234343a

memory/4136-78-0x00007FF9D6190000-0x00007FF9D6301000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\_ssl.pyd

MD5 1af0fbf618468685c9a9541be14b3d24
SHA1 27e8c76192555a912e402635765df2556c1c2b88
SHA256 a46968ca76d6b17f63672a760f33664c3ea27d9356295122069e23d1c90f296a
SHA512 7382a0d3ec2ce560efd2ddd43db8423637af341ce6889d335165b7876b15d08f4de0f228f959dcb90b47814f9f4e0edd02d38a78ddad152ed7bc86791d46bc36

C:\Users\Admin\AppData\Local\Temp\_MEI48322\libcrypto-1_1.dll

MD5 9c2ffedb0ae90b3985e5cdbedd3363e9
SHA1 a475fbe289a716e1fbe2eab97f76dbba1da322a9
SHA256 7c9418ad6fb6d15acb7d340b7a6533f76337ad302a18e2b4e08d4ee37689913a
SHA512 70d2635d42e24c7426cf5306ed010808f2222049915adb43ffc12c13259c8e7a9fee3a49e096d5ba2b6b733fef18574823d00df2e8d7fb1532e1d65d0c478008

memory/4136-83-0x00007FF9E7170000-0x00007FF9E719E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\libssl-1_1.dll

MD5 87bb1a8526b475445b2d7fd298c57587
SHA1 aaad18ea92b132ca74942fd5a9f4c901d02d9b09
SHA256 c35a97d8f24ea84d1e39a8621b6b3027c9ac24885bdd37386c9fcaad1858419d
SHA512 956bd8e9f35c917cbfb570fc633bb2df0d1c2686731fa7179f5e7cd8789e665dd6ff8443e712eafa4e3f8d8661f933cb5675aeb1a2efc195c3bb32211e6d2506

memory/4136-85-0x00007FF9E6CE0000-0x00007FF9E6D98000-memory.dmp

memory/4136-88-0x00007FF9D6310000-0x00007FF9D677E000-memory.dmp

memory/4136-89-0x00007FF9D5E10000-0x00007FF9D6185000-memory.dmp

memory/4136-90-0x000001D76C520000-0x000001D76C895000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\_asyncio.pyd

MD5 6de61484aaeedf539f73e361eb186e21
SHA1 07a6ae85f68ca9b7ca147bf587b4af547c28e986
SHA256 2c308a887aa14b64f7853730cb53145856bacf40a1b421c0b06ec41e9a8052ff
SHA512 f9c4a6e8d4c5cb3a1947af234b6e3f08c325a97b14adc371f82430ec787cad17052d6f879575fc574abb92fd122a3a6a14004dce80b36e6e066c6bc43607463d

memory/4136-94-0x00007FF9E6AD0000-0x00007FF9E6AE5000-memory.dmp

memory/4136-93-0x00007FF9E7730000-0x00007FF9E7754000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\_overlapped.pyd

MD5 b05bce7e8a1ef69679da7d1b4894208f
SHA1 7b2dd612cf76da09d5bd1a9dcd6ba20051d11595
SHA256 9c8edf15e9f0edbc96e3310572a231cdd1c57c693fbfc69278fbbc7c2fc47197
SHA512 27cef9b35a4560c98b4d72e5144a68d068263506ac97f5f813b0f6c7552f4c206c6f9a239bc1d9161aff79742cd4516c86f5997c27b1bd084e03854d6410b8e2

memory/4136-97-0x00007FF9E7500000-0x00007FF9E7519000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\multidict\_multidict.cp310-win_amd64.pyd

MD5 d282e94282a608185de94e591889e067
SHA1 7d510c2c89c9bd5546cee8475e801df555e620bc
SHA256 84726536b40ff136c6d739d290d7660cd9514e787ab8cefbcbb7c3a8712b69aa
SHA512 e413f7d88dd896d387af5c3cfe3943ba794925c70ffb5f523a200c890bf9ceb6e4da74abe0b1b07d5e7818628cd9bc1f45ebc4e9d1e4316dd4ae27ea5f5450d3

memory/4136-98-0x00007FF9E7720000-0x00007FF9E7730000-memory.dmp

memory/4136-101-0x00007FF9E6AB0000-0x00007FF9E6AC4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\_hashlib.pyd

