Malware Analysis Report

2024-11-13 15:24

Sample ID 240619-jebhks1dmj
Target UniqueStudio RCON.exe
SHA256 f239037a3b0b29773a9519c2c5dff44c4e11210560cf3585b2a535e8b401887e
Tags
pyinstaller
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f239037a3b0b29773a9519c2c5dff44c4e11210560cf3585b2a535e8b401887e

Threat Level: Shows suspicious behavior

The file UniqueStudio RCON.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Detects Pyinstaller

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 07:34

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 07:34

Reported

2024-06-19 07:45

Platform

win10v2004-20240508-en

Max time kernel

502s

Max time network

512s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe

"C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe"

C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe

"C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Files

C:\Users\Admin\AppData\Local\Temp\_MEI20122\python312.dll

MD5 5c5602cda7ab8418420f223366fff5db
SHA1 52f81ee0aef9b6906f7751fd2bbd4953e3f3b798
SHA256 e7890e38256f04ee0b55ac5276bbf3ac61392c3a3ce150bb5497b709803e17ce
SHA512 51c3b4f29781bb52c137ddb356e1bc5a37f3a25f0ed7d89416b14ed994121f884cb3e40ccdbb211a8989e3bd137b8df8b28e232f98de8f35b03965cfce4b424f

C:\Users\Admin\AppData\Local\Temp\_MEI20122\VCRUNTIME140.dll

MD5 4585a96cc4eef6aafd5e27ea09147dc6
SHA1 489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256 a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512 d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

C:\Users\Admin\AppData\Local\Temp\_MEI20122\base_library.zip

MD5 73f91fe1b7771f022020ddf0ac619cde
SHA1 d9ecb3061627c94f2cf6c1b7a34fea2cdbd13df7
SHA256 763457ec96d1d2afddffa85523d59aa351208bfdf607f5c5f3fb79a518b6d0c2
SHA512 cb85666c7e50e3dbf14fc215ec05d9576b884066983fe97fa10a40c6a8d6be11c68ca853e7f7039ec67e6b2d90e8c8a3273039b4b86d91d311bcddcdd831b507

C:\Users\Admin\AppData\Local\Temp\_MEI20122\_wmi.pyd

MD5 ee33f4c8d17d17ad62925e85097b0109
SHA1 8c4a03531cf3dbfe6f378fdab9699d51e7888796
SHA256 79adca5037d9145309d3bd19f7a26f7bb7da716ee86e01073c6f2a9681e33dad
SHA512 60b0705a371ad2985db54a91f0e904eea502108663ea3c3fb18ed54671be1932f4f03e8e3fd687a857a5e3500545377b036276c69e821a7d6116b327f5b3d5c1

C:\Users\Admin\AppData\Local\Temp\_MEI20122\_ssl.pyd

MD5 9b4e74fd1de0f8a197e4aa1e16749186
SHA1 833179b49eb27c9474b5189f59ed7ecf0e6dc9ea
SHA256 a4ce52a9e0daddbbe7a539d1a7eda787494f2173ddcc92a3faf43b7cf597452b
SHA512 ae72b39cb47a859d07a1ee3e73de655678fe809c5c17ffd90797b5985924ddb47ceb5ebe896e50216fb445526c4cbb95e276e5f3810035b50e4604363eb61cd4

C:\Users\Admin\AppData\Local\Temp\_MEI20122\_socket.pyd

MD5 899380b2d48df53414b974e11bb711e3
SHA1 f1d11f7e970a7cd476e739243f8f197fcb3ad590
SHA256 b38e66e6ee413e5955ef03d619cadd40fca8be035b43093d2342b6f3739e883e
SHA512 7426ca5e7a404b9628e2966dae544f3e8310c697145567b361825dc0b5c6cd87f2caf567def8cd19e73d68643f2f38c08ff4ff0bb0a459c853f241b8fdf40024

C:\Users\Admin\AppData\Local\Temp\_MEI20122\_lzma.pyd

MD5 4e2239ece266230ecb231b306adde070
SHA1 e807a078b71c660db10a27315e761872ffd01443
SHA256 34130d8abe27586ee315262d69af4e27429b7eab1f3131ea375c2bb62cf094be
SHA512 86e6a1eab3529e600dd5caab6103e34b0f618d67322a5ecf1b80839faa028150c492a5cf865a2292cc8584fba008955da81a50b92301583424401d249c5f1401

