Malware Analysis Report

2025-05-05 21:09

Sample ID 241021-b74qtsserf
Target c157d6596197035913df51690b5aefca.bin
SHA256 d0992bf6a2fc6235f712200d90353a1ad5a02052ceff612f0cf897fbba77ab35
Tags
pyinstaller pysilon discovery upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK
    Enterprise Matrix V15

Analysis: static1
    Detonation Overview
    Signatures

Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score 10/10

SHA256 d0992bf6a2fc6235f712200d90353a1ad5a02052ceff612f0cf897fbba77ab35

Threat Level: Known bad

The file c157d6596197035913df51690b5aefca.bin was found to be: Known bad.

Malicious Activity Summary

pyinstaller pysilon discovery upx

Pysilon family

Detect Pysilon

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Detects Pyinstaller

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-21 01:48

Signatures

Detect Pysilon

Description Indicator Process Target
N/A N/A N/A N/A

Pysilon family

pysilon

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-21 01:48

Reported 2024-10-21 01:50

Platform win7-20240903-en

Max time kernel 119s

Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d758fa0a4c3a9a4b634fb08211078d408418148215105ef3e30a492672bfda1.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d758fa0a4c3a9a4b634fb08211078d408418148215105ef3e30a492672bfda1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d758fa0a4c3a9a4b634fb08211078d408418148215105ef3e30a492672bfda1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0d758fa0a4c3a9a4b634fb08211078d408418148215105ef3e30a492672bfda1.exe

"C:\Users\Admin\AppData\Local\Temp\0d758fa0a4c3a9a4b634fb08211078d408418148215105ef3e30a492672bfda1.exe"

C:\Users\Admin\AppData\Local\Temp\0d758fa0a4c3a9a4b634fb08211078d408418148215105ef3e30a492672bfda1.exe

"C:\Users\Admin\AppData\Local\Temp\0d758fa0a4c3a9a4b634fb08211078d408418148215105ef3e30a492672bfda1.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI14042\python39.dll

MD5 7cd78961972c635bbe49b29bb86e5726
SHA1 5677a224e3b1c27ffd05a6ccea6ffcbbdb42b3ef
SHA256 e99fc9e98f769b903473ba46ab4a6019df3126d8d40184c369a91fdeb5a336ca
SHA512 0dca58bea7a0297bbe7166b908ce4f6b2e0a85586492c3ba7f4aa8c75e12d3ca854040426a674ba5f75c2f53d407accda5ced56ce7166ca9a6ef40a1857ca145

memory/3000-47-0x00000000746F0000-0x0000000074B72000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-21 01:48

Reported 2024-10-21 01:50

Platform win10v2004-20241007-en

Max time kernel 149s

Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d758fa0a4c3a9a4b634fb08211078d408418148215105ef3e30a492672bfda1.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d758fa0a4c3a9a4b634fb08211078d408418148215105ef3e30a492672bfda1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d758fa0a4c3a9a4b634fb08211078d408418148215105ef3e30a492672bfda1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0d758fa0a4c3a9a4b634fb08211078d408418148215105ef3e30a492672bfda1.exe

"C:\Users\Admin\AppData\Local\Temp\0d758fa0a4c3a9a4b634fb08211078d408418148215105ef3e30a492672bfda1.exe"

C:\Users\Admin\AppData\Local\Temp\0d758fa0a4c3a9a4b634fb08211078d408418148215105ef3e30a492672bfda1.exe

"C:\Users\Admin\AppData\Local\Temp\0d758fa0a4c3a9a4b634fb08211078d408418148215105ef3e30a492672bfda1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI33962\python39.dll

MD5 7cd78961972c635bbe49b29bb86e5726
SHA1 5677a224e3b1c27ffd05a6ccea6ffcbbdb42b3ef
SHA256 e99fc9e98f769b903473ba46ab4a6019df3126d8d40184c369a91fdeb5a336ca
SHA512 0dca58bea7a0297bbe7166b908ce4f6b2e0a85586492c3ba7f4aa8c75e12d3ca854040426a674ba5f75c2f53d407accda5ced56ce7166ca9a6ef40a1857ca145

C:\Users\Admin\AppData\Local\Temp\_MEI33962\VCRUNTIME140.dll

MD5 55c8e69dab59e56951d31350d7a94011
SHA1 b6af2d245ae4d67c38eb1cd31e0c1cffb29b9b2c
SHA256 9d8d21022ff9d3f6b81a45209662a4f3481edc2befae0c73b83cf942eab8be25
SHA512 efb2ac1891724df16268480628eb230b6ee37ed47b56d2e02a260559865cdd48ee340ce445e58f625e0f4d6dbdc5bfb7ce2eeedf564b837cff255ef7d1dc58cd

memory/4160-49-0x0000000074600000-0x0000000074A82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI33962\base_library.zip