MD5 0d8ffe48eb5657e5ac6725c7be1d9aa3
SHA1 a39a3dc76f3c7a4b8645bb6c1dc34e50d7e9a287
SHA256 5ad4b3a6287b9d139063383e2bfdc46f51f6f3aaca015b59f9ed58f707fa2a44
SHA512 c26c277196395291a4a42e710af3560e168535e59b708b04343b4a0a926277a93e16fe24673903469b7c96545d6fbf036f149ef21231a759a13147d533d4fc3b

memory/4136-104-0x00007FF9E6A90000-0x00007FF9E6AA4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\unicodedata.pyd

MD5 d296d76daf56777da51fec9506d07c6a
SHA1 c012b7d74e68b126a5c20ac4f8408cebacbbf98d
SHA256 05201ceb3dba9395f6ac15a069d94720b9c2b5c6199447105e9bc29d7994c838
SHA512 15eed0ab1989e01b57e10f886a69a0cca2fff0a37cc886f4e3bc5c08684536cb61ff2551d75c62137c97aa455d6f2b99aab7ae339ea98870bb4116f63508deb1

memory/4136-107-0x00007FF9D5CF0000-0x00007FF9D5E08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\yarl\_quoting_c.cp310-win_amd64.pyd

MD5 50dee02b7fe56be5b7ae5bd09faa41ef
SHA1 69123e3aabd7070a551e44336f9ed83d96d333f8
SHA256 91067e48b7dff282a92995afaffff637f8a3b1164d05a25aea0393d5366c6b52
SHA512 7a67c23513a695b2fc527df264564ee08d29d98f0d99ff0700d1c54fbca0c519fa224fc2b5ff696cf016da9001e41842d35afb4fb4c06acf9e9aff08ca2d7dd6

memory/4136-110-0x00007FF9E71E0000-0x00007FF9E71FF000-memory.dmp

memory/4136-111-0x00007FF9E6A60000-0x00007FF9E6A82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\aiohttp\_helpers.cp310-win_amd64.pyd

MD5 24b04e53107114e2dc13f44774e31832
SHA1 01d1d62f47f0d18795c2ccf7ea660a9d20a760e2
SHA256 aaebb74eee86318e3e40b13ae29b0cd2fb53a7b5963dc8ad47a5acf6b3ea9bf4
SHA512 7fec582436b54148459dac4565b801a227831b04bb3f2da1fad6cfa340882009df82327c7992fa40e72635fc472bbc4d936c9c91935edeb0ca1dc13b3c3de2c8

memory/4136-116-0x00007FF9E69A0000-0x00007FF9E69B7000-memory.dmp

memory/4136-114-0x00007FF9D6190000-0x00007FF9D6301000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\aiohttp\_http_writer.cp310-win_amd64.pyd

MD5 50dea505ca281aa212ed274c4a6c8dee
SHA1 9c00ebb80f75016122f0e17d16b4e328930c97f2
SHA256 cf37a3202197a4a51ad604ad054ca056daa23e86d8b4d731aeba76128bd463f2
SHA512 0ff2345a05c8333eda7f68017ca0fb9979ebf2d73575bb9fe17979e86ce226d43bc8942ff5f217cd48afebec782963483c7c00e8de9ad70c377f026a1606afc1

memory/4136-120-0x00007FF9E6980000-0x00007FF9E6999000-memory.dmp

memory/4136-119-0x00007FF9E7170000-0x00007FF9E719E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\aiohttp\_http_parser.cp310-win_amd64.pyd

MD5 fa4f8f1f441d4484676434f3259d2636
SHA1 3cc48b6fd3a9e095ad260db1e0b63089d2790974
SHA256 30107fa8ac62ae46dd41b60f7aff883cfff7e61c225986bf942a332738b915fa
SHA512 aefd22279ebc75d1b9c8af9176e69a935ba6257680fa4ad0c4662a83470b1e201a42e20776cc0bcb9e6981b7861d6805b1d2154237b42b759fcd0df3707c8e34

memory/4136-122-0x00007FF9E6CE0000-0x00007FF9E6D98000-memory.dmp

memory/4136-124-0x00007FF9DD470000-0x00007FF9DD4BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\aiohttp\_websocket.cp310-win_amd64.pyd