C:\Users\Admin\AppData\Local\Temp\_MEI20122\_hashlib.pyd

MD5 f495d1897a1b52a2b15c20dcecb84b47
SHA1 8cb65590a8815bda58c86613b6386b5982d9ec3f
SHA256 e47e76d70d508b62924fe480f30e615b12fdd7745c0aac68a2cddabd07b692ae
SHA512 725d408892887bebd5bcf040a0ecc6a4e4b608815b9dea5b6f7b95c812715f82079896df33b0830c9f787ffe149b8182e529bb1f78aadd89df264cf8853ee4c4

C:\Users\Admin\AppData\Local\Temp\_MEI20122\_decimal.pyd

MD5 21c73e7e0d7dad7a1fe728e3b80ce073
SHA1 7b363af01e83c05d0ea75299b39c31d948bbfe01
SHA256 a28c543976aa4b6d37da6f94a280d72124b429f458d0d57b7dbcf71b4bea8f73
SHA512 0357102bffc2ec2bc6ff4d9956d6b8e77ed8558402609e558f1c1ebc1baca6aeaa5220a7781a69b783a54f3e76362d1f74d817e4ee22aac16c7f8c86b6122390

C:\Users\Admin\AppData\Local\Temp\_MEI20122\_bz2.pyd

MD5 c7ce973f261f698e3db148ccad057c96
SHA1 59809fd48e8597a73211c5df64c7292c5d120a10
SHA256 02d772c03704fe243c8de2672c210a5804d075c1f75e738d6130a173d08dfcde
SHA512 a924750b1825747a622eef93331fd764d824c954297e37e8dc93a450c11aa7ab3ad7c3b823b11656b86e64de3cd5d409fda15db472488dfaa4bb50341f0b29d1

C:\Users\Admin\AppData\Local\Temp\_MEI20122\VCRUNTIME140_1.dll

MD5 7e668ab8a78bd0118b94978d154c85bc
SHA1 dbac42a02a8d50639805174afd21d45f3c56e3a0
SHA256 e4b533a94e02c574780e4b333fcf0889f65ed00d39e32c0fbbda2116f185873f
SHA512 72bb41db17256141b06e2eaeb8fc65ad4abdb65e4b5f604c82b9e7e7f60050734137d602e0f853f1a38201515655b6982f2761ee0fa77c531aa58591c95f0032

C:\Users\Admin\AppData\Local\Temp\_MEI20122\python3.dll

MD5 77896345d4e1c406eeff011f7a920873
SHA1 ee8cdd531418cfd05c1a6792382d895ac347216f
SHA256 1e9224ba7190b6301ef47befa8e383d0c55700255d04a36f7dac88ea9573f2fb
SHA512 3e98b1b605d70244b42a13a219f9e124944da199a88ad4302308c801685b0c45a037a76ded319d08dbf55639591404665befe2091f0f4206a9472fee58d55c22

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\bin\Qt5Gui.dll

MD5 47307a1e2e9987ab422f09771d590ff1
SHA1 0dfc3a947e56c749a75f921f4a850a3dcbf04248
SHA256 5e7d2d41b8b92a880e83b8cc0ca173f5da61218604186196787ee1600956be1e
SHA512 21b1c133334c7ca7bbbe4f00a689c580ff80005749da1aa453cceb293f1ad99f459ca954f54e93b249d406aea038ad3d44d667899b73014f884afdbd9c461c14

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\bin\Qt5Widgets.dll

MD5 4cd1f8fdcd617932db131c3688845ea8
SHA1 b090ed884b07d2d98747141aefd25590b8b254f9
SHA256 3788c669d4b645e5a576de9fc77fca776bf516d43c89143dc2ca28291ba14358
SHA512 7d47d2661bf8fac937f0d168036652b7cfe0d749b571d9773a5446c512c58ee6bb081fec817181a90f4543ebc2367c7f8881ff7f80908aa48a7f6bb261f1d199

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\QtWidgets.pyd

MD5 9cde8433816662eaeb762c8e6fe77e6b
SHA1 d9d69268af89c4134ed94c768baedd6abbce7557
SHA256 e732f15729fa69c3067dc33abb60e241570398aa9ab3359d9ff2a9714d1a1e4c
SHA512 3f6dfc0fdc9eeb4f5d041aaf5d0420091f7230bf60796e979503d345ce9a74e0f23dd229c31207221c8509bab1edde616ff9803776708a5b4097a7338d372c54

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\bin\Qt5Core.dll

MD5 817520432a42efa345b2d97f5c24510e
SHA1 fea7b9c61569d7e76af5effd726b7ff6147961e5
SHA256 8d2ff4ce9096ddccc4f4cd62c2e41fc854cfd1b0d6e8d296645a7f5fd4ae565a
SHA512 8673b26ec5421fce8e23adf720de5690673bb4ce6116cb44ebcc61bbbef12c0ad286dfd675edbed5d8d000efd7609c81aae4533180cf4ec9cd5316e7028f7441