MD5 077f614c0d45a14b87aa769da7277165
SHA1 edd2f5a6bfffc3b5b7705fa179054ee4c46617f1
SHA256 1888bebd2e4d139168e11ce69b9100e4f6d6fa038436155adbdcd2bede8419a3
SHA512 d46896f4a1a50ca660c5b1b2825e39883535dc6bafb3c64da5b185e05197f1b1d319c26fb9d875d70ead73ea2d7dcc02fa5bc3e22187bf65278493dcc951ad1e

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_ctypes.pyd

MD5 03fe59e2e3f629843ffaabd9d700819b
SHA1 a0636abd0cd55d2b3d923d0ef998df3aa08f1b8b
SHA256 2486f363d4586d3a1d6cc5a92d95c10e28d8af2a165db4be99cec7e7b791a557
SHA512 b79c45c2f2b070fd7627631ca6da4502d8e62a0a63f574bdc074fcb5292798b8007e2b5cbf457e5dd7e0758e77606660f6560bdcc614f6c69d46f662a845d3e6

memory/4160-54-0x0000000074540000-0x0000000074562000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI33962\libcrypto-1_1.dll

MD5 dbd06f3421a0cf3fc22a9e208a5bdded
SHA1 fd8d5cd2ccbbda5f3b5e6ad874830f69d7c58b15
SHA256 889d304848874192386184a10fc87477601e9a1100898a4297fc23111eaeb7d7
SHA512 2806973c67400c478845c945821149d6135dd04951891454cf7d2b4fdd6783460857297d77d368187fe7bac998be4d273ba7aa325a2623d1985475b1069f726f

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_hashlib.pyd

MD5 c4ed6bb824eafcb71325e5ddcef21890
SHA1 c26859fb72d1e9270618c924af411d5b190ec372
SHA256 779ca6540c3f039e41c0e73396346f5bcd6d15e95f6b4934dc635daf618279cb
SHA512 46b4296f42245a361ca1fd1e58b1e1fb0f8bd760a526b1ab7717c32cb808d08ce1eb07dfafc55eaa80b5ba4c40d56cf216ac5a699715639cad7031055d25622b

memory/4160-79-0x0000000074510000-0x0000000074522000-memory.dmp

memory/4160-77-0x0000000074530000-0x000000007453C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_uuid.pyd

MD5 15985ef78a98897e3096f679e870c15e
SHA1 8134574c360a4abfa3f4e4f6182f2d271b240ad8
SHA256 14f4d198bf974db98883f103ad18591dd8e793499e296c6cbf599eea7490e41f
SHA512 ed29d924a00d155f927d3e2a4295d6f9a5d6dfc56af62388fa5af1a769ffc703cdca6ebcaff1cb098c8bfbf87a2deb297c363b81c838985735eb6fe779a37f26

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_ssl.pyd

MD5 eba397afda3baaeb3e4a38ffed4391b1
SHA1 f5d53e1c91bc5c3239ebead81c9abddd2121fe62
SHA256 4d874d604da9ae4755fa0a851557116be67416d597d1becc673245531923b934
SHA512 c6a1aa19e55a794d5d545e592017865a9c32745c30039c0ebfb7f1e139617d4bf41c3b20f445f192309267af17028701be4ae25cbdcb0fbb6fc8c57d2992b5b7

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_sqlite3.pyd

MD5 a779b2c2e39295e787b21a4d9b8a8663
SHA1 a3a1a09d46a33469e04d945f6d60f2de90d49895
SHA256 18b228b76fbe257f4bb771e80506a9fcc759e912fb1344781a42875bf8b60ae4
SHA512 1d44fd1fd8d5e2d0927e39c15af2bf0dab1e60c2ddb9d738ec9fe1f059a9c28692b80f0128226e527e81c28de575820217f0a8912f68447fa0f8bb58f23fee33

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_socket.pyd

MD5 6eb06bba571d03b65a19535966d4d9d6
SHA1 c61de129dbca3731d596a1cdebc9431ba8bc43e8
SHA256 a4f5160eb46943dc89410de9c0d09edb18f6e194abcadf1d07504eb4eb70bc02
SHA512 e23cac3f10020cc1cb8941627d7d157f30db3d7b1fa6ac8ab23ac7ae130526ee221bce951ac094ab63a545faa4f19f4df860dc327885c110b42aacc5758af339