MD5 d568b417c5f56eda3d369c1ec727cbed
SHA1 eea5b25c417c87913ce0cd7a2d78e80ea658115c
SHA256 6dfa4510da740660fc4f70a79a83b817e55cdb31dd8a393fe78db223ea7b20f3
SHA512 d1749d01a2d64dc1a3182af9b840f4ddadb8f587c403f8a99963fa5a23621f695dc19f6531e1c182219e28d89e4e2f8f55e7b4b9f1f90d673c45302871cbd4df

C:\Users\Admin\AppData\Local\Temp\_MEI48322\frozenlist\_frozenlist.cp310-win_amd64.pyd

MD5 703c3909c2a463ae1a766e10c45c9e5a
SHA1 37a1db87e074e9cd9191b1b8d8cc60894adeaf73
SHA256 e7f39b40ba621edfd0dceda41ccdead7c8e96dd1fa34035186db41d26ddee803
SHA512 1c46832b1b7645e3720da6cca170516a38b9fe6a10657e3f5a905166b770c611416c563683ce540b33bc36d37c4a594231e0757458091e3ae9968da2ff029515

C:\Users\Admin\AppData\Local\Temp\_MEI48322\_uuid.pyd

MD5 00276ab62a35d7c6022ae787168fe275
SHA1 e34d9a060b8f2f8673f878e64d7369ab99869876
SHA256 3500db7ef67cddd8b969f87b4a76a577b5b326597da968e262c23d2a8c7b426a
SHA512 ea4a46b0f7295b61a268d8df0e2f722b86b596946c421d5d89fe734389a819c9ae8e94b99e554feb4e40497261fa9c3ae7d13fdba1f4ad4f22c650076150682a

memory/4136-131-0x00007FF9D5E10000-0x00007FF9D6185000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\cryptography\hazmat\bindings\_rust.pyd

MD5 b9f1c1de19b85486e36f7dfcfb5da708
SHA1 939d97a69b46ec9b8cc34da2623b141a608b4c35
SHA256 a502a97210240cd31bab64285a22050e409553de03b7cff981dd17c409d8829b
SHA512 d7cb707837c113579d6130ae3bfb7dc066521efb6ae843d31b27306ae81ea435c5a20408bdb917025b56073dfdf5955198570585f8ab226f36ffe77edf6090d6

memory/4136-136-0x00007FF9E6AD0000-0x00007FF9E6AE5000-memory.dmp

memory/4136-135-0x00007FF9DEED0000-0x00007FF9DEEEE000-memory.dmp

memory/4136-134-0x00007FF9E72B0000-0x00007FF9E72BA000-memory.dmp

memory/4136-133-0x00007FF9E61D0000-0x00007FF9E61E1000-memory.dmp

memory/4136-132-0x000001D76C520000-0x000001D76C895000-memory.dmp

memory/4136-138-0x00007FF9D55F0000-0x00007FF9D5CE5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI48322\_cffi_backend.cp310-win_amd64.pyd

MD5 0d43a42cb44ecb9785ccc090a3de3d8f
SHA1 2f77cfa195cfe024d42e2ed287e2194685ec5d7d
SHA256 fdaa50a83947ec292e1773043f077cddfefbb52e53d5575b175eab5987de3242
SHA512 5968654a976699b4653d44912b34fc67a59d821d9e45f271d7d94b18b1a255c265f9e85460b570be04983b15268547a451e5385064616ab750b825b156c4643e

