Analysis Overview
SHA256
b626f2b952633aabce2a7461ba1e296cceb00c595b752f322a070629d53d36b1
Threat Level: Likely malicious
The file Joinify.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Loads dropped DLL
Checks BIOS information in registry
Themida packer
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Detects Pyinstaller
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-09 19:38
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 19:38
Reported
2024-06-09 19:39
Platform
win7-20240221-en
Max time kernel
19s
Max time network
19s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1084 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | C:\Users\Admin\AppData\Local\Temp\Joinify.exe |
| PID 1084 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | C:\Users\Admin\AppData\Local\Temp\Joinify.exe |
| PID 1084 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | C:\Users\Admin\AppData\Local\Temp\Joinify.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Joinify.exe
"C:\Users\Admin\AppData\Local\Temp\Joinify.exe"
C:\Users\Admin\AppData\Local\Temp\Joinify.exe
"C:\Users\Admin\AppData\Local\Temp\Joinify.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI10842\python39.dll
| Hash | Value |
| --- | --- |
| MD5 | 088904a7f5b53107db42e15827e3af98 |
| SHA1 | 1768e7fb1685410e188f663f5b259710f597e543 |
| SHA256 | 3761c232e151e9ceaf6c7d37b68da3df1962e3106e425cc3937d1f60170f3718 |
| SHA512 | c5edc25fd9a37673f769af1a1fd540b41e68351bc30b44bc83a1d0d4a8fb078888bbb31173a77ef47698631c9816bc05637b499c20d63e3d65457d9aa4bc2c6b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 19:38
Reported
2024-06-09 19:39
Platform
win10v2004-20240508-en
Max time kernel
42s
Max time network
36s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | N/A |
Loads dropped DLL
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3816 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | C:\Users\Admin\AppData\Local\Temp\Joinify.exe |
| PID 3816 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | C:\Users\Admin\AppData\Local\Temp\Joinify.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Joinify.exe
"C:\Users\Admin\AppData\Local\Temp\Joinify.exe"
C:\Users\Admin\AppData\Local\Temp\Joinify.exe
"C:\Users\Admin\AppData\Local\Temp\Joinify.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI38162\python39.dll
| Hash | Value |
| --- | --- |
| MD5 | 088904a7f5b53107db42e15827e3af98 |
| SHA1 | 1768e7fb1685410e188f663f5b259710f597e543 |
| SHA256 | 3761c232e151e9ceaf6c7d37b68da3df1962e3106e425cc3937d1f60170f3718 |
| SHA512 | c5edc25fd9a37673f769af1a1fd540b41e68351bc30b44bc83a1d0d4a8fb078888bbb31173a77ef47698631c9816bc05637b499c20d63e3d65457d9aa4bc2c6b |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\VCRUNTIME140.dll
| Hash | Value |
| --- | --- |
| MD5 | 7942be5474a095f673582997ae3054f1 |
| SHA1 | e982f6ebc74d31153ba9738741a7eec03a9fa5e8 |
| SHA256 | 8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c |
| SHA512 | 49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\base_library.zip
| Hash | Value |
| --- | --- |
| MD5 | dcd898e83fdd2973dad8a677145a495c |
| SHA1 | fc651b2ce92787275f4bf5f5adf085cfb72e6bc8 |
| SHA256 | 72d234fbbca01a2710ee2cdac1806f61c19af5a02a1db19a1bc4a1a0f799083b |
