Malware Analysis Report

2024-11-13 15:29

Sample ID 240606-tln3csgc9y
Target winAPI.exe
SHA256 d9cd6884ad7518018efaa52cde9c0ed46fba959e9ea093c97e68004dbf2cad66
Tags
pyinstaller upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d9cd6884ad7518018efaa52cde9c0ed46fba959e9ea093c97e68004dbf2cad66

Threat Level: Shows suspicious behavior

The file winAPI.exe was found to show suspicious behavior.

Malicious Activity Summary

pyinstaller upx

Executes dropped EXE

Loads dropped DLL

UPX packed file

Unsigned PE

Detects Pyinstaller

Enumerates processes with tasklist

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 16:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 16:08

Reported

2024-06-06 16:09

Platform

win10v2004-20240508-en

Max time kernel

10s

Max time network

14s

Command Line

"C:\Users\Admin\AppData\Local\Temp\winAPI.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hmtwld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hmtwld.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\winAPI.exe

"C:\Users\Admin\AppData\Local\Temp\winAPI.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "start C:\Users\Admin\AppData\Local\Temp\hmtwld.exe"

C:\Users\Admin\AppData\Local\Temp\hmtwld.exe

C:\Users\Admin\AppData\Local\Temp\hmtwld.exe

C:\Users\Admin\AppData\Local\Temp\hmtwld.exe

C:\Users\Admin\AppData\Local\Temp\hmtwld.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 rentry.co udp
US 104.26.2.16:443 rentry.co tcp
US 8.8.8.8:53 download.ro-sense.store udp
US 104.21.20.19:443 download.ro-sense.store tcp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 16.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 19.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 104.21.20.19:443 download.ro-sense.store tcp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.224:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 224.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\hmtwld.exe

MD5 14efd584d86ddbe8ee40e57032ebd17f
SHA1 65990e752ae180a45a8f00a96f7327bbb486f776
SHA256 6525af6f43275bc3247468af68ce9850031823f657ada0be49249e5ce3c04062
SHA512 cc3fee67b9d716acb19109acda53456a20295a4efaaf6030dcc3d1c8fb9762b71bcb6600a8d95c7ee36384c4a6f188f88044889e4f9c937ab007a27ff95ead42

C:\Users\Admin\AppData\Local\Temp\_MEI39882\python310.dll

MD5 90d5b8ba675bbb23f01048712813c746
SHA1 f2906160f9fc2fa719fea7d37e145156742ea8a7
SHA256 3a7d497d779ff13082835834a1512b0c11185dd499ab86be830858e7f8aaeb3e
SHA512 872c2bf56c3fe180d9b4fb835a92e1dc188822e9d9183aab34b305408bb82fba1ead04711e8ad2bef1534e86cd49f2445d728851206d7899c1a7a83e5a62058e

C:\Users\Admin\AppData\Local\Temp\_MEI39882\VCRUNTIME140.dll

MD5 11d9ac94e8cb17bd23dea89f8e757f18
SHA1 d4fb80a512486821ad320c4fd67abcae63005158
SHA256 e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e
SHA512 aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

memory/4600-51-0x00007FFB42EF0000-0x00007FFB43355000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39882\base_library.zip

MD5 7b2903144d2ab90e0e8c34c0c5fc8b30
SHA1 4f435ff09b472607c96c9fbc38ca1cac8cb4725c
SHA256 76f8cfff0ca0997ba4fead6d7883316f32688cb9872a86df23148cd94c1511b2
SHA512 257ed12db69532081c3b6050779b021e46dcc26377d69310a2352eecb285ed74cb9ca63f3dbfb9e9c2289c6add588a1512b7f0ae547952b6d4b578953dc36701

C:\Users\Admin\AppData\Local\Temp\_MEI39882\python3.DLL

MD5 a5471f05fd616b0f8e582211ea470a15
SHA1 cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e
SHA256 8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790
SHA512 e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

C:\Users\Admin\AppData\Local\Temp\_MEI39882\_ctypes.pyd

MD5 b1f12f4bfc0bd49a6646a0786bc5bc00
SHA1 acb7d8c665bb8ca93e5f21e178870e3d141d7cbc
SHA256 1fe61645ed626fc1dec56b2e90e8e551066a7ff86edbd67b41cb92211358f3d7
SHA512 a3fb041bd122638873c395b95f1a541007123f271572a8a988c9d01d2b2d7bb20d70e1d97fc3abffd28cb704990b41d8984974c344faea98dd0c6b07472b5731

memory/4600-59-0x00007FFB52B80000-0x00007FFB52BA4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39882\libffi-7.dll

MD5 d50ebf567149ead9d88933561cb87d09
SHA1 171df40e4187ebbfdf9aa1d76a33f769fb8a35ed
SHA256 6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af
SHA512 7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

