Malware Analysis Report

2024-11-13 15:23

Sample ID 240607-hfqs8acf53
Target c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0
SHA256 c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0
Tags
persistence upx pyinstaller
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0

Threat Level: Likely malicious

The file c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0 was found to be: Likely malicious.

Malicious Activity Summary

persistence upx pyinstaller

UPX dump on OEP (original entry point)

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

UPX packed file

Adds Run key to start application

Detects Pyinstaller

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-07 06:43

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 06:41

Reported

2024-06-07 07:00

Platform

win7-20240419-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Graphic Driver Extension Loader Service = "C:\\ProgramData\\Intel\\IntelGFX.exe" C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe

"C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe"

C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe

"C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\_MEI30242\msvcr90.dll

MD5 2318feff52a4cbbbda0cdf3fd447a49b
SHA1 81d866b03931346deade5d66606c4d2608756aba
SHA256 ed7818df2d76f502e6c70c7d495b1e6f358b4ebe8bb8a045c024dd1401420ffe
SHA512 2a0ca5b0f5cc33acb82cd723012ad5257a69b218b0332a1f61ae1746c0aa881794c052fa5904ed72b018800fa9a7ab8b9223b522f0c161428303a049c79bc703

memory/3044-22-0x0000000074380000-0x0000000074431000-memory.dmp

memory/3044-28-0x00000000747F0000-0x0000000074801000-memory.dmp

memory/3044-39-0x0000000074360000-0x0000000074375000-memory.dmp

memory/3044-45-0x0000000074440000-0x00000000746F1000-memory.dmp

memory/3044-59-0x000000001E7A0000-0x000000001E7C7000-memory.dmp

memory/3044-58-0x0000000074360000-0x0000000074375000-memory.dmp

memory/3044-57-0x000000001E980000-0x000000001E9A1000-memory.dmp

memory/3044-56-0x00000000747F0000-0x0000000074801000-memory.dmp

memory/3044-55-0x0000000074810000-0x000000007482E000-memory.dmp

memory/3044-54-0x0000000074380000-0x0000000074431000-memory.dmp

memory/3044-53-0x00000000742D0000-0x0000000074360000-memory.dmp

memory/3044-40-0x00000000742D0000-0x0000000074360000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI30~1\sqlite3.dll

MD5 2a999115993593c76466f8c4f351d43c
SHA1 193841fd5a2bda36ac3e82cada19f6accde30b33
SHA256 1514c1981fe724bf5bf42e3800b7ea86235821973a70ca046de2dcd8ed82d17a
SHA512 4918c584c5da52ccd543e5bf0df23f429611afac3c3ee7081022e93f85a443932e484a3ccabbf7708aed410bd30d1388c81694b33ff59398ec8bcb34c10d4b52

memory/3044-37-0x000000001E7A0000-0x000000001E7C7000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI30~1\_sqlite3.pyd

MD5 0c070d68f24a1d645259319ad6f98ef4
SHA1 e8882fa93829caf674e69b16497f7808c8eedca7
SHA256 91053a6c100d8d5df8552202f3223aea67822b32a4ad7d8697608e6d23f508a4
SHA512 89284b4a55b87c4871123030b542f1ccc83609d693e1ea1799fefe954ffbce8636962f3f87fb6907fbd1058618364306b7776ba3eb9e2bbe91414dad13fd5cb5

memory/3044-33-0x000000001E980000-0x000000001E9A1000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI30~1\pywintypes27.dll

MD5 66731fcba577b47bf97fa0e36a539ff5
SHA1 759dfa167ea71fdbeb6275ef341ae7e52fba2e53
SHA256 d8c4796d11acb3583c3b3359b4b4e0f93d33af9aebd4bdaadb301c37b1df1dae
SHA512 f6a476621236abc66518cab9b2acfe975306fa84769d0149ebbe5420d9b625ce80f57f4ad9c7111604f2e7ce8fc1946828468cd38aadc320f43bae64879e5f12

\Users\Admin\AppData\Local\Temp\_MEI30~1\win32crypt.pyd

MD5 fd32de25a44ec1f391be5bc4c7ab0711
SHA1 d97d91cc246f1f49293e9567a9c35a06c4359d7f
SHA256 172aed8bf628a97b8fe3c1a6effbe63bd4c60e908d208b9498b2e2aa1bf99e1b
SHA512 fa43cc7ac54312b4ac74c5d07d7a79d8c97fd7c1816d9169601af867698d62e16ade36965831fb0e3e405df8136ddf00578738239be0c2a6f390ff6f55b35dd4

memory/3044-27-0x0000000074810000-0x000000007482E000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI30~1\_socket.pyd

