pysilon | 8a46ee75e9ff83fca1310134751cedf8edac0ef10c9ce4656d368daebf4e0826 | Triage

Submit
Reports

Overview

overview

Static

static

NZP.exe

windows11-21h2-x64

Sharing

General

Target

NZP.exe
Size

103.4MB
Sample

240808-s4c75syhkf
MD5

66d7df10f82ac4a7a5021e305fb3a560
SHA1

774504d7ff3957a8d141d33b9a6fe9c8f8b15b9b
SHA256

8a46ee75e9ff83fca1310134751cedf8edac0ef10c9ce4656d368daebf4e0826
SHA512

ed2cbf821c8ad11bfc3b82b6a59297b4924491d7e979e3213043ca99e4b49053c66a47c0dfe3f316c646f357193691e2dd603c752bd7d170f092bfbb425390be
SSDEEP

3145728:pCOb8S6xjKcBaIc2qHO5iVY2nGQbRe0zJcBWSs9U:DgSWNaIsHCiH1XcBWP

Score

10^/10

pysilon google defense_evasion discovery evasion execution motw persistence phishing pyinstaller

Static task

static1

pyinstaller pysilon

4 signatures

Behavioral task

behavioral1

Sample

NZP.exe

Resource

win11-20240802-en

google defense_evasion discovery evasion execution motw persistence phishing

windows11-21h2-x64

32 signatures

1800 seconds

Malware Config

Targets

- Target
  
  NZP.exe
- Size
  
  103.4MB
- MD5
  
  66d7df10f82ac4a7a5021e305fb3a560
- SHA1
  
  774504d7ff3957a8d141d33b9a6fe9c8f8b15b9b
- SHA256
  
  8a46ee75e9ff83fca1310134751cedf8edac0ef10c9ce4656d368daebf4e0826
- SHA512
  
  ed2cbf821c8ad11bfc3b82b6a59297b4924491d7e979e3213043ca99e4b49053c66a47c0dfe3f316c646f357193691e2dd603c752bd7d170f092bfbb425390be
- SSDEEP
  
  3145728:pCOb8S6xjKcBaIc2qHO5iVY2nGQbRe0zJcBWSs9U:DgSWNaIsHCiH1XcBWP
Score

10^/10

google defense_evasion discovery evasion execution motw persistence phishing
- Detected google phishing page
  phishing google
- Enumerates VirtualBox DLL files
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Mark of the Web detected: This indicates that the page was originally saved or cloned.
  phishing motw
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

File and Directory Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

pyinstallerpysilon

behavioral1

googledefense_evasiondiscoveryevasionexecutionmotwpersistencephishing

© 2018-2025

Terms | Privacy