C:\Users\Admin\AppData\Local\Temp\_MEI39882\libcrypto-1_1.dll

MD5 700f32459dca0f54c982cd1c1ddd6b8b
SHA1 2538711c091ac3f572cb0f13539a68df0f228f28
SHA256 1de22bd1a0154d49f48b3fab94fb1fb1abd8bfed37d18e79a86ecd7cdab893c9
SHA512 99de1f5cb78c83fc6af0a475fb556f1ac58a1ba734efc69d507bf5dc1b0535a401d901324be845d7a59db021f8967cf33a7b105b2ddcb2e02a39dc0311e7c36d

C:\Users\Admin\AppData\Local\Temp\_MEI39882\_uuid.pyd

MD5 b3e7fc44f12d2db5bad6922e0b1d927f
SHA1 3fe8ef4b6fb0bc590a1c0c0f5710453e8e340f8f
SHA256 6b93290a74fb288489405044a7dee7cca7c25fa854be9112427930dd739ebace
SHA512 a0465a38aaac2d501e9a12a67d5d71c9eeeb425f535c473fc27ac13c2bb307641cc3cef540472f916e341d7bada80a84b99d78850d94c95ee14139f8540d0c42

memory/4600-80-0x00007FFB58BE0000-0x00007FFB58BEF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39882\_socket.pyd

MD5 f675cf3cdd836cacfab9c89ab9f97108
SHA1 3e077bf518f7a4cb30ea4607338cff025d4d476e
SHA256 bb82a23d8dc6bf4c9aeb91d3f3bef069276ae3b14eeca100b988b85dd21e2dd3
SHA512 e2344b5f59bd0fad3570977edf0505aa2e05618e66d07c9f93b163fc151c4e1d6fbc0e25b7c989505c1270f8cd4840c6120a73a7ad64591ee3c4fb282375465e

C:\Users\Admin\AppData\Local\Temp\_MEI39882\select.pyd

MD5 740424368fb6339d67941015e7ac4096
SHA1 64f3fab24f469a027ddfcf0329eca121f4164e45
SHA256 a389eae40188282c91e0cdf38c79819f475375860225b6963deb11623485b76d
SHA512 6d17dc3f294f245b4ca2eca8e62f4c070c7b8a5325349bc25ebaeea291a5a5ebd268bd1321c08755141aa58de0f985adc67335b4f83bc1aeec4b398d0f538e0e

C:\Users\Admin\AppData\Local\Temp\_MEI39882\_bz2.pyd

MD5 39b487c3e69816bd473e93653dbd9b7f
SHA1 bdce6fde092a3f421193ddb65df893c40542a4e2
SHA256 a1629c455be2cf55e36021704716f4b16a96330fe993aae9e818f67c4026fcdc
SHA512 7543c1555e8897d15c952b89427e7d06c32e250223e85fafae570f8a0fa13c39fb6fc322d043324a31b2f2f08d2f36e0da59dfd741d09c035d0429173b6badc9

C:\Users\Admin\AppData\Local\Temp\_MEI39882\_sqlite3.pyd

MD5 1dbec8753e5cd062cd71a8bb294f28f9
SHA1 c32e9b577f588408a732047863e04a1db6ca231e
SHA256 6d95d41a36b5c9e3a895eff91149978aa383b6a8617d542accef2080737c3cad
SHA512 a1c95dbb1a9e2ffbcc9422f53780b35fbc77cb56ac3562afb8753161a233e5efa8da8ad67f5bde5a094beb8331d9dab5c3d5e673a8d09fd6d0383a8a6ffda087

C:\Users\Admin\AppData\Local\Temp\_MEI39882\sqlite3.dll

MD5 7055e9008e847cb6015b1bb89f26c7ac
SHA1 c7c844cb46f8287a88bec3bd5d02647f5a07ae80
SHA256 2884d8e9007461ab6e8bbdd37c6bc4f6de472bbd52ec5b53e0a635075d86b871
SHA512 651b7b8c2518e4826d84c89be5052fd944f58f558c51cc905da181049850186d0a87fd2e05734fbe6a69618a6e48261a9fdd043ab17eb01620c6510e96d57008

memory/4600-91-0x00007FFB52720000-0x00007FFB5273E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39882\_ssl.pyd

MD5 2edf5c4e534a45966a68033e7395f40d
SHA1 478ef27474eec0fd966d1663d2397e8fb47fec17
SHA256 7abc2b326f5b7c3011827eb7a5a4d896cc6b2619246826519b3f57d2bb99d3bd
SHA512 f83b698cfe702a15eb0267f254c593b90fa155ad2aefe75e5ba0ee5d4f38976882796cba2a027b42a910f244360177ac809891d505b3d0ae9276156b64850b6b

memory/4600-98-0x00007FFB43CA0000-0x00007FFB43D56000-memory.dmp

memory/4600-100-0x0000017BB29B0000-0x0000017BB2D24000-memory.dmp

memory/4600-99-0x00007FFB42860000-0x00007FFB42BD4000-memory.dmp

memory/4600-97-0x00007FFB49D20000-0x00007FFB49D4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39882\libssl-1_1.dll