C:\Users\Admin\AppData\Local\Temp\_MEI20122\unicodedata.pyd

MD5 a1388676824ce6347d31d6c6a7a1d1b5
SHA1 27dd45a5c9b7e61bb894f13193212c6d5668085b
SHA256 2480a78815f619a631210e577e733c9bafecb7f608042e979423c5850ee390ff
SHA512 26ea1b33f14f08bb91027e0d35ac03f6203b4dfeee602bb592c5292ab089b27ff6922da2804a9e8a28e47d4351b32cf93445d894f00b4ad6e2d0c35c6c7f1d89

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\bin\VCRUNTIME140_1.dll

MD5 6bc084255a5e9eb8df2bcd75b4cd0777
SHA1 cf071ad4e512cd934028f005cabe06384a3954b6
SHA256 1f0f5f2ce671e0f68cf96176721df0e5e6f527c8ca9cfa98aa875b5a3816d460
SHA512 b822538494d13bda947655af791fed4daa811f20c4b63a45246c8f3befa3ec37ff1aa79246c89174fe35d76ffb636fa228afa4bda0bd6d2c41d01228b151fd89

memory/3332-165-0x00007FF815FC0000-0x00007FF8164B0000-memory.dmp

memory/3332-166-0x00007FF814DE0000-0x00007FF815321000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\QtCore.pyd

MD5 d6d51c8f5e381cbba49d54e507a41220
SHA1 86deaab67d3fc4e26bc81db89faec720a5d8a3a4
SHA256 5a2aed6f96abec6905e6a36d33bc00d2c23e13f6333ea0545a32ab57b33a7c47
SHA512 3b3b386d3d0a8865348a574740473325a1a7deac6a9b767fbca253e1de90412aa76e4e9b36d9586f3307f10ee567adb34d85bf21751e568e86ec66683131fbf0

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\QtGui.pyd

MD5 a931566050607d6a9feb94cef82672d9
SHA1 405a7e907631efef51bea7952d4d725b6402d5a2
SHA256 8c425d163b0c650cb8dc4662625de4998bed2ad9a3f2e04a8664e2e72a69f845
SHA512 263a23f1346ecf1a042f3c697c8f40aefb99e134c06ee87edeef47c170e7113327a9c51143af83e4fa1589970f22c2606bf6f4bb4ebff7be3ee3e3acfde4a258

memory/3332-174-0x00007FF814900000-0x00007FF814B65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI20122\libssl-3.dll

MD5 bfc834bb2310ddf01be9ad9cff7c2a41
SHA1 fb1d601b4fcb29ff1b13b0d2ed7119bd0472205c
SHA256 41ad1a04ca27a7959579e87fbbda87c93099616a64a0e66260c983381c5570d1
SHA512 6af473c7c0997f2847ebe7cee8ef67cd682dee41720d4f268964330b449ba71398fda8954524f9a97cc4cdf9893b8bdc7a1cf40e9e45a73f4f35a37f31c6a9c3

C:\Users\Admin\AppData\Local\Temp\_MEI20122\libcrypto-3.dll

MD5 51e8a5281c2092e45d8c97fbdbf39560
SHA1 c499c810ed83aaadce3b267807e593ec6b121211
SHA256 2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a
SHA512 98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

C:\Users\Admin\AppData\Local\Temp\_MEI20122\select.pyd

MD5 bffff83a000baf559f3eb2b599a1b7e8
SHA1 7f9238bda6d0c7cc5399c6b6ab3b42d21053f467
SHA256 bc71fbdfd1441d62dd86d33ff41b35dc3cc34875f625d885c58c8dc000064dab
SHA512 3c0ba0cf356a727066ae0d0d6523440a882aafb3ebdf70117993effd61395deebf179948f8c7f5222d59d1ed748c71d9d53782e16bd2f2eccc296f2f8b4fc948

memory/3332-171-0x00007FF814B70000-0x00007FF814DD3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\sip.cp312-win_amd64.pyd

MD5 5377602344083cca28f03caa6442c699
SHA1 9bdb21e90dfde0f92889da296c3d6c06dbf5be3e
SHA256 4e1a8a32a84dd2098eea849a804885ce7cd0fb7c6fa3513f1cb60bc4e7578171
SHA512 fdc735ffcdd929ee0a9f8436ef6ba17598c4675b83a390b5a4ab6a5b42cc95a3dad6d449e3202d7a4156c76f0deff43d46e78421d0d22e061112cee4ef6227eb

