Malware Analysis Report

2024-10-16 07:02

Sample ID: 240609-ycsfmseg94
Target: Joinify.exe
SHA256: b626f2b952633aabce2a7461ba1e296cceb00c595b752f322a070629d53d36b1
Tags: pyinstaller, evasion, themida, trojan
Score: 9/10

Analysis Overview

Score: 9/10
SHA256: b626f2b952633aabce2a7461ba1e296cceb00c595b752f322a070629d53d36b1
Threat level: Likely malicious

The file Joinify.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: pyinstaller, evasion, themida, trojan

- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Loads dropped DLL
- Checks BIOS information in registry
- Themida packer
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Detects Pyinstaller
- Unsigned PE
- Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-06-09 19:38

Signatures

Detects Pyinstaller (tag: pyinstaller)

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-09 19:38
Reported: 2024-06-09 19:39
Platform: win7-20240221-en
Max time kernel: 19s
Max time network: 19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Joinify.exe"

Signatures

Loads dropped DLL

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\Joinify.exe
    "C:\Users\Admin\AppData\Local\Temp\Joinify.exe"

C:\Users\Admin\AppData\Local\Temp\Joinify.exe
    "C:\Users\Admin\AppData\Local\Temp\Joinify.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI10842\python39.dll

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-09 19:38
Reported: 2024-06-09 19:39
Platform: win10v2004-20240508-en
Max time kernel: 42s
Max time network: 36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Joinify.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (tag: evasion)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | N/A |

Checks BIOS information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | N/A |

(26 identical rows in the original report.)

Themida packer (tag: themida)

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

(3 identical rows in the original report.)

Checks whether UAC is enabled (tags: evasion, trojan)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | N/A |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | N/A |

(3 identical rows in the original report.)

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3816 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\Joinify.exe | C:\Users\Admin\AppData\Local\Temp\Joinify.exe |

(2 identical rows in the original report.)

Processes

C:\Users\Admin\AppData\Local\Temp\Joinify.exe
    "C:\Users\Admin\AppData\Local\Temp\Joinify.exe"

C:\Users\Admin\AppData\Local\Temp\Joinify.exe
    "C:\Users\Admin\AppData\Local\Temp\Joinify.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:8

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |

Files

C:\Users\Admin\AppData\Local\Temp\_MEI38162\python39.dll
C:\Users\Admin\AppData\Local\Temp\_MEI38162\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI38162\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI38162\python3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38162\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38162\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38162\pyexpat.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38162\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI38162\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_asyncio.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_overlapped.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38162\pytransform_vax_002423.pyd
memory/380-152-0x00007FFFB0030000-0x00007FFFB0032000-memory.dmp
memory/380-151-0x00000000674F0000-0x00000000680CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_uuid.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_cffi_backend.cp39-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38162\charset_normalizer\md.cp39-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38162\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38162\charset_normalizer\md__mypyc.cp39-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI38162\brotli\_brotli.pyd
memory/380-156-0x00007FFFAFF90000-0x00007FFFB0185000-memory.dmp
memory/380-171-0x00000000674F0000-0x00000000680CD000-memory.dmp
memory/380-172-0x00007FFFAFF90000-0x00007FFFB0185000-memory.dmp