MD5 45498cefc9ead03a63c2822581cd11c6
SHA1 f96b6373237317e606b3715705a71db47e2cafad
SHA256 a84174a00dc98c98240ad5ee16c35e6ef932cebd5b8048ff418d3dd80f20deca
SHA512 4d3d8d33e7f3c2bf1cad3afbfba6ba53852d1314713ad60eeae1d51cc299a52b73da2c629273f9e0b7983ca01544c3645451cfa247911af4f81ca88a82cf6a80

memory/4600-92-0x00007FFB42BE0000-0x00007FFB42D4D000-memory.dmp

memory/4600-90-0x00007FFB4DD10000-0x00007FFB4DD3C000-memory.dmp

memory/4600-89-0x00007FFB52740000-0x00007FFB52759000-memory.dmp

memory/4600-88-0x00007FFB532D0000-0x00007FFB532DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39882\_lzma.pyd

MD5 95badb08cd77e563c9753fadc39a34dd
SHA1 b3c3dfe64e89b5e7afb5f064bbf9d8d458f626a0
SHA256 5545627b465d780b6107680922ef44144a22939dd406deae44858b79747e301a
SHA512 eb36934b73f36ba2162e75f0866435f57088777dc40379f766366c26d40f185de5be3da55d17f5b82cb498025d8d90bc16152900502eb7f5de88bbef84ace2cf

memory/4600-82-0x00007FFB52A60000-0x00007FFB52A79000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39882\_queue.pyd

MD5 18b8b2b0aefcee9527299c464b7f6d3d
SHA1 a565216faee2534bbda5b3f65aeb2eef5fd9bcda
SHA256 6f334fa1474116dd499a125f3b5ca4cd698039446faf50340f9a3f7af3adb8c2
SHA512 0b56e9d89f4dd3da830954b6561c49c06775854e0b27bc2b07ea8e9c79829d66dae186b95209c8c4cc7c3a7ba6b03cdf134b2e0036cea929e61d755d4709abcb

C:\Users\Admin\AppData\Local\Temp\_MEI39882\_overlapped.pyd

MD5 745706ab482fe9c9f92383292f121072
SHA1 439f00978795d0845aceaf007fd76ff5947567fd
SHA256 4d98e7d1b74bd209f8c66e1a276f60b470f6a5d6f519f76a91eb75be157a903d
SHA512 52fe3dfc45c380dfb1d9b6e453bdffcd92d57ad7b7312d0b9a86a76d437c512a17da33822f8e81760710d8ff4fd6a4b702d2abfffc600c9350d4d463451d38d6

C:\Users\Admin\AppData\Local\Temp\_MEI39882\_multiprocessing.pyd

MD5 28f6fcc0b7bb10a45ff1370c9e1b9561
SHA1 c7669f406b5ec2306a402e872dec17380219907a
SHA256 6dd33d49554ee61490725ea2c9129c15544791ab7a65fb523cc9b4f88d38744b
SHA512 2aef40344e80c3518afc07bf6ad4c96c4fff44434f8307e2efa544290d59504d7b014d7ea94af0377e342a632d6c4c74bfdf16d26f92ccc7062be618ea4dbee7

C:\Users\Admin\AppData\Local\Temp\_MEI39882\_hashlib.pyd

MD5 31dfa2caaee02cc38adf4897b192d6d1
SHA1 9be57a9bad1cb420675f5b9e04c48b76d18f4a19
SHA256 dc045ac7d4bde60b0f122d307fcd2bbaf5e1261a280c4fb67cfc43de5c0c2a0f
SHA512 3e58c083e1e3201a9fbbf6a4fcbc2b0273cf22badabab8701b10b3f8fdd20b11758cdcfead557420393948434e340aad751a4c7aa740097ab29d1773ea3a0100

C:\Users\Admin\AppData\Local\Temp\_MEI39882\_decimal.pyd

MD5 b7f498da5aec35140a6d928a8f792911
SHA1 95ab794a2d4cb8074a23d84b10cd62f7d12a4cd0
SHA256 b15f0dc3ce6955336162c9428077dcedfa1c52e60296251521819f3239c26ee8
SHA512 5fcb2d5325a6a4b7aff047091957ba7f13de548c5330f0149682d44140ac0af06837465871c598db71830fd3b2958220f80ae8744ef16fdb7336b3d6a5039e18

