Analysis Overview
SHA256
2b0a5b3b41371469cba89974d25e3f71bd31923d085236b9ab23702ae8faa395
Threat Level: Shows suspicious behavior
The file Window Renamer.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-18 22:52
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 22:52
Reported
2024-06-18 22:55
Platform
win10v2004-20240611-en
Max time kernel
124s
Max time network
128s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Window Renamer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Window Renamer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Window Renamer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Window Renamer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Window Renamer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Window Renamer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\notepad.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1012 wrote to memory of 4976 | N/A | C:\Users\Admin\AppData\Local\Temp\Window Renamer.exe | C:\Users\Admin\AppData\Local\Temp\Window Renamer.exe |
| PID 1012 wrote to memory of 4976 | N/A | C:\Users\Admin\AppData\Local\Temp\Window Renamer.exe | C:\Users\Admin\AppData\Local\Temp\Window Renamer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Window Renamer.exe
"C:\Users\Admin\AppData\Local\Temp\Window Renamer.exe"
C:\Users\Admin\AppData\Local\Temp\Window Renamer.exe
"C:\Users\Admin\AppData\Local\Temp\Window Renamer.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:8
C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI10122\python311.dll
| MD5 | e2bd5ae53427f193b42d64b8e9bf1943 |
| SHA1 | 7c317aad8e2b24c08d3b8b3fba16dd537411727f |
| SHA256 | c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400 |
| SHA512 | ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036 |
C:\Users\Admin\AppData\Local\Temp\_MEI10122\VCRUNTIME140.dll
| MD5 | 4585a96cc4eef6aafd5e27ea09147dc6 |
| SHA1 | 489cfff1b19abbec98fda26ac8958005e88dd0cb |
| SHA256 | a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736 |
| SHA512 | d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286 |
C:\Users\Admin\AppData\Local\Temp\_MEI10122\base_library.zip
| MD5 | df673df8c5f4b100f5588b8cf1834b68 |
| SHA1 | dc82a6a581fc4ad98ef94046753a107f3079e2a8 |
| SHA256 | 61f8ceeb90d4321ea6b9593627ee414acac0de654327e703c679aebc8c520c6f |
| SHA512 | 6836c4bc80a15b89401006d1b061a7ce7c1431b742dcc903bcf027713bf8886189f88e8937dd13bd2c5e21671063adb09939d1c1fcf2db755d8935abd846dc3e |
C:\Users\Admin\AppData\Local\Temp\_MEI10122\win32\win32gui.pyd
| MD5 | 3c81c0ceebb2b5c224a56c024021efad |
| SHA1 | aee4ddcc136856ed2297d7dbdc781a266cf7eab9 |
| SHA256 | 6085bc00a1f157c4d2cc0609e20e1e20d2572fe6498de3bec4c9c7bebcfbb629 |
| SHA512 | f2d6c06da4f56a8119a931b5895c446432152737b4a7ae95c2b91b1638e961da78833728d62e206e1d886e7c36d7bed3fa4403d0b57a017523dd831dd6b7117f |
C:\Users\Admin\AppData\Local\Temp\_MEI10122\VCRUNTIME140_1.dll
| MD5 | 7e668ab8a78bd0118b94978d154c85bc |
| SHA1 | dbac42a02a8d50639805174afd21d45f3c56e3a0 |
| SHA256 | e4b533a94e02c574780e4b333fcf0889f65ed00d39e32c0fbbda2116f185873f |
| SHA512 | 72bb41db17256141b06e2eaeb8fc65ad4abdb65e4b5f604c82b9e7e7f60050734137d602e0f853f1a38201515655b6982f2761ee0fa77c531aa58591c95f0032 |
C:\Users\Admin\AppData\Local\Temp\_MEI10122\pywin32_system32\pywintypes311.dll
| MD5 | 90b786dc6795d8ad0870e290349b5b52 |
| SHA1 | 592c54e67cf5d2d884339e7a8d7a21e003e6482f |
| SHA256 | 89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a |
| SHA512 | c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72 |