MD5 8811517fe8d6a2c32ebfb512ac431177
SHA1 91cc8ac9d82bc7e21965035ba31ee5bef44a6403
SHA256 90afba4a6d54e8a079e51a77e76be48485d1cd20118369745e0b6a9d08444f35
SHA512 5241836f9a8d1d60bbc8cd3f7ffe9125c3f7cb37aaa8090713e18ab1d8423a427c641f9523675ab951aea608e96ed32c6a8fbc14ffe804b57158b477a14b9239

\Users\Admin\AppData\Local\Temp\_MEI30~1\_ctypes.pyd

MD5 892b1c64bd2d6455ccee13bed8f7372c
SHA1 570700b3019d6eb4846bed288fa9cff3663d77f5
SHA256 fc813a3c6294feef54d36fff55d8e8fd23527a67e71b4c275094a1529863ac15
SHA512 0a72db9be613525889abd1556875d79806ebd000682c7b82ce2f7ea8397987ba8d461bafc0770a4fd32ba805a018fc49c3a50804479eeeb1b7475c1f2f696c8a

memory/3044-21-0x0000000074440000-0x00000000746F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI30242\MSVCR90.dll

MD5 75a3740bb79ae94fc74903d26326b5b9
SHA1 9d475f893c10b13230093b495761cbf62998f5e6
SHA256 c665fa5b9dfc85ed3c3098bb121a701cfa541a37b9f01b1879197cb5783db988
SHA512 a9706c21712482998afcd48e4c552263e0d794340a6a10a046491f6109286b14ad585369bad41347227ebdfdbcf893a2eb86d43317f76a1e6186d6e190be2b86

\Users\Admin\AppData\Local\Temp\_MEI30242\python27.dll

MD5 774b5e73fce373318cefbe93048fc03f
SHA1 02ef353926b6e073794c2e63e792abc1ae88a221
SHA256 8a5b103ca8a2846265b14175ff8bb42c6a881e12f52a1879913af879392534bb
SHA512 1b5f79bd1985b5c0a6098ae48bf754ec650551587f01bdb7a2868e5076bc74df51542905d43abbc8af54470cdd69ce7104e711ffda4e45f6f8769dbc7ad97387

C:\Users\Admin\AppData\Local\Temp\_MEI30242\python27.dll

MD5 cb9708e764150e9b31945f9b89963835
SHA1 80f3b88d6b9ec8505cd2f0982376c7bff9ca02c8
SHA256 d393e3dcdaaf6acfc1625c5a8adf4add402987179a221a7474f17228628d3654
SHA512 488bca89ba5d5f9a1a3cf8e2957af21f78df2c2148a4fa4e15132a0d73080eca01371a858968acda3597587c0314d20b586f6f85d455b6ce9045aa328c908939

C:\Users\Admin\AppData\Local\Temp\_MEI30242\IntelGFX.exe.manifest

MD5 6d9baafd6ebcbaf5127448f0b334b7ae
SHA1 dcc0d1c77b913d81e0ebdc97069525c84f5bc59c
SHA256 64431ef89972f5c64a96499a4e972d66ce870008c2471edd696d2fc99e746ac2
SHA512 9989056b9a77e2434a5c48daf99cd24fe15c85d55b7ec87ea141f55417e9e1e7394585778efdb035c822b361a97da364c2c59090817050a84c2e76d4bb92eb3c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 06:41

Reported

2024-06-07 07:10

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Graphic Driver Extension Loader Service = "C:\\ProgramData\\Intel\\IntelGFX.exe" C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe

"C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe"

C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe

"C:\Users\Admin\AppData\Local\Temp\c05ab9496876974558c2aa90991698be730d43dcfe9d2cc332360cd88f1dd3f0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 234.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/2176-19-0x00000000758B0000-0x0000000075B61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI10562\python27.dll

MD5 5bbdf87ce9c35f18ec7e302062a9ed8a
SHA1 bc749574cd233006e19fa1c17e73b37eec97e38c
SHA256 cc5aef66d9c01b6788f2c8a32d1e863fa9dc2856d4932ce7968d4820cdfd6be5
SHA512 f569211564e3c0abc1bcf10386ac46a3fc0f8fb9a3e1fc430cadf64231df07d3a64bb49ae2eaf3befd36642df7c81d502c054fa5126f8513c13c1a2237e87e3b

C:\Users\Admin\AppData\Local\Temp\_MEI10562\_socket.pyd

MD5 8811517fe8d6a2c32ebfb512ac431177
SHA1 91cc8ac9d82bc7e21965035ba31ee5bef44a6403
SHA256 90afba4a6d54e8a079e51a77e76be48485d1cd20118369745e0b6a9d08444f35
SHA512 5241836f9a8d1d60bbc8cd3f7ffe9125c3f7cb37aaa8090713e18ab1d8423a427c641f9523675ab951aea608e96ed32c6a8fbc14ffe804b57158b477a14b9239

memory/2176-29-0x000000001E980000-0x000000001E9A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI10562\sqlite3.dll

