Analysis

  • max time kernel
    196s
  • max time network
    202s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    19-06-2024 09:27

General

  • Target

    mcedit2-win64-2.0.0-beta14(1).exe

  • Size

    43.3MB

  • MD5

    f135e2b7393c903acaa574b687b8883a

  • SHA1

    af02358a2f488c9e09df69722abd9afa1ac87c5a

  • SHA256

    7b481550cb6ceae28deacb4072eafb5201bb111c65a7389c4aa66495fa670b55

  • SHA512

    1fae0ba03dffd66b23a041863cf09a43828a4c690e6f4a14472d6c31a70b737e96658b6f45709711f2aafbc893ac0b21e038739ea969bbc87faed884d3d46476

  • SSDEEP

    786432:jMWoIoRBC9R0e5fvHF9TqirinntYgu/+FV1slGXwk44KAL0UEe3imc5wpGLVykBA:jxoICM0MffLTqHtfumV1slv4KU0OOOki

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 64 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mcedit2-win64-2.0.0-beta14(1).exe
    "C:\Users\Admin\AppData\Local\Temp\mcedit2-win64-2.0.0-beta14(1).exe"
    • Suspicious use of FindShellTrayWindow
    PID:3620
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:4492
  • C:\Users\Admin\AppData\Local\Temp\mcedit2-win64-2.0.0-beta14\mcedit2.exe
    "C:\Users\Admin\AppData\Local\Temp\mcedit2-win64-2.0.0-beta14\mcedit2.exe"
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:416
      • C:\Users\Admin\AppData\Local\Temp\mcedit2-win64-2.0.0-beta14\mcedit2.exe (child of PID 416)
        "C:\Users\Admin\AppData\Local\Temp\mcedit2-win64-2.0.0-beta14\mcedit2.exe"
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4588
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004BC
    • Suspicious use of AdjustPrivilegeToken
    PID:4852
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    PID:2040
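The "Detects Pyinstaller" signature, the mcedit2.exe parent/child pair (PID 416 spawning PID 4588 from the same image) and the `C:\Users\Admin\AppData\Local\Temp\_MEI4162\` directory in the dropped-file list are all the behaviour of a PyInstaller one-file bundle: the bootloader unpacks its appended archive into a `_MEI` directory whose name starts with the bootloader's PID (416 here) and then re-executes itself as a child process, which is what the "Executes dropped EXE" and "Loads dropped DLL" hits on those two PIDs record. Detection of such a bundle rests on the archive trailer ("cookie") PyInstaller appends after the PE image. The following is an added example, not code from the report or from the MCEdit project: it locates the cookie by its 8-byte magic, decodes the 88-byte layout used since PyInstaller 2.1, and walks the table of contents. The Python-version decoding rule (major*10+minor for older bootloaders, major*100+minor from PyInstaller 4 on) and the 16-byte padding of TOC entries are assumptions about PyInstaller's format; `build_test_archive` produces a constructed stand-in archive, not the sample above, so the script runs offline.

```python
"""Locate and decode the trailer ("cookie") and table of contents of a PyInstaller one-file archive."""
import struct
from typing import List, NamedTuple, Optional

# The CArchive cookie is the last thing in the overlay appended to the bootloader EXE,
# which is why "Detects Pyinstaller" style rules only need to look for this 8-byte magic.
PYINST_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIII64s"   # magic, package length, TOC offset, TOC length, Python version, Python DLL name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)            # 88 bytes (PyInstaller 2.1 and later layout)
TOC_ENTRY_FMT = "!iIIIBc"   # entry length, data offset, compressed length, uncompressed length, compressed flag, type code
TOC_ENTRY_LEN = struct.calcsize(TOC_ENTRY_FMT)      # 18 bytes, followed by the NUL-padded entry name


class TocEntry(NamedTuple):
    name: str
    offset: int              # relative to the package start
    compressed_len: int
    uncompressed_len: int
    compressed: bool
    type_code: str           # 'b' binary/DLL, 'z' PYZ archive, 's' script, 'x' data, 'M'/'m' module


class PyInstallerInfo(NamedTuple):
    package_start: int       # file offset where the appended package begins
    python_version: str
    python_lib: str          # e.g. "python27.dll", matching the dropped python27.dll in this report
    entries: List[TocEntry]


def decode_python_version(pyvers: int) -> str:
    """Older bootloaders store major*10+minor (27 -> 2.7); PyInstaller 4+ stores major*100+minor (310 -> 3.10)."""
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return f"{major}.{minor}"


def parse_pyinstaller(data: bytes) -> Optional[PyInstallerInfo]:
    """Return archive metadata if `data` (a whole file image) ends in a PyInstaller cookie, else None."""
    pos = data.rfind(PYINST_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    # The package length counts the cookie itself, so walking back from the cookie's end finds the package start.
    package_start = pos + COOKIE_LEN - pkg_len
    if package_start < 0 or toc_off + toc_len > pkg_len:
        return None   # truncated or corrupt trailer: refuse rather than read out of bounds
    toc = data[package_start + toc_off : package_start + toc_off + toc_len]
    entries: List[TocEntry] = []
    ptr = 0
    while ptr + TOC_ENTRY_LEN <= len(toc):
        entry_len, off, clen, ulen, cflag, typ = struct.unpack_from(TOC_ENTRY_FMT, toc, ptr)
        if entry_len < TOC_ENTRY_LEN or ptr + entry_len > len(toc):
            break     # malformed entry length: stop instead of looping forever on hostile input
        name = toc[ptr + TOC_ENTRY_LEN : ptr + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append(TocEntry(name, off, clen, ulen, bool(cflag), typ.decode("latin-1")))
        ptr += entry_len
    return PyInstallerInfo(package_start, decode_python_version(pyvers),
                           pylib.rstrip(b"\0").decode("latin-1"), entries)


def build_test_archive(pyvers: int = 27, pylib: bytes = b"python27.dll") -> bytes:
    """Constructed stand-in (not the sample from the report): a fake stub plus a two-entry PyInstaller package."""
    stub = b"MZ" + b"\0" * 62 + b"fake bootloader"          # placeholder for the real PE bootloader
    items = [(b"pyiboot01_bootstrap", b"print('hi')", b"s"), (b"PYZ-00.pyz", b"\0" * 40, b"z")]
    payload, toc = b"", b""
    for name, blob, typ in items:
        nm = name + b"\0"
        nm += b"\0" * ((-(TOC_ENTRY_LEN + len(nm))) % 16)    # PyInstaller pads each entry to 16 bytes
        toc += struct.pack(TOC_ENTRY_FMT, TOC_ENTRY_LEN + len(nm), len(payload), len(blob), len(blob), 0, typ) + nm
        payload += blob
    pkg_len = len(payload) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len, len(payload), len(toc), pyvers, pylib)
    return stub + payload + toc + cookie


if __name__ == "__main__":
    info = parse_pyinstaller(build_test_archive())
    print(f"Python {info.python_version} ({info.python_lib}), package at 0x{info.package_start:x}")
    for e in info.entries:
        print(f"  {e.type_code} {e.name:<24} {e.uncompressed_len:>8} bytes")
```

Run `parse_pyinstaller(open(path, "rb").read())` on a real bundle to get the embedded interpreter version and DLL name without executing the sample; a bundle that re-executes itself from `_MEI` is expected for any PyInstaller program, so the tree shape alone does not separate a packed legitimate tool from packed malware, and the TOC entry names and the unpacked `.pyd`/`.dll` hashes above are the better pivot.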

Network

MITRE ATT&CK Enterprise v15


Downloads

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\PySide.QtCore.pyd

        Filesize

        2.2MB

        MD5

        2f08ac1fa08d6da312623e73038109f1

        SHA1

        1c4b9966630cbc930d16b6cf32ecbe6414482edf

        SHA256

        b9604c9420ea5beec738de7e8530b29d1812bc4797de8fe550a23c3faae60bea

        SHA512

        c5888843b0aa816f7d062005415ea6f661d32876ae315fd6f0f26d6bf5fd5e2388bfd215ce059f621fa5c84cdd6506e1441cfc0d39d2dfbf1a22f13a2f50730b

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\PySide.QtGui.pyd

        Filesize

        8.3MB

        MD5

        fefb9d77bf8b8a7bb5b1ef7110ad5ee2

        SHA1

        5b1c4531de46fa7e12f90f5997c9d150c32b6d39

        SHA256

        af3b5186892af4df059748d98c01674b4253a733439b4ff6865cb3d39df4ab93

        SHA512

        968d8373a26ae3f55cefb377eab593f3a0fe4f652c463ef927bfb9e8cc84e194ddeb7d40f3017681863c1aac667f677156692e5dc8c33931e72cbdf53631a254

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\QtCore4.dll

        Filesize

        3.1MB

        MD5

        b6bfa23296560f3a47734ded06e061f2

        SHA1

        21dd7dc422656a0e600cbd164af8b6750d0b5648

        SHA256

        1c2bc1e054c3c519403c053aa7ca30089f4b9417d213ad778ee3f3646d943fdf

        SHA512

        12b08d116bedc720a748fa72f0096990722bd79fa4eb1bdae48b455c23f7c04e0505197288c02e44fce77675df5a543bb61bf2e9a0dfa23b487b1eaa2cb9b6cf

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\QtGui4.dll

        Filesize

        10.4MB

        MD5

        616a06e8582339e0109e307a9ea058d1

        SHA1

        021ef6977583c23eaa5decdc170865996cf2c1b0

        SHA256

        7b2024c68f86b128a82c1f68a4fda449da6b6f39bb95834f0de8510ee86a5aef

        SHA512

        3fd4fedee4b4b07b46bc212c6117647a3e8e5f4f4b8b60a141de6614f67976c1575ae517e6948b4bab982285bb0fa55672ad334861664cc8a3604c82d8d20b16

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\_ctypes.pyd

        Filesize

        119KB

        MD5

        43d728dca22fa15a90426900eb6a11d2

        SHA1

        888bdb94315383cee0727d2cd60f0baa0bb2dd98

        SHA256

        510e917666061200868396f69c26c508fd07c44ee48a94d310c59e69b3804cff

        SHA512

        c54b118d3ff7f7134879a3b542c6587af27282affdffd8189d01428ad1040b3cc03587b170355111eca0cbab100ce0f0eb634ef2e3928fb119007ff14551ae4f

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\_hashlib.pyd

        Filesize

        1.6MB

        MD5

        d256d9116eaede4dbf39a90cc90d594b

        SHA1

        9e52edf54d10eb722b3cce72cb1e5fba8468e16c

        SHA256

        456376da077b6abf0a7533607ef31b658d02afff2f7bcc25a3e454966b6ffa51

        SHA512

        d2e501353516409b8ef88b1ae9812c74977a4acf2f739c62c7622c8adc2c48d1672194b3d5891dab902d4133b7b7bd172ceeba5e13fe6abaab9072b512cbbedc

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\_multiprocessing.pyd

        Filesize

        34KB

        MD5

        d945e0fe5638a5955189ecf8ad156f29

        SHA1

        996f2fac787a8fe6a24a812e724c5badc7d15154

        SHA256

        2ac1673c1d14d02dea009686f93df075c701a14e693af2c7dc9bf69bfb128668

        SHA512

        57dc1f3e51c98a018dfaad227c74b8a3a7c6b2685ac8eb3b1e7fce7c0b57028e710f49f31856859899d408958811ff2be72d37d4f83af60b15991a8749bf654b

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\_socket.pyd

        Filesize

        49KB

        MD5

        a4d40e5cd4a75c68d460773fb0625be2

        SHA1

        60456c263f350a9b23fd8a54c3ea36595dfec0e1

        SHA256

        898936f85d2dc26575856a3ef8fefc2b30c733e858b6595adf10ef232928e189

        SHA512

        bdc53264a6659e1185a05dc3f94277a4e05288313fa6ade11015a538176782c3f692a57c27d7c4b15c839351bfacd63dd869d1374a010cf1f25877b6c2f2f89d

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\_ssl.pyd

        Filesize

        2.0MB

        MD5

        b3483d38078d934ec4662ec8c52cf5cf

        SHA1

        e80f8b01eed86882d3ec333c3a6521ae73ec7561

        SHA256

        f013395e9bff0d2bb7a2687c5748184139f77f61de9d285c5e7b267ddef0da7d

        SHA512

        2d8ad8a04f379204adb7d2488f11d3bbf4cdbc5bb85390f00d3b1995213f076194b262c85582d1b73a7deb6cbf36008dbb70097b67ef0144ddd807d8b6087d55

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\bz2.pyd

        Filesize

        90KB

        MD5

        e139c613c4aab0de3dfabe287e1dda29

        SHA1

        ae4ecc55bd82d5c9cb54ee1510e5d83d3c0aa2fb

        SHA256

        d09a7a68c62a54548a19582b956b332ea3de431156125eaa8e7476c8ec16c002

        SHA512

        35314235e118e620b335c30165056dd2a0ecbe07f1e37b3215a424d10cfc4dd866976b64bc4d155c18e73eaf9bae10d77c289c5afc08ab2076c9c5afefaedd02

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\libopenblas.CSRRD7HKRKC3T3YXA7VY7TAZGLSWDKW6.gfortran-win_amd64.dll

        Filesize

        41.2MB

        MD5

        efef1d95ad279d471ee051ce7eb43e80

        SHA1

        f6497d64abde7555905620fe9044cf9dbf84e915

        SHA256

        a51f7a4df02e3a6ca0d0d552def8150da53bc7edd70c53f6702ebb6557c3fc60

        SHA512

        51bf7155c778edda698d0fa7a9f403381db5fe6b2d77cb283fad5ed478985291ad352e2acbd65cb94eaec0136ed03033e50d6b56b3d6e341eeedd3886a9517f4

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\mcedit2.exe.manifest

        Filesize

        1015B

        MD5

        05f84418fa1c7ea4e98d3b37addd9f25

        SHA1

        bb70cc427d702a83302befd9d121b8837e271d26

        SHA256

        54e610cea1007ffc9083fee27b042f226e8fb7403a613e07c1661bcaba12415e

        SHA512

        8444e6dbc37eb0a737188a72612342e034ed7ab54b753942a7b665ddf2c069f3c25125eb79557e89e05db3418acfc6fa97a44cb333cf1db00086f2491de3d84e

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\mcedit2\rendering\minecraft_hiddenstates_raw.json

        Filesize

        1.5MB

        MD5

        697f8d27d757a28d3282ffb46a9b0f5a

        SHA1

        d698f7effc84b42d512a4ec5a5cc49b39d9684b8

        SHA256

        b5bf77984412aa1b9475bbe0f5c02800e27a9320785d303fdd6b49011aa4a4e2

        SHA512

        3f35315584165611bd050c386dec0a5df19d9d873e46be13f730f4dc83ab8f2a2422188a71062435b53797b729f5716aeda80e53ada2d64bf2fa57f6907c8dbb

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\mceditlib\blocktypes\idmapping_raw_1_12.json

        Filesize

        101KB

        MD5

        7838d885003a07016a8d817b89e5e367

        SHA1

        1c17b51a86dc274c4d2473a7dd5695a2196539c9

        SHA256

        dc1294304ef29c86d0400ad5d64fc005eb6c6c97bb9ff18e1d681d3f6207477d

        SHA512

        222a52c8a5fc1b94d6f034464d337a8fd2ca77a68c8cdc5a14e0b880f2088c2f5eafb05e532152f82ce8e803de1fddcc5e4541db71fb1b5c45e1ecc6d77eb159

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\numpy.core._multiarray_tests.pyd

        Filesize

        118KB

        MD5

        76fc713cd91f39e20b17075f974dbe76

        SHA1

        80ffbcae02d8ba641a66307a5c1a62e40af50923

        SHA256

        d9014a794b543768de15f90cabd0059f1b2e179f6bc75ec7abb650904c0bf587

        SHA512

        f25639813bd6198195ff19f93fb4fa93e6aa8368a20d9d9bfd69c2e981dfb9edb427aabb8d54f9ce73f57598ebea8bbfb9a452517b6f8cbd2c73d18f0c3ca10e

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\numpy.core.multiarray.pyd

        Filesize

        1.5MB

        MD5

        742f5be2846aa4155298b9f3928a72e1

        SHA1

        b3a204455aea9436fb316c452f2017465e34b4af

        SHA256

        da27e624710efeaaa4741ccf18241340270b22157b639b20166ee415572e28b1

        SHA512

        67f1b37f4bad7b4328d4183f91b0ac71fec53a89959c0a9d4ed7d7dce1991b65edf2cab0ca4057db5bcd80b9d02a302db11f9479b9d6f6d8637851624b58d4e8

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\numpy.core.umath.pyd

        Filesize

        840KB

        MD5

        2f1a24f1c663c35127e7006d694cc4a7

        SHA1

        9cfd8f66d923be755510619a42a92df9c6c0cae7

        SHA256

        b0d82c68a339b4c28b5507322bdc69fee5e3bf94003db6b1101a94b7389c2eb0

        SHA512

        23ca55d5c55fa93d309d3b5c83ac011258ab148b3b51c2ddaebf4e68e01c1c0dc775d1893bbe6028c2d5846cb7680e027624271ac879442896e1a8d4b1139242

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\numpy.fft.fftpack_lite.pyd

        Filesize

        66KB

        MD5

        67b8f04c21935c9af4bb503f6fa5f10e

        SHA1

        12fc4a3897cecb7c033aa8903f782d843c3c909f

        SHA256

        07741bb530232ef8afc4f60c4944f3fc995122c9dafe67f7f1ee7b817adc1526

        SHA512

        cc2bbfd98b379a7c013a8cc150b535817df48ab554f570c88cbc14ec4dc02fa65f5c53ac0d2889e1be80e8f5980c1125a6445876c74458d260a6050b661633eb

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\numpy.linalg._umath_linalg.pyd

        Filesize

        138KB

        MD5

        c31700b10f62ee143ea02e91a65b17d6

        SHA1

        06bc54ed8c0a0588cc7a9d65cbe70033c2fc3c5b

        SHA256

        16f428236c85815ff11a4748f5c89aa4652be2fd40e08cff396a7414135098f1

        SHA512

        681c078ae33fbdc16e7a39acd30404b0c29c9a0d829bcf274a8a32f8994a2f8aae3257bc7a94ddbe9c80877d6c6ff26edfc8d2f35f8819ba625df0cdb44b6cac

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\numpy.linalg.lapack_lite.pyd

        Filesize

        23KB

        MD5

        0e5e761c10e4b95c1c222c38e174863d

        SHA1

        8445b540af9e8177e6146c37c215b0e8c47168d2

        SHA256

        6f677d5c3eaa28b92b5e560ab1dcce1154ed3b89a82474c15967347c997a077d

        SHA512

        06416851d16f8e75f8e9c1db3f2e38f5fd23735afc4f132f6ff5cd5d765d2c9c5d224a451c7ff69bdebda9cfdb53a7e8cb489582be06407838ee3d05e9819de2

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\numpy.random.mtrand.pyd

        Filesize

        699KB

        MD5

        b61619ae88efcd7f9646d43696ee9830

        SHA1

        aedd5879f1f13e1684f886a4ff4dc427c2974694

        SHA256

        ea497e0ff6dbb8a6ff3f6ce8b33b8246096f9def67bb455aa449b93b5b7ef88d

        SHA512

        7bf1e5898f358795d47ca9c4047fcc8f5f20fec8caffac913589c198a37521726a01011fac6a9ba943ab52b7a87fb0b3f547b3949fe117e8e3971a6c09a8579d

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\pyside-python2.7.dll

        Filesize

        138KB

        MD5

        9e1b5a74f597e92ff8f8a12847a98dba

        SHA1

        dbb3051169f59f351ed77e4632817a75a40be662

        SHA256

        9e45e2190b7068dbbd93e838d636335f2435aad297112bb7282565b16af009ec

        SHA512

        2f81d09e937cbee65ac8ed5da4b10d1ab97f463963232af1a6b57404dd8f8209d4858d770d9b2439599e0ce3051c575e0821d6833d47f77d88640c13fe9e5410

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\python27.dll

        Filesize

        3.3MB

        MD5

        cdd62ebf980af1672d588873cdbda7f9

        SHA1

        9dba63cb6e40cea976e11b5c048c1ca80417b66b

        SHA256

        e87c5b9eaabb9958f24c447da366dfe735f301d20f00cd4899e6378913a45ad1

        SHA512

        f5d81c50655e2715f8fcbb0a4879dd30bd6b2bccd633430ec438ce4db2ad3a836d0cb5026eb74ee6cc32bb17efb5df77ff93102a40f22691cb2c8cdbabe95e7e

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\pythoncom27.dll

        Filesize

        536KB

        MD5

        b1a7a42894c19ec23356fafdcb65eefc

        SHA1

        07b4f30416cb5b9a81d8d8d31d2cb8f9b54f4bc3

        SHA256

        5bdb4d4cc70cc763069f3afea5f1c75d1533e36100617ac443df598427150a49

        SHA512

        4b463a71637d2119ae5e65847f0d1254d7952d9f380ea92d9021d1b6ccad25b3da343f5b70861d4d9939cc6c5550816a24ef2f26d05676b9994523d766a407ff

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\pywintypes27.dll

        Filesize

        135KB

        MD5

        34819ac261da8420f0030f1b7280dfc2

        SHA1

        bdf8c5f2329723173b014909b47247ef35157d45

        SHA256

        f4c9eb864295ff8702e423fec66676ed0e81c1e14f37f26ea8b0790fb2be45f2

        SHA512

        8c8f4b4494a7356645250fd135f13a83b40edade4f6355c00678563a5827cf6307445eb36aff67b73107a6e3325424b5a73b5708a1bdd03fdbbd2d28b31b01a6

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\select.pyd

        Filesize

        11KB

        MD5

        cb188090ab2fa92cba084d7a5a2207a6

        SHA1

        f52d7cca91b126ca50d4b970f2bf32bdf107e959

        SHA256

        a39444e2873b2730caecbbbb19c83f748c6292d367c6b61ab58b3476d5c5877c

        SHA512

        a1ec59b486ecf6c211a6d1811a24e62d4bfaf58825f3794319f42f1c3c43ae389fce24fae601825706a98d49ecfdfa15c4892b7e9fa442357fa3595061461907

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\shiboken-python2.7.dll

        Filesize

        149KB

        MD5

        7a0a0bd238f0db6b93bdab03df47ab09

        SHA1

        cdd817262cefeea6f16382268e49d3c1a3f28a80

        SHA256

        e2729282aa38b540a2c5667e83574620188b1df4a2b27de27350556bdd2b0d04

        SHA512

        741a7f53c2986d54aca38dadc74cec50a6c85926d15dddee49628e610747543015fed6f3eada6b0756fc5ee366c8e038eeb3007c0d6284edfbc1ca818af48ce2

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\unicodedata.pyd

        Filesize

        676KB

        MD5

        7aff74ee0bc42f0862e1d58d8147c081

        SHA1

        8cfe4fbcb9c35828e8ad611dc680bf1fe383f99a

        SHA256

        7a0e39ef1bd3991cb18374c69c47b24a0e4b25cded4727e50ce645f5e751a213

        SHA512

        60e50c66a1bca1ad0f12c38d4d6ca9181acb26f67e1a1d439dc597c019df808d3cc89e3739b67827162890a9f4d8344dcfb8516d0cc6ad9e55a0e53f08871e41

      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\win32api.pyd

        Filesize

        127KB

        MD5

        3545b238993f7aefa80b7878999fa76b

        SHA1

        fafca47b22a0b4595952af0c783670334c9d5ead

        SHA256

        b34ae3cd825301c0e6278657ecf40da47260ade5ac408bab5ac6e5e28aaa1951

        SHA512

        103fcfd068b9aaa1ba21b78feac58d78d679b5c3c0fd9388f57ce3b5f1f9dc5c63f6c4524dbe6d9fbc6516591b88e1908ae164472782adbf5847a0cc4480fe55

      • C:\Users\Admin\AppData\Local\Temp\mcedit2-win64-2.0.0-beta14\mcedit2.exe

        Filesize

        43.1MB

        MD5

        d88fb7bf9f3b9267a03e69848a6aaf95

        SHA1

        d288e1689cc9294f6791f35792dcdaacb6107a30

        SHA256

        2ff35487800697e6a61cbd58e1f70097c39f0cd53104a086674cf78fdc7a0361

        SHA512

        aaa5bd52341c3f554bb7aa88a4fe91810f30b17510c6e4b79ed351ed3e859f8bbe708a62bbbbb08a9ee7cfa03205a3173125c2ab3743532058701438387ad6e5

      • memory/4588-331-0x000001F63A930000-0x000001F63A990000-memory.dmp

        Filesize

        384KB

      • memory/4588-294-0x000001F629760000-0x000001F629786000-memory.dmp

        Filesize

        152KB

      • memory/4588-337-0x000001F63DC80000-0x000001F63DCF0000-memory.dmp

        Filesize

        448KB

      • memory/4588-330-0x000001F63A8F0000-0x000001F63A930000-memory.dmp

        Filesize

        256KB

      • memory/4588-295-0x0000000180000000-0x0000000180237000-memory.dmp

        Filesize

        2.2MB

      • memory/4588-315-0x000001F62B630000-0x000001F62B707000-memory.dmp

        Filesize

        860KB

      • memory/4588-333-0x000001F63DB80000-0x000001F63DBBA000-memory.dmp

        Filesize

        232KB

      • memory/4588-338-0x000001F63DCF0000-0x000001F63DD59000-memory.dmp

        Filesize

        420KB

      • memory/4588-336-0x000001F63DC50000-0x000001F63DC79000-memory.dmp

        Filesize

        164KB

      • memory/4588-292-0x000001F629730000-0x000001F629759000-memory.dmp

        Filesize

        164KB

      • memory/4588-332-0x000001F63C990000-0x000001F63C9CC000-memory.dmp

        Filesize

        240KB

      • memory/4588-329-0x000001F639770000-0x000001F639822000-memory.dmp

        Filesize

        712KB

      • memory/4588-305-0x000001F62A770000-0x000001F62AFC9000-memory.dmp

        Filesize

        8.3MB

      • memory/4588-309-0x000001F62B480000-0x000001F62B62B000-memory.dmp

        Filesize

        1.7MB

      • memory/4588-340-0x0000000066800000-0x0000000068CAF000-memory.dmp

        Filesize

        36.7MB
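To confirm that a locally obtained copy of a dropped file is the one this report describes, the flattened listing above can be parsed back into records and compared with the files' digests. The following is an added example, not part of the report or of the MCEdit project: the embedded excerpt copies two entries from the listing above (SHA512 lines left out), and the local files it checks are constructed stand-ins whose contents are invented for the demonstration, so the real PySide.QtCore.pyd record is expected to come back as a mismatch. SHA-256 is used as the identity check; MD5 and SHA-1 are kept only because other sources still index by them.

```python
"""Parse the flattened 'Downloads' listing of the report and verify local copies of the dropped files against it."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt copied from the report above (SHA512 lines omitted for brevity). The format is one '•' line with the
# path, then, for each of Filesize/MD5/SHA1/SHA256(/SHA512), a label line, a blank line and the value.
SAMPLE_REPORT = r"""
      • C:\Users\Admin\AppData\Local\Temp\_MEI4162\PySide.QtCore.pyd

        Filesize

        2.2MB

        MD5

        2f08ac1fa08d6da312623e73038109f1

        SHA1

        1c4b9966630cbc930d16b6cf32ecbe6414482edf

        SHA256

        b9604c9420ea5beec738de7e8530b29d1812bc4797de8fe550a23c3faae60bea

      • memory/4588-295-0x0000000180000000-0x0000000180237000-memory.dmp

        Filesize

        2.2MB
"""

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
ALGOS = ("md5", "sha1", "sha256", "sha512")


@dataclass
class DroppedFile:
    path: str
    size: str = ""
    hashes: Dict[str, str] = field(default_factory=dict)   # algorithm -> lowercase hex digest


def parse_downloads(text: str) -> List[DroppedFile]:
    """Turn the label/value listing into records; memory dumps end up with a size and no hashes."""
    records: List[DroppedFile] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            records.append(DroppedFile(line.lstrip("• ")))
            pending = None
        elif line in LABELS:
            pending = line
        elif pending and records:
            if pending == "Filesize":
                records[-1].size = line
            else:
                records[-1].hashes[pending.lower()] = line.lower()
            pending = None
    return records


def hash_file(path: str) -> Dict[str, str]:
    """Stream the file once and compute every digest the report uses."""
    digests = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def verify_against_report(records: List[DroppedFile], local_dir: str) -> Dict[str, str]:
    """Map each reported path to 'match', 'MISMATCH', 'missing' or 'no-hash'; local files are found by basename."""
    results: Dict[str, str] = {}
    for rec in records:
        if "sha256" not in rec.hashes:
            results[rec.path] = "no-hash"           # memory dumps are listed with a size only
            continue
        local = os.path.join(local_dir, rec.path.replace("\\", "/").rsplit("/", 1)[-1])
        if not os.path.isfile(local):
            results[rec.path] = "missing"
            continue
        # SHA-256 decides identity; MD5 and SHA-1 are collision-prone and only kept for lookups elsewhere.
        results[rec.path] = "match" if hash_file(local)["sha256"] == rec.hashes["sha256"] else "MISMATCH"
    return results


def run_demo() -> Dict[str, str]:
    """Parse the excerpt, then verify it against a constructed directory (file contents invented for the demo)."""
    records = parse_downloads(SAMPLE_REPORT)
    with tempfile.TemporaryDirectory() as tmp:
        # A stand-in PySide.QtCore.pyd with made-up content: it must be reported as MISMATCH.
        with open(os.path.join(tmp, "PySide.QtCore.pyd"), "wb") as fh:
            fh.write(b"not the real module\n")
        # A constructed file whose record is built from its own digest: it must be reported as a match.
        constructed = os.path.join(tmp, "constructed.bin")
        with open(constructed, "wb") as fh:
            fh.write(b"constructed sample content\n")
        records.append(DroppedFile(r"C:\Users\Admin\AppData\Local\Temp\constructed.bin", "27B", hash_file(constructed)))
        return verify_against_report(records, tmp)


if __name__ == "__main__":
    for path, status in run_demo().items():
        print(f"{status:<8} {path}")
```

Point `verify_against_report` at the directory holding the unpacked `_MEI4162` contents (or at the extracted mcedit2.exe) to confirm the files on hand are the ones the report hashed before drawing any conclusion from the signatures above.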