Malware Analysis Report

2024-11-30 13:05

Sample ID 240620-cflxdasfkb
Target StarOptimizer1.2.exe
SHA256 f34d1e06fe517a516581cf1569849cb4b4c98e156ed9a82c200e671dfb960a63
Tags
pyinstaller
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f34d1e06fe517a516581cf1569849cb4b4c98e156ed9a82c200e671dfb960a63

Threat Level: Shows suspicious behavior

The file StarOptimizer1.2.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 02:01

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 02:01

Reported

2024-06-20 02:03

Platform

win7-20240419-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe

"C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe"

C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe

"C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI15762\python39.dll

MD5 2135da9f78a8ef80850fa582df2c7239
SHA1 aac6ad3054de6566851cae75215bdeda607821c4
SHA256 324963a39b8fd045ff634bb3271508dab5098b4d99e85e7648d0b47c32dc85c3
SHA512 423b03990d6aa9375ce10e6b62ffdb7e1e2f20a62d248aac822eb9d973ae2bf35deddd2550a4a0e17c51ad9f1e4f86443ca8f94050e0986daa345d30181a2369

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 02:01

Reported

2024-06-20 02:03

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe

"C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe"

C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe

"C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "pip install colorama"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "pip install psutil"

Network

Country Destination Domain Proto
US 23.53.113.159:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI22802\python39.dll

MD5 2135da9f78a8ef80850fa582df2c7239
SHA1 aac6ad3054de6566851cae75215bdeda607821c4
SHA256 324963a39b8fd045ff634bb3271508dab5098b4d99e85e7648d0b47c32dc85c3
SHA512 423b03990d6aa9375ce10e6b62ffdb7e1e2f20a62d248aac822eb9d973ae2bf35deddd2550a4a0e17c51ad9f1e4f86443ca8f94050e0986daa345d30181a2369

C:\Users\Admin\AppData\Local\Temp\_MEI22802\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

C:\Users\Admin\AppData\Local\Temp\_MEI22802\base_library.zip

MD5 136ed5b9ea66abf60efa4e7040c601a4
SHA1 bc34be582b0d93e0d09f24a3d1ca476d68d63b56
SHA256 1d65a1aa5567fed89c66fd813a5136b47e706e8d7f95d7d8eef656013ddd23a4
SHA512 c00d7b22317b870211a333e0cb4bc4e2ba39aa1b9b08a83b20d978ba8f65ca04629b2d96fb943a906561a684f68bfa613110e234478f9dabad6f15c3a56ba89f

C:\Users\Admin\AppData\Local\Temp\_MEI22802\_ctypes.pyd

MD5 a1e9b3cc6b942251568e59fd3c342205
SHA1 3c5aaa6d011b04250f16986b3422f87a60326834
SHA256 a8703f949c9520b76cb1875d1176a23a2b3ef1d652d6dfac6e1de46dc08b2aa3
SHA512 2015b2ae1b17afc0f28c4af9cedf7d0b6219c4c257dd0c89328e5bd3eee35e2df63ef4fccb3ee38e7e65f01233d7b97fc363c0eae0cfa7754612c80564360d6f

C:\Users\Admin\AppData\Local\Temp\_MEI22802\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI22802\_bz2.pyd

MD5 b024a6f227eafa8d43edfc1a560fe651
SHA1 92451be6a2a6bfc4a8de8ad3559ba4a25d409f2e
SHA256 c0dd9496b19ba9536a78a43a97704e7d4bef3c901d196ed385e771366682819d
SHA512 b9edb6d0f1472dd01969e6f160b41c1e7e935d4eebcaf08554195eb85d91c19ff1bfbc150773f197462e582c6d31f12bd0304f636eb4f189ed3ed976824b283e

C:\Users\Admin\AppData\Local\Temp\_MEI22802\_lzma.pyd

MD5 77b78b43d58fe7ce9eb2fbb1420889fa
SHA1 de55ce88854e314697fa54703a2cd6cc970f3111
SHA256 6e571d93ce55d09583ec91c607883a43c1da3d4d36794d68c6ecd6bea4ab466a
SHA512 7b03b7d3f2fd9b51391de08e69ca9156a0232b56f210878a488b9d5a19492ab5880f45d9407331360fbe543a52c03d68f68da4387bf6a13b20ec903a7b081846

C:\Users\Admin\AppData\Local\Temp\_MEI22802\libcrypto-1_1.dll

MD5 ab01c808bed8164133e5279595437d3d
SHA1 0f512756a8db22576ec2e20cf0cafec7786fb12b
SHA256 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55
SHA512 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

C:\Users\Admin\AppData\Local\Temp\_MEI22802\_uuid.pyd

MD5 d7074a9d35ed4ff90b93660ed4f1ba75
SHA1 418f4e62c61b30aece854551a5b629d23eaad010
SHA256 c4ce019fbd541918d3e7ddf7845bf0449068fc7eee3b57da730860fc7741d561
SHA512 6cf06012683aa4fbd85341e496434add21eaa6c72b8100a4ea2539702062860f97ab8b324064ad0689faa81762f4961d956047130d8a14a543ccf0c57a05173c