| SHA512 | 128e8b4f65432aad30f55effe8d91f3b0060f422bfe80d5d3636fc4aa1a03033a958c5481b9b54a4c66903cf3770dc8b957b97b37a6104b620e44bfb044eb3d6 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\python3.dll
| Hash | Value |
| --- | --- |
| MD5 | c4fa8029ed8439203120d3e774aadc01 |
| SHA1 | 3ef5714d25ad62efdebb160f3cb93e136dd1f581 |
| SHA256 | 962dcad9911d6959d7320b2214ade633b53e5555e66d7e82f3bbcc78e2148e0e |
| SHA512 | 7429e7463f38767a3627c5a75b16d8856281063fcec42f977d069445ffe56c3edc78142a95047617de5082dc7142858a837596ead5179a8e583545b7754933a0 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_ctypes.pyd
| Hash | Value |
| --- | --- |
| MD5 | e1ef9f5c77b01c82cf72522ec96b2a11 |
| SHA1 | e83daa56a104f6ea6235822c644b6554c3958cfe |
| SHA256 | a79cf8259890d5843cf8eaf29db8dbd4bfabed50f4d859756f93ac2b30617023 |
| SHA512 | 4231ec5b06effae6497bf62853b79420529cabaee6b58f519c3c30bdd42c925e85979c29c2db0747dcff3f99f3b19dc02ece96347e08cf49eb0abb1e19238c01 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\libffi-7.dll
| Hash | Value |
| --- | --- |
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_bz2.pyd
| Hash | Value |
| --- | --- |
| MD5 | 5a8b3602b3560868bd819b10c6343874 |
| SHA1 | 73a5ce4d07479894f24b776eb387abd33deb83a9 |
| SHA256 | 00d2f34aee55b473bcc11838469b94a62d01fdf4465e19f7d7388c79132f019e |
| SHA512 | 2f2f8305fd8853c479b5d2a442110efc3ad41a3c482cd554ebcc405fcf097e230f5cd45dbfb44050b5bd6fae662ce7cac0583c9784050f0c7d09a678768587db |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_lzma.pyd
| Hash | Value |
| --- | --- |
| MD5 | caa58290ab4414e2e22cc0b6ff4b2d29 |
| SHA1 | 840902aaf7db40da17018776e5c842014c3a81ac |
| SHA256 | 185d407bcca7399c458133f2ce1efa938352b8093b2de040c91c3c3088ab173f |
| SHA512 | a82e380ab1676424e52a36c08eabd572375dd36a7fe2b9df51d48c368aed6c04b0b3674bc6a9787efedd0ed70bb1869ed1a2f3a1f4238485710092b9cbadd00e |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_socket.pyd
| Hash | Value |
| --- | --- |
| MD5 | e71c0c49f7e2bd39cafeed1dca29455b |
| SHA1 | 22cb314298c6c38e3246f73dc7277ed00d6b8449 |
| SHA256 | 3b0ea76a2b0caabf5b8994d3789778575ecbf2831acaf4d53d274e265d271622 |
| SHA512 | 4c09599c7c93427b30a011cc39738983c79f0835292e5c0e7e19f6329f33810773d0e97e20f4698d22b6d0b8b643521bc3ce318c890366872ed26b6d3dab5c05 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\select.pyd
| Hash | Value |
| --- | --- |
| MD5 | 1e74ba085eb08a3affe5f5fabaaa6caf |
| SHA1 | 46e3efbd21dc0a2c7650ed949bc7e7e91b37efea |
| SHA256 | 36be2a85c1989dc171bde986950b81d3e9cda21f1d1bf2f81f7fe15ffefad511 |
| SHA512 | 517a109490c3724a630a85471e28ff3c4f96c9810b96f5baa9b66473ef59ed4055e331c8da064a53bc12892fb674f417b3485e96f16015e1437cbd2ca67e87d8 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\pyexpat.pyd
| Hash | Value |
| --- | --- |
| MD5 | f38c38fa0e17db7935b92cb827cf0356 |
| SHA1 | 4d58b54307de86d384d246b5577a55db1de96eb5 |
| SHA256 | 9e481e46a93f74675a0ac6c9565e6b75511f2e5064f764f7f7e2f77680b41378 |
| SHA512 | 1429b59ac51b1c4d137db7a985a519a9914cd1184af53448cbb6675b62151d428cd05818d811cb8a63ae45d80d302f6eeef28ef7d4723c9a5ae4942f7e424efd |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_queue.pyd
| Hash | Value |
| --- | --- |
| MD5 | 671a9ac9b34f07ada65bf1635e4626c5 |
