Malware Analysis Report

2025-05-05 21:13

Sample ID 240626-t4hnaswapl
Target playSong.exe
SHA256 aa14dad18e2115ec46526aa1d9894803ec563c208f035ce68579a2a2bd4b9dad
Tags
pyinstaller
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

aa14dad18e2115ec46526aa1d9894803ec563c208f035ce68579a2a2bd4b9dad

Threat Level: Shows suspicious behavior

The file playSong.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-26 16:36

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 16:36

Reported

2024-06-26 16:37

Platform

win10v2004-20240508-en

Max time kernel

12s

Max time network

14s

Command Line

"C:\Users\Admin\AppData\Local\Temp\playSong.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\playSong.exe

"C:\Users\Admin\AppData\Local\Temp\playSong.exe"

C:\Users\Admin\AppData\Local\Temp\playSong.exe

"C:\Users\Admin\AppData\Local\Temp\playSong.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI39362\ucrtbase.dll

MD5 bd8b198c3210b885fe516500306a4fcf
SHA1 28762cb66003587be1a59c2668d2300fce300c2d
SHA256 ce2621719f1358508c2c33bcc1380d78a737ca20cd18c0ac89f38e1be788d9a2
SHA512 c32b6c083d3a7da01085718e5685e9a04034be91251c065794ceef1dfaaf6573fdd845cbc84e926ab3f510d295649cb6e497564fbe52cc79c053357c645c11a5

C:\Users\Admin\AppData\Local\Temp\_MEI39362\playSong.exe.manifest

MD5 45eee364abf2da361d6489e83ea3e715
SHA1 b404a232a4a331bbff9fbf6edd8699605838c33f
SHA256 9576a1972532cddc379e9f042582655519aaad764e82190308b8f504ea86e06c
SHA512 403c2b5c600074e431f375e4daac20fb57a79695d304b22fa613dcaf23484fb88edf0a88a4e236a7d69a87c7774a496ba82f2403a4ee9d4fd6543e41387b229b

C:\Users\Admin\AppData\Local\Temp\_MEI39362\python38.dll

MD5 3cd1e87aeb3d0037d52c8e51030e1084
SHA1 49ecd5f6a55f26b0fb3aeb4929868b93cc4ec8af
SHA256 13f7c38dc27777a507d4b7f0bd95d9b359925f6f5bf8d0465fe91e0976b610c8
SHA512 497e48a379885fdd69a770012e31cd2a62536953e317bb28e3a50fdb177e202f8869ea58fc11802909cabb0552d8c8850537e9fb4ead7dd14a99f67283182340

C:\Users\Admin\AppData\Local\Temp\_MEI39362\VCRUNTIME140.dll

MD5 8697c106593e93c11adc34faa483c4a0
SHA1 cd080c51a97aa288ce6394d6c029c06ccb783790
SHA256 ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833
SHA512 724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

C:\Users\Admin\AppData\Local\Temp\_MEI39362\base_library.zip

MD5 2b58a0447d1feea708ac059763c4c3e4
SHA1 12578b60af0f354d527df066aaeb2422fe14913d
SHA256 ae8f1046d28fc1d62b4c1dc2c6c55535eba2473abf7e61a33ae7307181c03f06
SHA512 8b5966be4e00e78ad3b4e409ff21767357312ec149f884382fc5fb0b056d7e724f330e188037bd543df21a2ce934dc1b09408abc1a6a16f74850cec67846e773

C:\Users\Admin\AppData\Local\Temp\_MEI39362\_ctypes.pyd

MD5 4d13a7b3ecc8c7dc96a0424c465d7251
SHA1 0c72f7259ac9108d956aede40b6fcdf3a3943cb5
SHA256 2995ef03e784c68649fa7898979cbb2c1737f691348fae15f325d9fc524df8ed
SHA512 68ff7c421007d63a970269089afb39c949d6cf9f4d56aff7e4e0b88d3c43cfaa352364c5326523386c00727cc36e64274a51b5dbb3a343b16201cf5fc264fec8

C:\Users\Admin\AppData\Local\Temp\_MEI39362\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI39362\_socket.pyd

MD5 eb974aeda30d7478bb800bb4c5fbc0a2
SHA1 c5b7bc326bd003d42bcf620d657cac3f46f9d566
SHA256 1db7b4f6ae31c4d35ef874eb328f735c96a2457677a3119e9544ee2a79bc1016
SHA512 f9eea3636371ba508d563cf21541a21879ce50a5666e419ecfd74255c8decc3ae5e2ceb4a8f066ae519101dd71a116335a359e3343e8b2ff3884812099ae9b1b

C:\Users\Admin\AppData\Local\Temp\_MEI39362\select.pyd

MD5 08b499ae297c5579ba05ea87c31aff5b
SHA1 4a1a9f1bf41c284e9c5a822f7d018f8edc461422
SHA256 940fb90fd78b5be4d72279dcf9c24a8b1fcf73999f39909980b12565a7921281
SHA512 ab26f4f80449aa9cc24e68344fc89aeb25d5ba5aae15aeed59a804216825818edfe31c7fda837a93a6db4068ccfb1cc7e99173a80bd9dda33bfb2d3b5937d7e9

C:\Users\Admin\AppData\Local\Temp\_MEI39362\_queue.pyd

MD5 1707a6aeeb0278ee445e86ee4354c86c
SHA1 50c30823b1dc995a03f5989c774d6541e5eaaef9
SHA256 dd8c39ff48de02f3f74256a61bf3d9d7e411c051dd4205ca51446b909458f0cd
SHA512 404b99b8c70de1d5e6a4f747df44f514a4b6480b6c30b468f35e9e0257fd75c1a480641bc88180f6eb50f0bd96bdcafb65bb25364c0757a6e601090ae5989838