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_queue.pyd

MD5 57b82ec9fef0bd5a54f8f633f5978317
SHA1 d2aac952e500f7c5b0cb5133feed6a5de0e56e30
SHA256 c7edf6cda105ad6f127afa4ce659ac519406279323ddda344316764782bf70cd
SHA512 6bc734958fc0e5deeba1a551973b23d0ef245a5fe193e7bf1508adeaacf864f184002c32fabd18e4f96b755bd05eaebe4acd30114fa18d3bf5366027a7a869ba

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_overlapped.pyd

MD5 bc4ab73c6cd06309604a537fdc27d510
SHA1 7cbb3f61b00bf82fd5a6f1041c5d06e8fd2ef23a
SHA256 05af7a47b2654cee9599f9f7d2c6425464939b0b18bf641b553629f48febcdb1
SHA512 3e0f3d0adf518e7b87471951c18de1b359105f7044ae19fe38328db52774f71493fb135e9e78518a994105ac46eacde3d512ea0f2380fc01ff83917d3bb66d07

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_multiprocessing.pyd

MD5 e830e563ed0d882511cc114ca267e4df
SHA1 4383197285d2a7602eaf29b9e3976e91144bdef9
SHA256 b70f64c66e1c39dbc709f65ec78ec6a6003189904c928f98abfe5f2c64e97c2b
SHA512 a46a2c7bcba0b98d56e74584710c45de48d6ba9153c929536e1b95c47ec94effdd67bc23b0c4c01f4b0b69df93ca99305a979b1eb5f07bb21ad45217214604b9

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_lzma.pyd

MD5 eabe20f2b3e9bf84affb523c2e023fec
SHA1 aea8d13848b204e25f5e21e261fa2c92ac794dae
SHA256 13f7904dee42476f01568e187c611d0193417ee5371bdb443083f5859a08357a
SHA512 14c650d67c8269f54ffe1e095b00e46843da6ed23947efd87b3d18fa07a17d3e0caa06471e45044fc2ee3c0e07a3c2a0cee55f79330aed8e602c337b00744209

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_elementtree.pyd

MD5 a4b295e88a0ca842a95a4d1ea92e9681
SHA1 9046a29fb328b7a9a747a920245833e599f960b7
SHA256 60311b89a968044cdbb80255c5f0f79a0ec90c9cc749c2421d4bda7b7cfc537e
SHA512 ae3a93fd8bbd72b28b45b0075d5b54ea57200940a91131f43ec0e3a9ff864c886a4eb83bf16d82877bc5e1ce56a2ae15e0a4e702787020d2f7627be6258b30d9

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_decimal.pyd

MD5 3b86f83c0ad6fd0730ffbbccab15241e
SHA1 b0a221c250ec5da47677e05d0226d71a6f675f76
SHA256 7cf6ca3ce7919d268c3ad48f0a71ebf6a7ae1c0feec34af17e0c856b9d7d9f61
SHA512 9c1f4b19ed941e789d9727fb4ceb112f44461e86a5e0e649d451d32655523e027322b2e1a330812401b590f48e407f81143deb84ff458163fe6603c113361b62

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_bz2.pyd

MD5 7e2635e06c3d7a72d2b0e1cbb8f4b47a
SHA1 0eb409c30d87507aa736cd096cddcbde53645229
SHA256 e2858222c0f5729d79a244ddf9a8b4aba9f7bf720f7d606d015ba48464181274
SHA512 7adbbefc172cebf7c0a1a50437ed6e44a40dd79ff94bd3275ac434aa9996f15f50a43beb277f5c090592cc8ac4d6f456f853efa446fbb042a30352e096880655

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_asyncio.pyd

MD5 fc2732eee5ab49a1767460683a103987
SHA1 543963e7e3e9152532ebbb682bb0dc3bb8373692
SHA256 f7bd5af823984398987213d033602d25b22a75da12e41aba20ffc686e9fb9f89
SHA512 62c47fb53f7dbf5bf28331b97a36d0d92b1a559784a0b7ac96ecd97503657b1714587d627fb09d0631fa4d95348dc8889edbc2100f84e2d8088dd2a22e61b68e

C:\Users\Admin\AppData\Local\Temp\_MEI33962\unicodedata.pyd

MD5 adaa2e1d235950b35ed10cdedf3951f8
SHA1 0c1b85246a116eaa77a283650155a6bd515b6fa9
SHA256 8f84777b58a326ea37fd248bf46945a8ab1d6e0692060d0f75d6ffcde5ed55a2
SHA512 957bb411577a86db44dd563c6b5693f2073bba2d8e3fda0e1fd73ee2f153d4f12a935d3c6f11624d14f9a409dfbc0140dff826f3a726e95cd8eabbda173c867c