memory/4136-141-0x00007FF9E6E20000-0x00007FF9E6E58000-memory.dmp

memory/4136-157-0x00007FF9E6AD0000-0x00007FF9E6AE5000-memory.dmp

memory/4136-145-0x00007FF9D6310000-0x00007FF9D677E000-memory.dmp

memory/4136-162-0x00007FF9E6A60000-0x00007FF9E6A82000-memory.dmp

memory/4136-170-0x00007FF9E6E20000-0x00007FF9E6E58000-memory.dmp

memory/4136-169-0x00007FF9D55F0000-0x00007FF9D5CE5000-memory.dmp

memory/4136-163-0x00007FF9E69A0000-0x00007FF9E69B7000-memory.dmp

memory/4136-161-0x00007FF9D5CF0000-0x00007FF9D5E08000-memory.dmp

memory/4136-158-0x00007FF9E7720000-0x00007FF9E7730000-memory.dmp

memory/4136-146-0x00007FF9E7730000-0x00007FF9E7754000-memory.dmp

memory/4136-165-0x00007FF9DD470000-0x00007FF9DD4BC000-memory.dmp

memory/4136-176-0x00007FF9D6310000-0x00007FF9D677E000-memory.dmp

memory/4136-201-0x00007FF9E6E20000-0x00007FF9E6E58000-memory.dmp

memory/4136-199-0x00007FF9DEED0000-0x00007FF9DEEEE000-memory.dmp

memory/4136-198-0x00007FF9E72B0000-0x00007FF9E72BA000-memory.dmp

memory/4136-197-0x00007FF9E61D0000-0x00007FF9E61E1000-memory.dmp

memory/4136-202-0x00007FF9D55F0000-0x00007FF9D5CE5000-memory.dmp

memory/4136-196-0x00007FF9DD470000-0x00007FF9DD4BC000-memory.dmp

memory/4136-195-0x00007FF9E6980000-0x00007FF9E6999000-memory.dmp

memory/4136-194-0x00007FF9E69A0000-0x00007FF9E69B7000-memory.dmp

memory/4136-192-0x00007FF9D5CF0000-0x00007FF9D5E08000-memory.dmp

memory/4136-191-0x00007FF9E6A90000-0x00007FF9E6AA4000-memory.dmp

memory/4136-187-0x00007FF9D5E10000-0x00007FF9D6185000-memory.dmp

memory/4136-186-0x00007FF9E6CE0000-0x00007FF9E6D98000-memory.dmp

memory/4136-185-0x00007FF9E7170000-0x00007FF9E719E000-memory.dmp

memory/4136-184-0x00007FF9D6190000-0x00007FF9D6301000-memory.dmp

memory/4136-183-0x00007FF9E71E0000-0x00007FF9E71FF000-memory.dmp

memory/4136-182-0x00007FF9E72C0000-0x00007FF9E72ED000-memory.dmp

memory/4136-181-0x00007FF9E74E0000-0x00007FF9E74F9000-memory.dmp

memory/4136-180-0x00007FF9E7970000-0x00007FF9E797D000-memory.dmp

memory/4136-179-0x00007FF9E7500000-0x00007FF9E7519000-memory.dmp

memory/4136-178-0x00007FF9E7A70000-0x00007FF9E7A7F000-memory.dmp

memory/4136-177-0x00007FF9E7730000-0x00007FF9E7754000-memory.dmp

memory/4136-193-0x00007FF9E6A60000-0x00007FF9E6A82000-memory.dmp

memory/4136-190-0x00007FF9E6AB0000-0x00007FF9E6AC4000-memory.dmp

memory/4136-189-0x00007FF9E7720000-0x00007FF9E7730000-memory.dmp

memory/4136-188-0x00007FF9E6AD0000-0x00007FF9E6AE5000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 14:20

Reported

2024-06-06 14:22

Platform

win7-20240508-en

Max time kernel

47s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe

"C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe"

C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe

"C:\Users\Admin\AppData\Local\Temp\Loader (fixed).exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI3482\python310.dll

MD5 196deb9a74e6e9e242f04008ea80f7d3
SHA1 a54373ebad306f3e6f585bcdf1544fbdcf9c0386
SHA256 20b004bfe69166c4961fee93163e795746df39fb31dc67399c0fde57f551eb75
SHA512 8c226d3ef21f3ddeee14a098c60ef030fa78590e9505d015ce63ea5e5bbcea2e105ff818e94653df1bddc9ba6ed3b376a1dff5c19266b623fa22cd75ac263b68

memory/2500-48-0x000007FEF6300000-0x000007FEF676E000-memory.dmp