C:\Users\Admin\AppData\Local\Temp\_MEI22802\_tkinter.pyd

MD5 77cf63868cae43963b69b4561114cd19
SHA1 6975afa15fde28279ede93c78d78847ed58d6221
SHA256 313fb33e72028fcc893ec7874e0c825c035cdcebe1b5b7c7d8d11ef3ad1b354f
SHA512 fcf92377b07a2979b87cce7f545dd5f34df8739e2634d889077a10bb4441853b24a9427fa92ed5cb4694e71ef6421f89e1106bd689f94d11d839e29f576af514

C:\Users\Admin\AppData\Local\Temp\_MEI22802\pyexpat.pyd

MD5 3ee5ec36b631c2352cd8bd2e4b58b37f
SHA1 d6ddab5eb14226fea6e5212382b5dd39aa50df97
SHA256 f32af8a21c016702647a83661eb4460bac7c791754cb1faaf1c4d096a94cd7cb
SHA512 873f72bc481bf6c55cdd00e97ea0e5946f466790f3319374b1c15772d4abdc7f394defd2cb130323fff2169380b0cda7319bb2b19f87ed5dfa479635f4b21317

C:\Users\Admin\AppData\Local\Temp\_MEI22802\_socket.pyd

MD5 cd56f508e7c305d4bfdeb820ecf3a323
SHA1 711c499bcf780611a815afa7374358bbfd22fcc9
SHA256 9e97b782b55400e5a914171817714bbbc713c0a396e30496c645fc82835e4b34
SHA512 e937c322c78e40947c70413404beba52d3425945b75255590dedf84ee429f685e0e5bc86ad468044925fbc59cf7ec8698a5472dd4f05b4363da30de04f9609a5

C:\Users\Admin\AppData\Local\Temp\_MEI22802\pywin32_system32\pywintypes39.dll

MD5 f20fd2e2ac9058a9fd227172f8ff2c12
SHA1 89eba891352be46581b94a17db7c2ede9a39ab01
SHA256 20bde8e50e42f7aabf59106eea238fcc0dece0c6e362c0a7feeb004ab981db8a
SHA512 42a86fa192aea7adb4283dc48a323a4f687dad40060ea3ffddcd8fd7670bb535d31a7764706e5c5473da28399fec048ae714a111ee238bb25e1aad03e12078d4

C:\Users\Admin\AppData\Local\Temp\_MEI22802\pywin32_system32\pythoncom39.dll

MD5 8d4cd39cf6b1e5d3743ac1bcdcab4f12
SHA1 2ecfd93164920a60c273b1d000df14351816dbd7
SHA256 0789f9321abfa3a6403a483cb3ba684da5cfc39d26195fce8669a77c6367c413
SHA512 7734d61b7b2c5f829d05488b26d958b85d0cf87776b91e8a63b58debf5d32db42bc2d203cc5a27ab426672c282bf95b41b8429ee3ea1f0e0d9ca55f9f68e77bd

C:\Users\Admin\AppData\Local\Temp\_MEI22802\win32\win32api.pyd

MD5 05e4b3b876e5fa6a2b8951f764559623
SHA1 4ad50f70eef4feaa9d051c2f161fbac8a862a4bc
SHA256 a52f8bd28b5b9558cde10333ce452a7d6f338ce1005a2b8451755005868e4a98
SHA512 5648306af7c056c9250731b7d5a508664294bbb8ba865f9dc06fd7216adf7b8cc31b1cfbc0175c7f2752680744f6546a1959e7f7d1ec7a8a845f75642ce034d9

C:\Users\Admin\AppData\Local\Temp\_MEI22802\_hashlib.pyd

MD5 69dc506cf2fa3da9d0caba05fca6a35d
SHA1 33b24abb7b1d68d3b0315be7f8f49de50c9bdcb6
SHA256 c5b8c4582e201fef2d8cb2c8672d07b86dec31afb4a17b758dbfb2cff163b12f
SHA512 0009ec88134e25325a47b8b358da0fed8bb34fe80602e08a60686f6029b80f4287d33adb66ef41435d11d6edff86a88916f776eeaf2d1cb72035783f109ca1ff

C:\Users\Admin\AppData\Local\Temp\_MEI22802\VCRUNTIME140_1.dll

MD5 135359d350f72ad4bf716b764d39e749
SHA1 2e59d9bbcce356f0fece56c9c4917a5cacec63d7
SHA256 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32
SHA512 cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