C:\Users\Admin\AppData\Local\Temp\_MEI33962\sqlite3.dll

MD5 bf361e2ab295d15a06cc4a2404101669
SHA1 02242fc9cb5162d5f208e4ea4d7939a392d885a2
SHA256 1438dcbfb39493542d5e89d36abd92c22a84427fbf14b909e489afe02e9424bf
SHA512 618e6cb38fb7d9bf8653c212940498ab9f6aba62ff320fc1d1db6077a0a87bcc66f1b13b1f8e79abfe9036e58f2b9a3225fdedfe267a7a6ef49a88bd244bd9f6

C:\Users\Admin\AppData\Local\Temp\_MEI33962\select.pyd

MD5 bdc5ddf0b75c8f2daeb62a0841362fa1
SHA1 87e62c3c307647936fbde68f81663f6803877bc9
SHA256 763ba787ae1755b7e07e5fec6e08d71eee3b137ee76b4bb6598b794516e57b9d
SHA512 af88e23f9b71a0777c811a6a1a9deb8d735e35527ca2b3f8decf5ae45ccc1b114bce3deca70df6bbdb06cc2425f7afa9016b4348c7f4a5ff9efaa65ce2450d49

C:\Users\Admin\AppData\Local\Temp\_MEI33962\pyexpat.pyd

MD5 f1eb3fd4863dad5334de8d3ac089da8e
SHA1 fae563f74ac73e91252c14e0b8bf1add20437471
SHA256 4ccb954209a0162c5ae9bb3f9a6be0a264b14c6e8521d2f1de7dfa1fe88c7867
SHA512 b60225ad8608b0a2b82653d95374c9e68fa4f8d48b530c97b89f341bcee0345939785aebd23419472daa6dccae0201f33e965c033d56402f2912fb093e1ad2ea

C:\Users\Admin\AppData\Local\Temp\_MEI33962\libssl-1_1.dll

MD5 fcde85ec96fc889ab7e32309faed5f0c
SHA1 d9a6138fd56d08a4ba874c078d2e50da0fc75170
SHA256 df11c11a0290374527193d19b6edc1045e93286fb7a641e63682157b78267435
SHA512 c93c8ba3ecb318d66f98939e61af1b2fd7d0529afb342812ffd0095dc015e06ab0b0b52bbede84136b115194fb2720a70d2e98f7b488863c9ef7cf815d9c989e

C:\Users\Admin\AppData\Local\Temp\_MEI33962\libopus-0.x64.dll

MD5 e56f1b8c782d39fd19b5c9ade735b51b
SHA1 3d1dc7e70a655ba9058958a17efabe76953a00b4
SHA256 fa8715dd0df84fdedbe4aa17763b2ab0db8941fa33421b6d42e25e59c4ae8732
SHA512 b7702e48b20a8991a5c537f5ba22834de8bb4ba55862b75024eace299263963b953606ee29e64d68b438bb0904273c4c20e71f22ccef3f93552c36fb2d1b2c46

C:\Users\Admin\AppData\Local\Temp\_MEI33962\crypto_clipper.json

MD5 8bff94a9573315a9d1820d9bb710d97f
SHA1 e69a43d343794524b771d0a07fd4cb263e5464d5
SHA256 3f7446866f42bcbeb8426324d3ea58f386f3171abe94279ea7ec773a4adde7d7
SHA512 d5ece1ea9630488245c578cb22d6d9d902839e53b4550c6232b4fb9389ef6c5d5392426ea4a9e3c461979d6d6aa94ddf3b2755f48e9988864788b530cdfcf80f

C:\Users\Admin\AppData\Local\Temp\_MEI33962\libffi-7.dll

MD5 be02e3ba1fddb2bef792c6f179442431
SHA1 1b87681c55e0d343c217ceaee48f6e5a73b33ce1
SHA256 c763cceb2134aef0cfa4dbd201e9f60c1441e169886d8a80e09eff855396f997
SHA512 a5e5d383c419433592a6d8c6a36e0ecb8a2ddb5b15dffa22b94fe2cbda1fae07404ae2fdce93222c2c10397375eb7725d4dd44afe8624222adfa7724ba54f021

memory/4160-81-0x00000000742B0000-0x0000000074502000-memory.dmp

memory/4160-87-0x0000000074600000-0x0000000074A82000-memory.dmp

memory/4160-90-0x0000000074510000-0x0000000074522000-memory.dmp

memory/4160-91-0x00000000742B0000-0x0000000074502000-memory.dmp

memory/4160-89-0x0000000074530000-0x000000007453C000-memory.dmp

memory/4160-88-0x0000000074540000-0x0000000074562000-memory.dmp