Malware Analysis Report

2024-11-30 12:45

Sample ID 240822-smnbsatepf
Target Injector.exe
SHA256 c5f513dc12c9ef48e960d235428575de55c4c45091c9ecac3a1af5a7ea10f9fa
Tags pyinstaller pysilon
Score 10/10

Analysis Overview

Score 10/10

SHA256

c5f513dc12c9ef48e960d235428575de55c4c45091c9ecac3a1af5a7ea10f9fa

Threat Level: Known bad

The file Injector.exe was found to be: Known bad.

Malicious Activity Summary

pyinstaller pysilon

Pysilon family

Detect Pysilon

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-22 15:14

Signatures

Detect Pysilon

Description Indicator Process Target
N/A N/A N/A N/A

Pysilon family

pysilon

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-22 15:14

Reported

2024-08-22 15:19

Platform

win7-20240708-en

Max time kernel

12s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Injector.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Injector.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Injector.exe

"C:\Users\Admin\AppData\Local\Temp\Injector.exe"

C:\Users\Admin\AppData\Local\Temp\Injector.exe

"C:\Users\Admin\AppData\Local\Temp\Injector.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI26642\python311.dll

MD5 58e01abc9c9b5c885635180ed104fe95
SHA1 1c2f7216b125539d63bd111a7aba615c69deb8ba
SHA256 de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837
SHA512 cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-22 15:14

Reported

2024-08-22 15:19

Platform

win10v2004-20240802-en

Max time kernel

20s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Injector.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Injector.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 588 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\Injector.exe C:\Users\Admin\AppData\Local\Temp\Injector.exe
PID 588 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\Injector.exe C:\Users\Admin\AppData\Local\Temp\Injector.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Injector.exe

"C:\Users\Admin\AppData\Local\Temp\Injector.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4388,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Injector.exe

"C:\Users\Admin\AppData\Local\Temp\Injector.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI5882\python311.dll

MD5 58e01abc9c9b5c885635180ed104fe95
SHA1 1c2f7216b125539d63bd111a7aba615c69deb8ba
SHA256 de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837
SHA512 cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

C:\Users\Admin\AppData\Local\Temp\_MEI5882\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

C:\Users\Admin\AppData\Local\Temp\_MEI5882\base_library.zip

MD5 4719f992c339f290fc7b4ef0be8b3701
SHA1 80bd1bda816bb6c0b2e447e0dd33e580dce24479
SHA256 6607c74b72920ee28363cc89878feb886238502416767be4d561b41bfe0577fc
SHA512 60d1ab27692c08c9f915f1708c0b69a7b475d0f04fdbbfd9f363d5f60142e944ca68f79e31ef5bc5140119e5296f377c272439a53c75d0db4480640d8e44fc24