C:\Users\Admin\AppData\Local\Temp\_MEI22802\tk86t.dll

MD5 4b6270a72579b38c1cc83f240fb08360
SHA1 1a161a014f57fe8aa2fadaab7bc4f9faaac368de
SHA256 cd2f60075064dfc2e65c88b239a970cb4bd07cb3eec7cc26fb1bf978d4356b08
SHA512 0c81434d8c205892bba8a4c93ff8fc011fb8cfb72cfec172cf69093651b86fd9837050bd0636315840290b28af83e557f2205a03e5c344239356874fce0c72b9

C:\Users\Admin\AppData\Local\Temp\_MEI22802\select.pyd

MD5 35bb285678b249770dda3f8a15724593
SHA1 a91031d56097a4cbf800a6960e229e689ba63099
SHA256 71ed480da28968a7fd07934e222ae87d943677468936fd419803280d0cad07f3
SHA512 956759742b4b47609a57273b1ea7489ce39e29ebced702245a9665bb0479ba7d42c053e40c6dc446d5b0f95f8cc3f2267af56ccaaaf06e6875c94d4e3f3b6094

C:\Users\Admin\AppData\Local\Temp\_MEI22802\_ssl.pyd

MD5 70014e88ecf3133b7be097536f77b459
SHA1 5d75675bb35ba6fae774937789491e051e62a252
SHA256 d318795c98c5f3c127c8e47220a92acba0736daf31bab0dc9c7e6c3513bb2aa3
SHA512 aa59b32c9164afca1b799e389c7087e95eeaa543790b6f590f9e30aa13b7fdb8cc83d0ef6351f0b578a4da636f4ca1e6dfe4558dcf3a813b744a80f7392aa462

C:\Users\Admin\AppData\Local\Temp\_MEI22802\_queue.pyd

MD5 328e41b501a51b58644c7c6930b03234
SHA1 bc09f8b62fec750a48bafd9db3494d2f30f7bd54
SHA256 2782cf3c04801ede65011be282e99cd34d163b2b2b2333fd3147b33f7d5e72ab
SHA512 c6e6e6bca0e9c4e84f7c07541995a7ee4960da095329f69120ba631c3c3e07c0441cf2612d9dcc3d062c779aec7d4e6a00f71f57cc32e2a980a1e3574b67d248

C:\Users\Admin\AppData\Local\Temp\_MEI22802\_decimal.pyd

MD5 ff0bf710eb2d7817c49e1f4e21502073
SHA1 26d4499af20aa2d154eb75835f6729004b4f079f
SHA256 c6eb532da62a115ae75f58766b632e005140a2e7c9c67a77564f1804685a377f
SHA512 6cc6a2cc986c84c00a51e1823de4eb56672b36f6ff4c4b23f43c93fd39d68fd99d5b51df6374e7b7f89ac945c0b421bb6bade9a458dd43c3d9721aadbbcd2315

C:\Users\Admin\AppData\Local\Temp\_MEI22802\unicodedata.pyd

MD5 3ba2a20dda6d1b4670767455bbe32870
SHA1 7c98221bc6ed763030087b1f33fb83eac2823ea4
SHA256 3a0987025f1cf2111dc6e4f59402073ba123d7436d809ee4198b4e7bfb8cb868
SHA512 0688f8af3359a8571bef2a89efabc2dbf26f3f5c6220932a4e7df2e33fac95cafee8b80796346ba698e6bf43630b8069f56538b95a8ff62ec21d629787ca5cd1

C:\Users\Admin\AppData\Local\Temp\_MEI22802\tcl86t.dll

MD5 75909678c6a79ca2ca780a1ceb00232e
SHA1 39ddbeb1c288335abe910a5011d7034345425f7d
SHA256 fbfd065f861ec0a90dd513bc209c56bbc23c54d2839964a0ec2df95848af7860
SHA512 91689413826d3b2e13fc7f579a71b676547bc4c06d2bb100b4168def12ab09b65359d1612b31a15d21cb55147bbab4934e6711351a0440c1533fb94fe53313bf

C:\Users\Admin\AppData\Local\Temp\_MEI22802\libssl-1_1.dll

MD5 de72697933d7673279fb85fd48d1a4dd
SHA1 085fd4c6fb6d89ffcc9b2741947b74f0766fc383
SHA256 ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f
SHA512 0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-20 02:01

Reported

2024-06-20 02:03

Platform

win7-20240611-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\message (14).pyc"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\message (14).pyc"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\message (14).pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\message (14).pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 f495ab76a4af30588f6feaf8f8105f52
SHA1 430b915edf6bcaba5f29e357b0ed8ef43b2b2c4d
SHA256 59c408fa99dbdfc08567ac41c17ab22afc11d81417bbfe35b8e21edb5c2a46ca
SHA512 6cea4afeca9789fb2ee401aad65222939a9673b079f68ba90a0ff5e7850cc5d4a8b5dd48747729c0d9819ae8b7f6238328e9af07a5b99a9e2d8227eef689d079

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-20 02:01

Reported

2024-06-20 02:03

Platform

win10v2004-20240508-en

Max time kernel

44s

Max time network

49s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\message (14).pyc"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\message (14).pyc"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A