MD5 2a999115993593c76466f8c4f351d43c
SHA1 193841fd5a2bda36ac3e82cada19f6accde30b33
SHA256 1514c1981fe724bf5bf42e3800b7ea86235821973a70ca046de2dcd8ed82d17a
SHA512 4918c584c5da52ccd543e5bf0df23f429611afac3c3ee7081022e93f85a443932e484a3ccabbf7708aed410bd30d1388c81694b33ff59398ec8bcb34c10d4b52

memory/2176-48-0x0000000075710000-0x00000000757A0000-memory.dmp

memory/2176-47-0x00000000757A0000-0x00000000757B5000-memory.dmp

memory/2176-46-0x000000001E7A0000-0x000000001E7C7000-memory.dmp

memory/2176-45-0x000000001E980000-0x000000001E9A1000-memory.dmp

memory/2176-44-0x00000000757C0000-0x00000000757D1000-memory.dmp

memory/2176-43-0x00000000757E0000-0x00000000757FE000-memory.dmp

memory/2176-42-0x00000000758B0000-0x0000000075B61000-memory.dmp

memory/2176-37-0x0000000075710000-0x00000000757A0000-memory.dmp

memory/2176-36-0x00000000757A0000-0x00000000757B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI10562\_sqlite3.pyd

MD5 0c070d68f24a1d645259319ad6f98ef4
SHA1 e8882fa93829caf674e69b16497f7808c8eedca7
SHA256 91053a6c100d8d5df8552202f3223aea67822b32a4ad7d8697608e6d23f508a4
SHA512 89284b4a55b87c4871123030b542f1ccc83609d693e1ea1799fefe954ffbce8636962f3f87fb6907fbd1058618364306b7776ba3eb9e2bbe91414dad13fd5cb5

memory/2176-32-0x000000001E7A0000-0x000000001E7C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI10562\pywintypes27.dll

MD5 66731fcba577b47bf97fa0e36a539ff5
SHA1 759dfa167ea71fdbeb6275ef341ae7e52fba2e53
SHA256 d8c4796d11acb3583c3b3359b4b4e0f93d33af9aebd4bdaadb301c37b1df1dae
SHA512 f6a476621236abc66518cab9b2acfe975306fa84769d0149ebbe5420d9b625ce80f57f4ad9c7111604f2e7ce8fc1946828468cd38aadc320f43bae64879e5f12

C:\Users\Admin\AppData\Local\Temp\_MEI10562\win32crypt.pyd

MD5 fd32de25a44ec1f391be5bc4c7ab0711
SHA1 d97d91cc246f1f49293e9567a9c35a06c4359d7f
SHA256 172aed8bf628a97b8fe3c1a6effbe63bd4c60e908d208b9498b2e2aa1bf99e1b
SHA512 fa43cc7ac54312b4ac74c5d07d7a79d8c97fd7c1816d9169601af867698d62e16ade36965831fb0e3e405df8136ddf00578738239be0c2a6f390ff6f55b35dd4

memory/2176-25-0x00000000757C0000-0x00000000757D1000-memory.dmp

memory/2176-24-0x00000000757E0000-0x00000000757FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI10562\_ctypes.pyd

MD5 892b1c64bd2d6455ccee13bed8f7372c
SHA1 570700b3019d6eb4846bed288fa9cff3663d77f5
SHA256 fc813a3c6294feef54d36fff55d8e8fd23527a67e71b4c275094a1529863ac15
SHA512 0a72db9be613525889abd1556875d79806ebd000682c7b82ce2f7ea8397987ba8d461bafc0770a4fd32ba805a018fc49c3a50804479eeeb1b7475c1f2f696c8a

C:\Users\Admin\AppData\Local\Temp\_MEI10562\python27.dll

MD5 83fcb4eb099c82f84d684b2bc2765f8d
SHA1 5a576f5e50d7b2cbcf227bdee94db2dbf0e87e83
SHA256 2f5f4c9264e935f7b7cf9079ee0ed01eaf1c4a5dd71b6c0db7273780d9c2f529
SHA512 f0718e308fa2db25a8898a91f2950c377c2a6132a1f5cae4d4a254bc6f0d364d5166c8a95a2d0331b93fd3fd238aeb196fdfe7a9f8818dfa899659aa73f3bab4

C:\Users\Admin\AppData\Local\Temp\_MEI10562\IntelGFX.exe.manifest

MD5 6d9baafd6ebcbaf5127448f0b334b7ae
SHA1 dcc0d1c77b913d81e0ebdc97069525c84f5bc59c
SHA256 64431ef89972f5c64a96499a4e972d66ce870008c2471edd696d2fc99e746ac2
SHA512 9989056b9a77e2434a5c48daf99cd24fe15c85d55b7ec87ea141f55417e9e1e7394585778efdb035c822b361a97da364c2c59090817050a84c2e76d4bb92eb3c