Malware Analysis Report

2024-11-13 15:24

Sample ID: 240619-g3xplszekk
Target: overlay_3.0.4.exe
SHA256: 13e208f8e0c6deb7066b8ef785457042433a8b2c316223154354602cd3ff3a82
Tags: pyinstaller
Score: 7/10

Analysis Overview

Score: 7/10
SHA256: 13e208f8e0c6deb7066b8ef785457042433a8b2c316223154354602cd3ff3a82

Threat level: shows suspicious behavior. overlay_3.0.4.exe received a generic "suspicious" verdict rather than a family detection: the only tag applied is pyinstaller, no malware-family signature matched, and the score rests on the generic behavioral signatures listed below. Several of those signatures were raised by the sandbox opening the companion file bwstats.pyc, not by the sample's own code, so read the per-run sections before treating the 7/10 as evidence of malicious intent.

Malicious Activity Summary

The list below is the union of signatures over the static run and the four behavioral runs. Each is annotated with the run and the process that raised it, because several were not raised by the sample's own code:

pyinstaller / Detects Pyinstaller (static1): the executable is a PyInstaller one-file bundle. At run time the bootloader unpacks the embedded archive into %TEMP%\_MEI<pid>\ and re-launches itself as a child process to run the Python code.

Unsigned PE (static1): the executable carries no Authenticode signature.

Loads dropped DLL (behavioral2, overlay_3.0.4.exe): the bootloader and the Python runtime loading python310.dll, the VC runtime and the .pyd extension modules they have just extracted. This is expected for every PyInstaller one-file build and is not by itself evidence of injection.

Suspicious use of FindShellTrayWindow (behavioral2, overlay_3.0.4.exe): raised once on the sample process.

Suspicious use of WriteProcessMemory: appears only in this summary; none of the per-run signature tables below attribute it to a process.

Enumerates physical storage devices, Modifies registry class, Suspicious behavior: GetForegroundWindowSpam, Suspicious use of SetWindowsHookEx (behavioral3 and behavioral4): these runs launched the companion file bwstats.pyc with cmd /c. Compiled Python bytecode is not executable by the shell, so Windows fell back to the "Open with" handler (rundll32 shell32.dll,OpenAs_RunDLL on Windows 7, OpenWith.exe on Windows 10); on Windows 7 the sandbox's choice of Adobe Reader wrote a per-user .pyc file association and opened the file in AcroRd32.exe. The registry writes, window hooks and foreground-window polling belong to those system processes and to Adobe Reader, not to the sample.

MITRE ATT&CK

No technique mappings (Enterprise Matrix V15) are recorded for this sample.

Analysis: static1

Detonation Overview

Reported: 2024-06-19 06:20

Signatures

Detects Pyinstaller (tag: pyinstaller)
No description, indicator, process or target details were recorded; static matches carry no per-process context.

Unsigned PE
No description, indicator, process or target details were recorded.
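To verify the pyinstaller tag offline and see what the bundle actually carries, the check below locates the PyInstaller CArchive that the bootloader appends to the PE and lists its table of contents. This is an added example written for this report, not code from the sandbox or from the sample. The cookie magic, cookie struct and TOC entry struct are PyInstaller's CArchive layout; build_sample_archive() and demo() fabricate a small bundle purely as constructed input so the parser can run without the real file, and the script entry holds plain source only for readability (real 's' entries hold marshalled code objects). Pass the path of overlay_3.0.4.exe on the command line to list the real entries.

```python
"""Locate and list the PyInstaller CArchive appended to a PE (added example)."""
import struct
import zlib

# CArchive layout as written by PyInstaller's archive writer and read by its bootloader.
COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"   # magic, archive length, TOC offset, TOC length, pyver, python lib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)            # 88 bytes
TOC_ENTRY_FMT = "!iIIIBc"   # entry length, data offset, compressed size, raw size, zlib flag, type code
TOC_ENTRY_LEN = struct.calcsize(TOC_ENTRY_FMT)      # 18 bytes
TYPE_NAMES = {b"s": "script", b"m": "module", b"M": "package", b"z": "PYZ",
              b"b": "binary", b"x": "data", b"o": "option", b"d": "dependency"}


def find_cookie(blob: bytes) -> int:
    """Offset of the last cookie magic, or -1 if the file is not a PyInstaller bundle.

    Search from the end: an Authenticode signature or other appended data may follow
    the cookie, so it is not guaranteed to be the final 88 bytes of the file.
    """
    return blob.rfind(COOKIE_MAGIC)


def parse_archive(blob: bytes) -> dict:
    """Parse the cookie and TOC; returns the Python version, lib name and entry list."""
    pos = find_cookie(blob)
    if pos < 0 or pos + COOKIE_LEN > len(blob):
        raise ValueError("no PyInstaller cookie found")
    magic, archive_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, blob[pos:pos + COOKIE_LEN])
    start = pos + COOKIE_LEN - archive_len   # the cookie is the last 88 bytes of the archive
    if magic != COOKIE_MAGIC or start < 0 or start + toc_off + toc_len > len(blob):
        raise ValueError("cookie offsets point outside the file")
    # PyInstaller 4+ stores 3.10 as 310; older builds used two digits (37 for 3.7).
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    entries, p, end = [], start + toc_off, start + toc_off + toc_len
    while p < end:
        entry_len, data_off, csize, usize, zflag, tcode = struct.unpack(
            TOC_ENTRY_FMT, blob[p:p + TOC_ENTRY_LEN])
        if entry_len < TOC_ENTRY_LEN or p + entry_len > end:
            raise ValueError("corrupt TOC entry")
        name = blob[p + TOC_ENTRY_LEN:p + entry_len].rstrip(b"\0").decode("utf-8")
        entries.append({"name": name, "type": TYPE_NAMES.get(tcode, tcode.decode()),
                        "offset": start + data_off, "csize": csize, "usize": usize,
                        "compressed": bool(zflag)})
        p += entry_len
    return {"python": f"{major}.{minor}", "lib": pylib.rstrip(b"\0").decode(),
            "entries": entries}


def extract_entry(blob: bytes, entry: dict) -> bytes:
    """Return one entry's payload, inflating it if the TOC marks it zlib-compressed."""
    data = blob[entry["offset"]:entry["offset"] + entry["csize"]]
    return zlib.decompress(data) if entry["compressed"] else data


def build_sample_archive(stub: bytes, items, pyver=310, pylib=b"python310.dll") -> bytes:
    """Construct a bundle in CArchive layout as test input (not a real PyInstaller build)."""
    body, toc = bytearray(), bytearray()
    for name, tcode, raw, compress in items:
        data = zlib.compress(raw) if compress else raw
        nm = name.encode("utf-8") + b"\0"
        nm += b"\0" * (-(TOC_ENTRY_LEN + len(nm)) % 16)   # entries are padded to 16 bytes
        toc += struct.pack(TOC_ENTRY_FMT, TOC_ENTRY_LEN + len(nm), len(body),
                           len(data), len(raw), int(compress), tcode) + nm
        body += data
    archive_len = len(body) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, COOKIE_MAGIC, archive_len, len(body), len(toc),
                         pyver, pylib)
    return stub + bytes(body) + bytes(toc) + cookie


def demo(trailing: bytes = b"") -> dict:
    """Build a constructed bundle (fake stub + archive + optional appended data) and parse it."""
    stub = b"MZ" + b"\0" * 62                          # stand-in for the bootloader PE (constructed)
    script = b"import platform\nprint(platform.platform())\n"   # placeholder; real 's' entries are marshalled code
    items = [("struct", b"m", b"\0" * 16, True),
             ("overlay", b"s", script, True),
             ("PYZ-00.pyz", b"z", b"PYZ\0" + b"\0" * 12, False),
             ("python310.dll", b"b", b"MZ" + b"\0" * 30, True)]
    blob = build_sample_archive(stub, items) + trailing
    info = parse_archive(blob)
    scripts = [e for e in info["entries"] if e["type"] == "script"]
    info["entry_script"] = extract_entry(blob, scripts[0]).decode() if scripts else None
    return info


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else None
    result = parse_archive(data) if data else demo()
    print(f"Python {result['python']} ({result['lib']}), {len(result['entries'])} entries")
    for e in result["entries"]:
        print(f"  {e['type']:<10} {e['usize']:>9}  {e['name']}")
```

On a real bundle the interesting rows are the 's' entries (the application's own scripts, to be decompiled next) and the 'b' entries, whose names should match the files dropped under _MEI in the behavioral runs; a 'b' or 'x' entry that never appears on disk, or a second cookie found before the last one, is worth a closer look.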

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-19 06:20
Reported: 2024-06-19 06:24
Platform: win7-20240611-en
Max time kernel: 117s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\overlay_3.0.4.exe"

Signatures

None raised in this run.

Processes

C:\Users\Admin\AppData\Local\Temp\overlay_3.0.4.exe
"C:\Users\Admin\AppData\Local\Temp\overlay_3.0.4.exe"

C:\Users\Admin\AppData\Local\Temp\overlay_3.0.4.exe
"C:\Users\Admin\AppData\Local\Temp\overlay_3.0.4.exe"

The two identical entries are the PyInstaller one-file parent, which extracts the archive, and the child it spawns with the same command line to run the Python code. No further child processes appear and the dropped files stop at the C runtime and python310.dll. Python 3.10 does not support Windows 7, so this detonation most likely ended at interpreter start-up and shows nothing of the script's behavior; use behavioral2 for that.

Network

N/A

Files

Extracted by the bootloader into C:\Users\Admin\AppData\Local\Temp\_MEI22202 (the numeric suffix is the parent bootloader's process ID):

C:\Users\Admin\AppData\Local\Temp\_MEI22202\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-core-localization-l1-2-0.dll

MD5 584935f54f7a9947a2fec9a6d827e558
SHA1 3ee71afa08464bab300983a2bc627cd791d574dc
SHA256 78b921153dd5776295b464f6b887d6cf3e24097d53305a0c584256b8f569f9fb
SHA512 933658ceeb0a79d968b1ad32fa392f0e9f630c0264919fc729986f0d97ce72c5e5c554a42c068eacbbea24e4adca686ce10701803c6e80c77f7ed6d121cff749

\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-core-processthreads-l1-1-1.dll

MD5 fb60a721cfca0b3307067a7db90a996e
SHA1 fd4d776f3b9f1f7b658a2abdb5d321721eb19488
SHA256 2f031764abb092fa03732d27876a29f62d40ba0fdce08b66559915dc2879d10c
SHA512 b510c8a1436463ee4206cc6d3585a883bb195cdb3ed134eda286939ba50027ae2c01e409654252966717ccb0fbd2d09aae9d9412fa94491bf403103e7b62a5bb

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-core-file-l1-2-0.dll

MD5 4454791276f4716342de12eaa6ab5007
SHA1 cfeab7a4aed07adf0e22bb40ca408046896173fa
SHA256 0545cfcb511dcca7764a31465c211ff3d6b91ed5070c00a8613599edff4b7979
SHA512 e86ae200f473ffc00b4e4f3fcdb094cdf896184dd048aed3c408f145282cf5da67889e11334460984c60f332d2faecf9a89a5f3774c81b488aeaadb5e1520497

\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-core-timezone-l1-1-0.dll

MD5 9be41c3476bdf52936e25368c14b87c4
SHA1 22a068671f0e3fc9041a193158cfb95fa3618419
SHA256 9c208b51ad3331ae87ce2642d9a8b119add74798524ea1c3cb1e995045f452b9
SHA512 0756986284b8ea16cc1d35c8a87352e70b7b44a892b3b4a1266c64607aa0dd161e5da4b0286c6dbb38f040d538c85e6c4af26148a31d1382f86b12b4b389463d

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-core-file-l2-1-0.dll

MD5 bfffa7117fd9b1622c66d949bac3f1d7
SHA1 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA256 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512 b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

C:\Users\Admin\AppData\Local\Temp\_MEI22202\python310.dll

MD5 e4533934b37e688106beac6c5919281e
SHA1 ada39f10ef0bbdcf05822f4260e43d53367b0017
SHA256 2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5
SHA512 fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-19 06:20
Reported: 2024-06-19 06:24
Platform: win10v2004-20240226-en
Max time kernel: 152s
Max time network: 159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\overlay_3.0.4.exe"

Signatures

Loads dropped DLL
Process: C:\Users\Admin\AppData\Local\Temp\overlay_3.0.4.exe (55 hits; no description, indicator or target recorded). Each hit is the bootloader or the Python runtime loading one of the DLLs and .pyd modules listed under Files.

Suspicious use of FindShellTrayWindow
Process: C:\Users\Admin\AppData\Local\Temp\overlay_3.0.4.exe (1 hit; no description, indicator or target recorded).

Processes

C:\Users\Admin\AppData\Local\Temp\overlay_3.0.4.exe
"C:\Users\Admin\AppData\Local\Temp\overlay_3.0.4.exe"

C:\Users\Admin\AppData\Local\Temp\overlay_3.0.4.exe
"C:\Users\Admin\AppData\Local\Temp\overlay_3.0.4.exe"

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8

Notes. The duplicated overlay_3.0.4.exe entries are the PyInstaller one-file parent and its child. The cmd.exe /c "ver" child is how Python's platform module reads the Windows version when a script calls functions such as platform.platform() or platform.win32_ver(); it shows the script queried the OS version, not that it ran attacker-supplied shell commands. The msedge.exe entry is an Edge utility process (asset_store service) belonging to the sandbox's own browser install; the flattened list carries no parent/child links and nothing in this report ties it to the sample.

Network

Country  Destination         Domain                               Proto
US       8.8.8.8:53          183.142.211.20.in-addr.arpa          udp
US       8.8.8.8:53          105.83.221.88.in-addr.arpa           udp
US       20.231.121.79:80    (none recorded)                      tcp
US       8.8.8.8:53          0.159.190.20.in-addr.arpa            udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa          udp
US       8.8.8.8:53          104.219.191.52.in-addr.arpa          udp
US       8.8.8.8:53          149.220.183.52.in-addr.arpa          udp
US       8.8.8.8:53          157.123.68.40.in-addr.arpa           udp
US       8.8.8.8:53          15.164.165.52.in-addr.arpa           udp
US       8.8.8.8:53          140.71.91.104.in-addr.arpa           udp
US       8.8.8.8:53          145.83.221.88.in-addr.arpa           udp
US       8.8.8.8:53          chromewebstore.googleapis.com        udp
US       8.8.8.8:53          chromewebstore.googleapis.com        udp
GB       216.58.213.10:443   chromewebstore.googleapis.com        tcp
US       8.8.8.8:53          10.213.58.216.in-addr.arpa           udp
US       8.8.8.8:53          23.236.111.52.in-addr.arpa           udp
US       8.8.8.8:53          152.107.17.2.in-addr.arpa            udp
US       8.8.8.8:53          136.71.105.51.in-addr.arpa           udp

The 8.8.8.8:53 rows ending in in-addr.arpa are reverse (PTR) lookups of IP addresses, not connections to those names. The only forward lookup, chromewebstore.googleapis.com, and the TLS connection to 216.58.213.10:443 match the msedge.exe utility process in the process list; the plain HTTP connection to 20.231.121.79:80 has no hostname recorded. The table carries no originating-process column, so none of these rows can be attributed to overlay_3.0.4.exe from this report alone, and no command-and-control endpoint is identified.

Files

Extracted by the bootloader into C:\Users\Admin\AppData\Local\Temp\_MEI11842 (the numeric suffix is the parent bootloader's process ID). The dropped components describe the bundled application's dependencies: the Python 3.10 runtime (python310.dll, python3.dll, base_library.zip), OpenSSL 1.1 with _ssl and _hashlib (TLS-capable), _socket, select, _asyncio and _overlapped (socket and asyncio I/O), pywin32 (win32api, win32gui, win32process, pywintypes310.dll, pythoncom310.dll; window and process manipulation from Python), Tk 8.6 with _tkinter (a GUI, consistent with the "overlay" name), and charset_normalizer with _brotli, which are pulled in by the requests HTTP stack. All of these are stock runtime components; the application's own scripts stay inside the one-file archive and are not written to disk, so they do not appear in this list.

C:\Users\Admin\AppData\Local\Temp\_MEI11842\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

C:\Users\Admin\AppData\Local\Temp\_MEI11842\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

C:\Users\Admin\AppData\Local\Temp\_MEI11842\python310.dll

MD5 e4533934b37e688106beac6c5919281e
SHA1 ada39f10ef0bbdcf05822f4260e43d53367b0017
SHA256 2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5
SHA512 fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

C:\Users\Admin\AppData\Local\Temp\_MEI11842\base_library.zip

MD5 45080452ebe871f75f4fe80f005489c7
SHA1 9c8426ad3f4936a58662cbcecec2841ed9268192
SHA256 9fb8878bb0c92aa6d090f2d9861df048fa693da2c683837e811b1ab0ce7b0c58
SHA512 e569d5037188134f204c614d2927eae78d71aa77025ca297a594748217a7b02e0b9d953a4d5277ccdf03adef0a6ff3ea213990820f438457c3115e9bea9c6264

C:\Users\Admin\AppData\Local\Temp\_MEI11842\python3.dll

MD5 24f4d5a96cd4110744766ea2da1b8ffa
SHA1 b12a2205d3f70f5c636418811ab2f8431247da15
SHA256 73b0f3952be222ce676672603ae3848ee6e8e479782bd06745116712a4834c53
SHA512 bd2f27441fe5c25c30bab22c967ef32306bcea2f6be6f4a5da8bbb5b54d3d5f59da1ffcb55172d2413fe0235dd7702d734654956e142e9a0810160b8c16225f4

C:\Users\Admin\AppData\Local\Temp\_MEI11842\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI11842\_socket.pyd

MD5 c389430e19f1cd4c2e7b8538e8c52459
SHA1 546ed5a85ad80a7b7db99f80c7080dc972e4f2a2
SHA256 a14efa68d8f7ec018fb867a6ba6c6c290a803b4001fd8c45db7bda66fb700067
SHA512 5bef6c90c65bf1d4be0ce0d0cb3f38fe288f5716c93e444cf12f89f066791850d8316d414f1d795ff148c9e841cda90ef9c35ceb4a499563f28d068a6b427671

C:\Users\Admin\AppData\Local\Temp\_MEI11842\select.pyd

MD5 c6ef07e75eae2c147042d142e23d2173
SHA1 6ef3e912db5faf5a6b4225dbb6e34337a2271a60
SHA256 43ee736c8a93e28b1407bf5e057a7449f16ee665a6e51a0f1bc416e13cee7e78
SHA512 30e915566e7b934bdd49e708151c98f732ff338d7bc3a46797de9cca308621791276ea03372c5e2834b6b55e66e05d58cf1bb4cb9ff31fb0a1c1aca0fcdc0d45

C:\Users\Admin\AppData\Local\Temp\_MEI11842\_lzma.pyd

MD5 14ea9d8ba0c2379fb1a9f6f3e9bbd63b
SHA1 f7d4e7b86acaf796679d173e18f758c1e338de82
SHA256 c414a5a418c41a7a8316687047ed816cad576741bd09a268928e381a03e1eb39
SHA512 64a52fe41007a1cac4afedf2961727b823d7f1c4399d3465d22377b5a4a5935cee2598447aeff62f99c4e98bb3657cfae25b5c27de32107a3a829df5a25ba1ce

C:\Users\Admin\AppData\Local\Temp\_MEI11842\_bz2.pyd

MD5 56203038756826a0a683d5750ee04093
SHA1 93d5a07f49bdcc7eb8fba458b2428fe4afcc20d2
SHA256 31c2f21adf27ca77fa746c0fda9c7d7734587ab123b95f2310725aaf4bf4ff3c
SHA512 3da5ae98511300694c9e91617c152805761d3de567981b5ab3ef7cd3dbba3521aae0d49b1eb42123d241b5ed13e8637d5c5bc1b44b9eaa754657f30662159f3a

C:\Users\Admin\AppData\Local\Temp\_MEI11842\_ctypes.pyd

MD5 462fd515ca586048459b9d90a660cb93
SHA1 06089f5d5e2a6411a0d7b106d24d5203eb70ec60
SHA256 bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4
SHA512 67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3

C:\Users\Admin\AppData\Local\Temp\_MEI11842\pyexpat.pyd

MD5 ea36d6df8ab58a22421f01d6d673adf2
SHA1 6a22ea1f37e8655d1602823f18ac87727110a1b5
SHA256 32e8c601259ec029e44824116ad911426157ceeae55f9fdd15387af40660dd5a
SHA512 d23b7b4f46e99fa4c93e6adba24e30d09c445e85c7b2eae93a6efbffc5d8be166908f7ba7edf7b3e5089e712a4ce8e5bcdc32610f59bda94b90dd01aa3601035

C:\Users\Admin\AppData\Local\Temp\_MEI11842\_queue.pyd

MD5 60dec90862b996e56aedafb2774c3475
SHA1 ce6ff24b2cc03aff2e825e1cf953cba10c139c9d
SHA256 9568ef8bae36edae7347b6573407c312ce3b19bbd899713551a1819d6632da46
SHA512 c4b2066975f5d204a7659a2c7c6bc6dfc9a2fc83d7614dbbc0396f3dcc8b142df9a803f001768bfd44ca6bfa61622836b20a9d68871954009435449ae6d76720

C:\Users\Admin\AppData\Local\Temp\_MEI11842\win32api.pyd

MD5 931c91f4f25841115e284b08954c2ad9
SHA1 973ea53c89fee686930396eb58d9ff5464b4c892
SHA256 7ab0d714e44093649551623b93cc2aea4b30915adcb114bc1b75c548c3135b59
SHA512 4a048a7a0949d853ac7568eb4ad4bba8d7165ec4191ce8bc67b0954080364278908001dbce0f4d39a84a1c2295f12d22a7311893f6b2e985c3ad96bd421aa3b8

C:\Users\Admin\AppData\Local\Temp\_MEI11842\pywin32_system32\pywintypes310.dll

MD5 a44f3026baf0b288d7538c7277ddaf41
SHA1 c23fbdd6a1b0dc69753a00108dce99d7ec7f5ee3
SHA256 2984df073a029acf46bcaed4aa868c509c5129555ed70cac0fe2235abdba6e6d
SHA512 9699a2629f9f8c74a7d078ae10c9ffe5f30b29c4a2c92d3fcd2096dc2edceb71c59fd84e9448bb0c2fb970e2f4ade8b3c233ebf673c47d83ae40d12a2317ca98

C:\Users\Admin\AppData\Local\Temp\_MEI11842\pywin32_system32\pythoncom310.dll

MD5 e3b435bc314f27638f5a729e3f3bb257
SHA1 fd400fc8951ea9812864455aef4b91b42ba4e145
SHA256 568982769735d04d7cc4bdd5c7b2b85ec0880230b36267ce14114639307b7bca
SHA512 c94baffbec5cadf98e97e84ba2561269ee6ad60a47cc8661f7c544a5179f9e260fbec1c41548379587b3807670b0face9e640e1d6bca621e78ef93e0bb43efcc

C:\Users\Admin\AppData\Local\Temp\_MEI11842\_ssl.pyd

MD5 7c7223f28c0c27c85a979ad222d19288
SHA1 4185e671b1dc56b22134c97cd8a4a67747887b87
SHA256 4ec47beadc4fd0d38fa39092244c108674012874f3190ee0e484aa988b94f986
SHA512 f3e813b954357f1bc323d897edf308a99ed30ff451053b312f81b6baae188cda58d144072627398a19d8d12fe659e4f40636dbbdf22a45770c3ca71746ec2df0

C:\Users\Admin\AppData\Local\Temp\_MEI11842\libssl-1_1.dll

MD5 86f2d9cc8cc54bbb005b15cabf715e5d
SHA1 396833cba6802cb83367f6313c6e3c67521c51ad
SHA256 d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771
SHA512 0013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb

C:\Users\Admin\AppData\Local\Temp\_MEI11842\libcrypto-1_1.dll

MD5 80b72c24c74d59ae32ba2b0ea5e7dad2
SHA1 75f892e361619e51578b312605201571bfb67ff8
SHA256 eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d
SHA512 08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a

C:\Users\Admin\AppData\Local\Temp\_MEI11842\_asyncio.pyd

MD5 686262283ba69cce7f3eaba7cdeb0372
SHA1 5b771e444ee97b246545affcdc8fa910c8f591ea
SHA256 02ec5cd22543c0ca298c598b7e13949a4e8247cec288d0bca0a1269059b548ef
SHA512 dca7403cfe2bfe14cf51f747a893f49db52d4d43691dbccecaa83796351b6f7e644cf8e455a0b9c38c6c006f481d5c45d32ae789756250a2b29978e9feb839d0

C:\Users\Admin\AppData\Local\Temp\_MEI11842\tk86t.dll

MD5 4b6270a72579b38c1cc83f240fb08360
SHA1 1a161a014f57fe8aa2fadaab7bc4f9faaac368de
SHA256 cd2f60075064dfc2e65c88b239a970cb4bd07cb3eec7cc26fb1bf978d4356b08
SHA512 0c81434d8c205892bba8a4c93ff8fc011fb8cfb72cfec172cf69093651b86fd9837050bd0636315840290b28af83e557f2205a03e5c344239356874fce0c72b9

C:\Users\Admin\AppData\Local\Temp\_MEI11842\tcl86t.dll

MD5 75909678c6a79ca2ca780a1ceb00232e
SHA1 39ddbeb1c288335abe910a5011d7034345425f7d
SHA256 fbfd065f861ec0a90dd513bc209c56bbc23c54d2839964a0ec2df95848af7860
SHA512 91689413826d3b2e13fc7f579a71b676547bc4c06d2bb100b4168def12ab09b65359d1612b31a15d21cb55147bbab4934e6711351a0440c1533fb94fe53313bf

C:\Users\Admin\AppData\Local\Temp\_MEI11842\win32gui.pyd

MD5 a80585794613ee13180e111487748cc6
SHA1 d330bec7de11ac770769ea15d1e4b4689e6ea958
SHA256 a96364e69c959e7ff0c88f7e10ee91e2d9fe6fa8ddedad5020349b3c4a9b173c
SHA512 a6e6bc1b8e5b1a05cd59d7fe1486b0ffd0c016c4e9801ae417acb00200a94d75bd37447a2e7284dc85d78351fea6f9c30134e2d19981c792796fb30d7bc3bb30

C:\Users\Admin\AppData\Local\Temp\_MEI11842\_hashlib.pyd

MD5 7a74284813386818ada7bf55c8d8acf9
SHA1 380c4184eec7ca266e4c2b96bb92a504dfd8fe5f
SHA256 21a1819013de423bb3b9b682d0b3506c6ef57ee88c61edf4ba12d8d5f589c9c2
SHA512 f8bc4ac57ada754006bbbb0bfa1ccb6c659f9c4d3270970e26219005e872b60afb9242457d8eb3eae0ce1f608f730da3bf16715f04b47bea4c95519dd9994a46

C:\Users\Admin\AppData\Local\Temp\_MEI11842\VCRUNTIME140_1.dll

MD5 75e78e4bf561031d39f86143753400ff
SHA1 324c2a99e39f8992459495182677e91656a05206
SHA256 1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e
SHA512 ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

C:\Users\Admin\AppData\Local\Temp\_MEI11842\charset_normalizer\md.cp310-win_amd64.pyd

MD5 0e2a2addd0d5b21193dbaae162604181
SHA1 526b25822b2571307fe8d4208c83227c0c64cb10
SHA256 ab0a8fd8f085766a2a7001380e6ee219d5ae68d0194498eeb8d3866f922fbcae
SHA512 6e0f0fa11fff0853e4063f5e1a526936cd682303f94b13da0bd4fb6b2da5efdbb3acb378951508ee3a2dea7f7e2c1d6f968e00ae63d1b6063cc2ad932a3856e9

C:\Users\Admin\AppData\Local\Temp\_MEI11842\MSVCP140.dll

MD5 1ba6d1cf0508775096f9e121a24e5863
SHA1 df552810d779476610da3c8b956cc921ed6c91ae
SHA256 74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823
SHA512 9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

C:\Users\Admin\AppData\Local\Temp\_MEI11842\_brotli.cp310-win_amd64.pyd

MD5 6d44fd95c62c6415999ebc01af40574b
SHA1 a5aee5e107d883d1490257c9702913c12b49b22a
SHA256 58bacb135729a70102356c2d110651f1735bf40a602858941e13bdeabfacab4a
SHA512 59b6c07079f979ad4a27ec394eab3fdd2d2d15d106544246fe38f4eb1c9e12672f11d4a8efb5a2a508690ce2677edfac85eb793e2f6a5f8781b258c421119ff3

C:\Users\Admin\AppData\Local\Temp\_MEI11842\win32process.pyd

MD5 90dce1c0d1f00a3816624b13a5f71027
SHA1 9d056db2d4961a0ed86d60124d1b99ef7317c283
SHA256 6c6fa941938224133848e3fe64574995e550cedcdfcdc5479e6ed3bbae9b7e9b
SHA512 844d6a9dc6ebec68e2c6fb06a1ea30cf8a2d0fbb3ed5a3ced472901cd01db569982093a8e72a188aa0905b3dbe17f44c920b52a2f77a4346bf9e964fe332e80b

C:\Users\Admin\AppData\Local\Temp\_MEI11842\tcl\encoding\cp1252.enc

MD5 e9117326c06fee02c478027cb625c7d8
SHA1 2ed4092d573289925a5b71625cf43cc82b901daf
SHA256 741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e
SHA512 d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

C:\Users\Admin\AppData\Local\Temp\_MEI11842\_tkinter.pyd

MD5 24bb3fc8c0bd04e36ccc922d88b64501
SHA1 ff6fe37108e0bf43a12e56a4a9b859b11cda3c2e
SHA256 27deae3479abff3229e54d0c93bc41ab57ad39b156c5b07878644e20fdf1a1bf
SHA512 c703b2433a6a437bff319ab654f0aacb5d956a152d9a811131888e8443927734bbfbc2405b395d93d6010da1b79069a6922dd50a853c6f5a2dd34a7cc3c6ba86

C:\Users\Admin\AppData\Local\Temp\_MEI11842\_overlapped.pyd

MD5 a5bd529290006ef1ebc8d32ffe501ca5
SHA1 c59ef2157358fb8f79b5a37ee9abba802ae915ba
SHA256 eeaa26addf211b37e689d46cfac6b7fad0d5421adc4c0113872dac1347aff130
SHA512 6b026e62b0b37445a480599175161cf6a60284ef881e0f0d1da643ac80013c2005f790f099733d76cfcf855e2ecd3a0e6c8bfc19dbabff67869119676ee03b73

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-19 06:20
Reported: 2024-06-19 06:24
Platform: win7-20240508-en
Max time kernel: 121s
Max time network: 121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\bwstats.pyc

bwstats.pyc is a compiled Python bytecode file submitted alongside the executable. cmd /c cannot run it, and the sandbox image has no handler registered for .pyc, so everything recorded in this run is Windows' "Open with" fallback rather than execution of the bytecode.

Signatures

Enumerates physical storage devices
No description, indicator, process or target recorded.

Modifies registry class
All entries were written by C:\Windows\system32\rundll32.exe (the OpenAs_RunDLL "Open with" dialog) and record the per-user .pyc association the sandbox created, pointing at Adobe Reader:

Key created: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.pyc
Set value (str): \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.pyc\ = "pyc_auto_file"
Key created: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file\shell
Key created: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file\shell\Read\command
Set value (str): \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
Key created: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings
Key created: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file
Set value (str): \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file\
Key created: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pyc_auto_file\shell\Read

Suspicious behavior: GetForegroundWindowSpam
Process: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (1 hit; no description, indicator or target recorded).

Suspicious use of SetWindowsHookEx
Process: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (2 hits; no description, indicator or target recorded).

Both window-related signatures are Adobe Reader's own behavior after it was handed the file; the sample's code is not involved.

Processes

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bwstats.pyc

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bwstats.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\bwstats.pyc"

The chain is the shell's "Open with" fallback: cmd.exe finds no handler for .pyc, shell32 shows the OpenAs dialog via rundll32, and Adobe Reader is launched with the file as its argument. The bytecode is never interpreted.

Network

N/A

Files

The only file written is Adobe Reader's own event store, created when AcroRd32.exe opened bwstats.pyc:

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 dd10574ff3e2e881643968c978aa511f
SHA1 e1541ab3b36d7ccc817ad3341e86a40f1007ad54
SHA256 cd306e17b23b4dc1f5d76855a7f892ffee9df356438cd1aa54be712b3559ddab
SHA512 f1b8492746343382d0b8cdb2c3af70566d660f19382b9e40bca01b6998eee58d0874f7e727860413cfacfa6937d93b2a95a3dc57362a55f16f18b1341d8daf9b

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-19 06:20
Reported: 2024-06-19 06:24
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 149s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\bwstats.pyc

As in behavioral3, the bytecode file is handed to cmd /c, which cannot execute it; on Windows 10 the fallback for a file type without a handler is OpenWith.exe.

Signatures

Enumerates physical storage devices
No description, indicator, process or target recorded.

Modifies registry class
Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (process: C:\Windows\system32\cmd.exe)
Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (process: C:\Windows\system32\OpenWith.exe)
Both are the routine per-user Local Settings classes key that shell components create on first use; unlike behavioral3, no file association was written in this run.

Suspicious use of SetWindowsHookEx
Process: C:\Windows\system32\OpenWith.exe (1 hit; no description, indicator or target recorded). Raised by the system "Open with" dialog, not by the sample.

Processes

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bwstats.pyc

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding

OpenWith.exe -Embedding is the COM-activated "How do you want to open this file?" dialog that Windows 10 shows for a file type with no registered handler. No interpreter ran the bytecode, so this run contributes nothing about the sample's behavior.

Network

N/A

Files

N/A