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\bin\MSVCP140_1.dll

MD5 0fe6d52eb94c848fe258dc0ec9ff4c11
SHA1 95cc74c64ab80785f3893d61a73b8a958d24da29
SHA256 446c48c1224c289bd3080087fe15d6759416d64f4136addf30086abd5415d83f
SHA512 c39a134210e314627b0f2072f4ffc9b2ce060d44d3365d11d8c1fe908b3b9403ebdd6f33e67d556bd052338d0ed3d5f16b54d628e8290fd3a155f55d36019a86

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\bin\MSVCP140.dll

MD5 01b946a2edc5cc166de018dbb754b69c
SHA1 dbe09b7b9ab2d1a61ef63395111d2eb9b04f0a46
SHA256 88f55d86b50b0a7e55e71ad2d8f7552146ba26e927230daf2e26ad3a971973c5
SHA512 65dc3f32faf30e62dfdecb72775df870af4c3a32a0bf576ed1aaae4b16ac6897b62b19e01dc2bf46f46fbe3f475c061f79cbe987eda583fee1817070779860e5

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\plugins\platforms\qwindows.dll

MD5 4931fcd0e86c4d4f83128dc74e01eaad
SHA1 ac1d0242d36896d4dda53b95812f11692e87d8df
SHA256 3333ba244c97264e3bd19db5953efa80a6e47aaced9d337ac3287ec718162b85
SHA512 0396bccda43856950afe4e7b16e0f95d4d48b87473dc90cf029e6ddfd0777e1192c307cfe424eae6fb61c1b479f0ba1ef1e4269a69c843311a37252cf817d84d

memory/3332-187-0x000001490E700000-0x000001490E710000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\plugins\platforms\qwebgl.dll

MD5 1edcb08c16d30516483a4cbb7d81e062
SHA1 4760915f1b90194760100304b8469a3b2e97e2bc
SHA256 9c3b2fa2383eeed92bb5810bdcf893ae30fa654a30b453ab2e49a95e1ccf1631
SHA512 0a923495210b2dc6eb1acedaf76d57b07d72d56108fd718bd0368d2c2e78ae7ac848b90d90c8393320a3d800a38e87796965afd84da8c1df6c6b244d533f0f39

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\plugins\platforms\qoffscreen.dll

MD5 6407499918557594916c6ab1ffef1e99
SHA1 5a57c6b3ffd51fc5688d5a28436ad2c2e70d3976
SHA256 54097626faae718a4bc8e436c85b4ded8f8fb7051b2b9563a29aee4ed5c32b7b
SHA512 8e8abb563a508e7e75241b9720a0e7ae9c1a59dd23788c74e4ed32a028721f56546792d6cca326f3d6aa0a62fdedc63bf41b8b74187215cd3b26439f40233f4d

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\plugins\platforms\qminimal.dll

MD5 2f6d88f8ec3047deaf174002228219ab
SHA1 eb7242bb0fe74ea78a17d39c76310a7cdd1603a8
SHA256 05d1e7364dd2a672df3ca44dd6fd85bed3d3dc239dcfe29bfb464f10b4daa628
SHA512 0a895ba11c81af14b5bd1a04a450d6dcca531063307c9ef076e9c47bd15f4438837c5d425caee2150f3259691f971d6ee61154748d06d29e4e77da3110053b54

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll

MD5 53a85f51054b7d58d8ad7c36975acb96
SHA1 893a757ca01472a96fb913d436aa9f8cfb2a297f
SHA256 d9b21182952682fe7ba63af1df24e23ace592c35b3f31eceef9f0eabeb5881b9
SHA512 35957964213b41f1f21b860b03458404fbf11daf03d102fbea8c2b2f249050cefbb348edc3f22d8ecc3cb8abfdc44215c2dc9da029b4f93a7f40197bd0c16960

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll

MD5 f66f6e9eda956f72e3bb113407035e61
SHA1 97328524da8e82f5f92878f1c0421b38ecec1e6c
SHA256 e23fbc1bec6ceedfa9fd305606a460d9cac5d43a66d19c0de36e27632fddd952
SHA512 7ff76e83c8d82016ab6bd349f10405f30deebe97e8347c6762eb71a40009f9a2978a0d8d0c054cf7a3d2d377563f6a21b97ddefd50a9ac932d43cc124d7c4918

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\plugins\imageformats\qico.dll