| SHA1 | d4a6e478caaacdbdb52f57d12e16ba96671d30f2 |
| SHA256 | 3f1fc09b3f0a5c8c7aff4223d002952ab26f462aa390940a9f00454815204739 |
| SHA512 | 92617258ef747f93ab2c378f5c9a2aac14668d834df15939c1ef83a555490b9ee3380d7341bee60c33057482736a595593749b8794ddeaa9649339363095108c |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_ssl.pyd
| Hash | Value |
| --- | --- |
| MD5 | 39919e97dc418e0099b2a0bb332a8c77 |
| SHA1 | f04c9d78b3d5e2a95ea3535c363d8b05d666d39e |
| SHA256 | b38b09bf0421b1f49338ded8021d7bc56be19902d9b21a9b6e9c8df448f93eb2 |
| SHA512 | f179ebe84ae065ed63e71f2855b2b69cdedfc8be70dace0eb07c8b191768eace1312562e27e77492481f214f85d31f35c88c2b1f7a3881cee9dffffa7ffc668a |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\libssl-1_1.dll
| Hash | Value |
| --- | --- |
| MD5 | 2335285f5ac87173bd304efeddfa1d85 |
| SHA1 | 64558d2150120abed3514db56299721c42c6fe58 |
| SHA256 | 1b57a201184559164dedbddcb43bb110a18cafa19ea3d00fc23274ccfc420e94 |
| SHA512 | 82737590d5ec7315ce8485c4794c01bfcce176ce443740a9f0cf5adfc3c3ed31a714556d33c1ca56db486636111d1ad855f606c87e5f322a505c535187ce2bde |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\libcrypto-1_1.dll
| Hash | Value |
| --- | --- |
| MD5 | aa811bb63dbd4c5859b68332326f60b1 |
| SHA1 | 6e5584d5c59d2f79cbf60c6c71a92ecd7e4e0977 |
| SHA256 | 00a1eeb37372d11559bf44c9e68af9c841c41c95a173f3dfec4e0b5923d0cae0 |
| SHA512 | dad9b14f501fd63824480f8801acd4004dd46f7a6965ac8ab91e573676236a11099f4b7cfdf7b3f6c0cc52a3b2e5d9b50f715f53a1f4f858ea2a5eb15d5092cd |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_asyncio.pyd
| Hash | Value |
| --- | --- |
| MD5 | 3a5fbfdc3091114488bc30cc1873365b |
| SHA1 | a4da519a41ce499430f5fea6f731f59b41e8031d |
| SHA256 | a055e2b17cba4199b48db6848e44543399870958f49b1afce10534c46298ef2a |
| SHA512 | 00e08a09f7124e3e300a834796cc106ce07f8801749dc2ce451d5397ed822c2b3c602c20344b44c608c4fc0048cac6897748daab91d80a1be877a9c44e531dc1 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_overlapped.pyd
| Hash | Value |
| --- | --- |
| MD5 | 60af9df3c5d25c193d73a566e763b0b8 |
| SHA1 | a87c3285ff6f59528611f42577d30dbf35827b45 |
| SHA256 | c63632bf1b28f7f1007ff093a9ef3d034cb9480fc373c29e06a407b223b6ddff |
| SHA512 | 57c33929ec284013e88696ab7c099d570d0211d99f8e2027f1d8db9ae66810ccba6992959a2d543929f59bfc67cc4d1cc9264046e02df9cd119c3b1d2ec41a20 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\pytransform_vax_002423.pyd
| Hash | Value |
| --- | --- |
| MD5 | 2535bcd21a8d45b22771f1181b52fe48 |
| SHA1 | b9bf6af50a76b7a53011090e4df0ce1cb8adc8b8 |
| SHA256 | 587f0fd6d780a3dd97b19f4091b78f380ebbfc7b78acbc8d44e11f943b9c6db7 |
| SHA512 | 4beab10faf9d8b28ead7ab83f9d32539655576898de1c60c305a1a5c57d6b211b364a54c7746955769db48b5973ac6d513f93d2101ed5da3b8e20010caed263b |
memory/380-152-0x00007FFFB0030000-0x00007FFFB0032000-memory.dmp
memory/380-151-0x00000000674F0000-0x00000000680CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_uuid.pyd
| Hash | Value |
| --- | --- |
| MD5 | 0803ad237eb9e6370d71d0c500ce6493 |
| SHA1 | 60479ffe844717a7ccd451ae1cfa5208ed003177 |
| SHA256 | fc5dc4af3a540c97d33cd300558488884417912629fad2e36baeba6ffca9faac |