C:\Users\Admin\AppData\Local\Temp\_MEI39882\_cffi_backend.cp310-win_amd64.pyd

MD5 641e49ce0c4fa963d347fbf915aabdbe
SHA1 1351f6c4ac5dcda7e3ffbf3d5e355b4bb864eb10
SHA256 1c795df278c7f64be8e6973f8dbf1a625997cb39ae2dcb5bee0ca4c1b90c8906
SHA512 766b9adb5143e89d663177c2fb0e951afb84c0a43ec690ae2c477ee0bbe036df6f4161a6012430d42e4913fd5fbe7e49af6d13ac7c62d042a484861fc5a04616

C:\Users\Admin\AppData\Local\Temp\_MEI39882\_asyncio.pyd

MD5 480d3f4496e16d54bb5313d206164134
SHA1 3db3a9f21be88e0b759855bf4f937d0bbfdf1734
SHA256 568fb5c3d9b170ce1081ad12818b9a12f44ab1577449425a3ef30c2efbee613d
SHA512 8e887e8de9c31dbb6d0a85b4d6d4157e917707e63ce5f119bb4b03cb28d41af90d087e3843f3a4c2509bca70cdac3941e00b8a5144ade8532a97166a5d0a7bd9

C:\Users\Admin\AppData\Local\Temp\_MEI39882\unicodedata.pyd

MD5 0c26e9925bea49d7cf03cfc371283a9b
SHA1 89290d3e43e18165cb07a7a4f99855b9e8466b21
SHA256 13c2ea04a1d40588536f1d7027c8d0ea228a9fb328ca720d6c53b96a8e1ae724
SHA512 6a3cd4b48f7c0087f4a1bdc1241df71d56bd90226759481f17f56baa1b991d1af0ba5798a2b7ba57d9ffa9ec03a12bfac81df2fba88765bd369435ff21a941e1

C:\Users\Admin\AppData\Local\Temp\_MEI39882\pyexpat.pyd

MD5 b4cf065f5e5b7a5bc2dd2b2e09bea305
SHA1 d289a500ffd399053767ee7339e48c161655b532
SHA256 9b5f407a2a1feaa76c6d3058a2f04c023b1c50b31d417bbfee69024098e4938b
SHA512 ddd9e216b11152d6a50481e06bb409335d36ce7fe63072aa0c7789c541593f2d7e8b4373be67a018c59f5e418e5a39a3ad729b732f11fa253f6275a64e125989

C:\Users\Admin\AppData\Local\Temp\_MEI39882\multidict\_multidict.cp310-win_amd64.pyd

MD5 58a0ff76a0d7d3cd86ceb599d247c612
SHA1 af52bdb9556ef4b9d38cf0f0b9283494daa556a6
SHA256 2079d8be068f67fb2ece4fb3f5927c91c1c25edecb9d1c480829eb1cd21d7cc5
SHA512 e2d4f80cdeba2f5749a4d3de542e09866055d8aee1d308b96cb61bc53f4495c781e9b2559cc6a5f160be96b307539a8b6e06cabeffcc0ddb9ad4107dcacd8a76

memory/4600-105-0x00007FFB52A50000-0x00007FFB52A60000-memory.dmp

memory/4600-104-0x00007FFB507D0000-0x00007FFB507E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39882\yarl\_quoting_c.cp310-win_amd64.pyd

MD5 c14493cd3cc9b9b5f850b5fadcbe936e
SHA1 eddb260ff89bfa132a479fdf783c67098011fb85
SHA256 1782f3c12b3eb01716fcd59b0cd69c02c2fb888db4377f4d5fe00f07986be8e3
SHA512 0a7b85322b8fa566fb3d24b8e4021fb64433be06c3c4dbeb06d9633e4af0a5b76252fb2228de0abd818be5f4a18fffc712c727816632dd8c8585c9a9a7bf0fb6

C:\Users\Admin\AppData\Local\Temp\_MEI39882\cryptography\hazmat\bindings\_rust.pyd

MD5 2fcce5a4be27c1f03c07f28442c519c2
SHA1 720309702539887f00b604ef9482e6f4e90267fe
SHA256 eed558d5a0fe7cea03d6b52950594ec8a7c2e451daca1018118a7c640af4990a
SHA512 71629b36b48bb353b7cd97c23cef116a006a61582cb7064e38cfd6e0769a8f8edbb51e7e141e365c0be2dbb0985cb3ef3cc0f0d3fd4eeb32322f8c406352b4e2

memory/4600-117-0x00007FFB52A10000-0x00007FFB52A1A000-memory.dmp

memory/4600-116-0x00007FFB447E0000-0x00007FFB44802000-memory.dmp

memory/4600-115-0x00007FFB42740000-0x00007FFB42858000-memory.dmp

memory/4600-124-0x00007FFB43C60000-0x00007FFB43C98000-memory.dmp