MD5 a9abd4329ca364d4f430eddcb471be59
SHA1 c00a629419509929507a05aebb706562c837e337
SHA256 1982a635db9652304131c9c6ff9a693e70241600d2ef22b354962aa37997de0b
SHA512 004ea8ae07c1a18b0b461a069409e4061d90401c8555dd23dbf164a08e96732f7126305134bfaf8b65b0406315f218e05b5f0f00bedb840fb993d648ce996756

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\plugins\imageformats\qtiff.dll

MD5 9c0acf12d3d25384868dcd81c787f382
SHA1 c6e877aba3fb3d2f21d86be300e753e23bb0b74e
SHA256 825174429ced6b3dab18115dbc6c9da07bf5248c86ec1bd5c0dcaeca93b4c22d
SHA512 45594fa3c5d7c4f26325927bb8d51b0b88e162e3f5e7b7f39a5d72437606383e9fdc8f83a77f814e45aff254914514ae52c1d840a6c7b98767f362ed3f4fc5bd

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\plugins\imageformats\qtga.dll

MD5 a913276fa25d2e6fd999940454c23093
SHA1 785b7bc7110218ec0e659c0e5ace9520aa451615
SHA256 5b641dec81aec1cf7ac0cce9fc067bb642fbd32da138a36e3bdac3bb5b36c37a
SHA512 cebe48e6e6c5cdf8fc339560751813b8de11d2471a3dab7d648df5b313d85735889d4e704e8eec0ad1084ab43be0ebdfbacd038aeac46d7a951efb3a7ce838eb

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\plugins\imageformats\qsvg.dll

MD5 c0de135782fa0235a0ea8e97898eaf2a
SHA1 fcf5fd99239bf4e0b17b128b0ebec144c7a17de2
SHA256 b3498f0a10ac4cb42cf7213db4944a34594ff36c78c50a0f249c9085d1b1ff39
SHA512 7bd5f90ccab3cf50c55eaf14f7ef21e05d3c893fa7ac9846c6ca98d6e6d177263ac5eb8a85a34501bcfca0da7f0b6c39769726f4090fca2231ee64869b81cf0b

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\plugins\imageformats\qjpeg.dll

MD5 16abcceb70ba20e73858e8f1912c05cd
SHA1 4b3a32b166ab5bbbee229790fdae9cbc84f936ba
SHA256 fb4e980cb5fafa8a4cd4239329aed93f7c32ed939c94b61fb2df657f3c6ad158
SHA512 3e5c83967bf31c9b7f1720059dd51aa4338e518b076b0461541c781b076135e9cb9cbceb13a8ec9217104517fbcc356bdd3ffaca7956d1c939e43988151f6273

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\plugins\imageformats\qicns.dll

MD5 ad84af4d585643ff94bfa6de672b3284
SHA1 5d2df51028fbeb7f6b52c02add702bc3fa781e08
SHA256 f4a229a082d16f80016f366156a2b951550f1e9df6d4177323bbedd92a429909
SHA512 b68d83a4a1928eb3390deb9340cb27b8a3eb221c2e0be86211ef318b4dd34b37531ca347c73cce79a640c5b06fbd325e10f8c37e0cee2581f22abfbff5cc0d55

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\plugins\imageformats\qgif.dll

MD5 52fd90e34fe8ded8e197b532bd622ef7
SHA1 834e280e00bae48a9e509a7dc909bea3169bdce2
SHA256 36174dd4c5f37c5f065c7a26e0ac65c4c3a41fdc0416882af856a23a5d03bb9d
SHA512 ef3fb3770808b3690c11a18316b0c1c56c80198c1b1910e8aa198df8281ba4e13dc9a6179bb93a379ad849304f6bb934f23e6bbd3d258b274cc31856de0fc12b

C:\Users\Admin\AppData\Local\Temp\_MEI20122\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll

MD5 313f89994f3fea8f67a48ee13359f4ba
SHA1 8c7d4509a0caa1164cc9415f44735b885a2f3270
SHA256 42dde60befcf1d9f96b8366a9988626b97d7d0d829ebea32f756d6ecd9ea99a8
SHA512 06e5026f5db929f242104a503f0d501a9c1dc92973dd0e91d2daf5b277d190082de8d37ace7edf643c70aa98bb3d670defe04ce89b483da4f34e629f8ed5fecf

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 07:34

Reported

2024-06-19 07:45

Platform

win10v2004-20240611-en

Max time kernel

595s

Max time network

599s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.pyc"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\UniqueStudio RCON.pyc"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4268,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1384,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

N/A