| SHA512 | 1f8a19fe1c228a5f7cde873a89d3c64e9b3c9b2d9b360bd893b86ac8558bae76a5f08b6a6ba093ff369f0f04e72ec10260d1d2299b796b2c1433ae11ae8b6e1a |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_hashlib.pyd
| Hash | Value |
| --- | --- |
| MD5 | 8f7edaff246c46dbf09ab5554b918b37 |
| SHA1 | c14c33b14419f5d24fb36e5f1bf1760a9c63228b |
| SHA256 | 9154b36c178d84a901edad689a53148451ef3c851a91447a0654f528a620d944 |
| SHA512 | 1947a1010fa1b07671aa471d5821792dee7f2b0cd1937d3f944cd0201a299e6cb37a41debbbd1bc6e774186f6d08ad6264055cba7652b0d5bd22691431cb360e |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_cffi_backend.cp39-win_amd64.pyd
| Hash | Value |
| --- | --- |
| MD5 | ba20b38817bd31b386615e6cf3096940 |
| SHA1 | dfd0286bc3d11d779f6b24f4245b5602b1842df0 |
| SHA256 | 0fffe7a441f2c272a7c6d8cf5eb1adce71fde6f6102bc7c1ceb90e05730c4b07 |
| SHA512 | b580c1c26f4ddea3fb7050c83839e9e3ede7659f934928072ae8da53db0c92babc72dbc01130ec931f4ec87e3a3118b6d6c42a4654cd6775e24710517585b275 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\charset_normalizer\md.cp39-win_amd64.pyd
| Hash | Value |
| --- | --- |
| MD5 | c4de5638d7cf59a01c768448c6bef89d |
| SHA1 | 4405bae0d6fc5502e32689d99e74abafd87f9588 |
| SHA256 | cd8f4e8f69c855042a8f36f68a1601d96f09568baff51f96decda4fa5aeb274d |
| SHA512 | adbf18508988af7c081539110d1b2b2f3acdea0e63bd039ec94fc57b53464761abae1639ad21f6302465ddf8fed3b0f987d9300d457be2706f10b2a36d58bce9 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\unicodedata.pyd
| Hash | Value |
| --- | --- |
| MD5 | 06092dbacf3b009ad11376dfc5ed2acd |
| SHA1 | 2597d23469d65936fca20906ef41e1f999944210 |
| SHA256 | 2f9e76a8148029ade3e8f61d014d79a9b1c154cc9b5d6608f50fc478170ff676 |
| SHA512 | c782ebb9139a6b358d6e55cca3f018e421747984245fafbd150696b152763f2a6d08a21a0185f49df867dfabf5f066631a55f324abfed4e8bece8f85ead81c85 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_decimal.pyd
| Hash | Value |
| --- | --- |
| MD5 | 77510dba8f87d26741d0a2501d61ad48 |
| SHA1 | fff70ddcbb5ddf34419a4196a341bfff52d2d3ee |
| SHA256 | 6c5ba4ad0c7b89b83e2a0a2c6cc4927992aa0adc449eea6aacaaff2b55f544f6 |
| SHA512 | 9b84491bfbb5523b9c73580a8e434ad87a0ccc540fe9d522ee97324c9c20a68d1f45adc712dadd2d3966c4d613ad40b8000a2de4b44a7268020e461d21abf284 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\charset_normalizer\md__mypyc.cp39-win_amd64.pyd
| Hash | Value |
| --- | --- |
| MD5 | d67200e140f7226beda03e3fac5dbfce |
| SHA1 | d09d0d558ca640d380ec463ef0c6acaaf800f12c |
| SHA256 | ae2bdf86ce87b46bd557f7955ae4d018155e9bead7ccb63c65f359ae79fc5309 |
| SHA512 | d8fb745b85db89978b4abfa1ebd645bf837ed9bdec80ab647f31de0fc0a547112a893e3f76912445a367d289e57a080da25797ef8ead7cd18e1b3f6e4aaf8350 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\brotli\_brotli.pyd
| Hash | Value |
| --- | --- |
| MD5 | 5cd8cbde51c687b96a732c6cab46b016 |
| SHA1 | 9584be1465af75937f9cff3c6609ce2f6228498f |
| SHA256 | 9d007f4dd7e138404aa849eb1afa8637b8d28606f7e3349bc99fb9279184319f |
| SHA512 | 1f9681c65f8f803d7e150c03a126ccee715e680035b30d0dcdcd538735d2e294ee8766f5afaa4a2d663eb5da13ec85eef01f57d967753f09649017911fdd2d27 |
memory/380-156-0x00007FFFAFF90000-0x00007FFFB0185000-memory.dmp
memory/380-171-0x00000000674F0000-0x00000000680CD000-memory.dmp
memory/380-172-0x00007FFFAFF90000-0x00007FFFB0185000-memory.dmp