2c9ab1aa0fd428f8bb0ea204ce3aa9cde7cb5c9c2328db5928dd75d5c71b4a63

Resubmissions

20/11/2024, 14:10

241120-rgxgtsxqgx 7

18/11/2024, 22:26

241118-2czrhawfng 7

Analysis

max time kernel
22s
max time network
29s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20/11/2024, 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EliteServer.exe
Size

100.3MB
MD5

b4eda54a8c090e1698449e8161e1f651
SHA1

79ac77a647ba80eb8833b69deda01182feb30603
SHA256

2c9ab1aa0fd428f8bb0ea204ce3aa9cde7cb5c9c2328db5928dd75d5c71b4a63
SHA512

792ee7102e81dc7091170e11d5319b1269498fc627372efc0cb8220670764057661167a564384250d68a48ea6f58fc462533e7fe6e4516a8e51cfca78ae02388
SSDEEP

786432:RkPPzDMv988j32JAX/VDVxmV2vCRvJmjQwNRflbVSWQ0+zOYh:KTovmiX5mV2vCRvJmjQgbAPlh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2500	EliteServer.exe

Loads dropped DLL 46 IoCs

pid	Process
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe
2500	EliteServer.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x00280000000451b2-105.dat	embeds_openssl

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2500	2080	EliteServer.exe	90
PID 2080 wrote to memory of 2500	2080	EliteServer.exe	90

C:\Users\Admin\AppData\Local\Temp\EliteServer.exe
"C:\Users\Admin\AppData\Local\Temp\EliteServer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\EliteServer.exe
  C:\Users\Admin\AppData\Local\Temp\EliteServer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_asyncio.pyd

Filesize
69KB

MD5
90a38a8271379a371a2a4c580e9cd97d

SHA1
3fde48214fd606114d7df72921cf66ef84bc04c5

SHA256
3b46fa8f966288ead65465468c8e300b9179f5d7b39aa25d7231ff3702ca7887

SHA512
3bde0b274f959d201f7820e3c01896c24e4909348c0bc748ade68610a13a4d1e980c50dab33466469cdd19eb90915b45593faab6c3609ae3f616951089de1fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
156KB

MD5
9e94fac072a14ca9ed3f20292169e5b2

SHA1
1eeac19715ea32a65641d82a380b9fa624e3cf0d

SHA256
a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f

SHA512
b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
81KB

MD5
69801d1a0809c52db984602ca2653541

SHA1
0f6e77086f049a7c12880829de051dcbe3d66764

SHA256
67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3

SHA512
5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
174KB

MD5
90f080c53a2b7e23a5efd5fd3806f352

SHA1
e3b339533bc906688b4d885bdc29626fbb9df2fe

SHA256
fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4

SHA512
4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_wmi.pyd

Filesize
36KB

MD5
827615eee937880862e2f26548b91e83

SHA1
186346b816a9de1ba69e51042faf36f47d768b6c

SHA256
73b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32

SHA512
45114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\bson\_cbson.pyd

Filesize
46KB

MD5
7832220385a2794080d2ad202f0995e1

SHA1
f0bb8d9a808ef541b764cec03a17e3276ba10c26

SHA256
5039feb979f79151841e4480d2fe9d2df5c5933039abf833a9fa1b3b420c2257

SHA512
6b10990b52b11692bc1be6f2bf86d9c15b323a6717cb37aa1d6e26cae6bef21c68d6583069983b38fd6050723e95b49f1644aa835c43d9d58531f53e2c6ce308

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

Filesize
7.5MB

MD5
81ad4f91bb10900e3e2e8eaf917f42c9

SHA1
840f7aef02cda6672f0e3fc7a8d57f213ddd1dc6

SHA256
5f20d6cec04685075781996a9f54a78dc44ab8e39eb5a2bcf3234e36bef4b190

SHA512
11cd299d6812cdf6f0a74ba86eb44e9904ce4106167ebd6e0b81f60a5fcd04236cef5cff81e51ed391f5156430663056393dc07353c4a70a88024194768ffe9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\markupsafe\_speedups.pyd

Filesize
15KB

MD5
06399d9b7b75206a86a9de42d71d4bce

SHA1
40d36ded4b40f125d5885a7288cbd0e02b43bd1b

SHA256
08bcfc9349a9bccf9d80b3f47921e91981e6f2c8651b15e80a29c0d76ce01ec6

SHA512
337f93f3f16445540d0986a8149ecc27f51ff170621c8a4ccafd030fe642a4c78aa08ee09682e83c8fcf30b38701db391bc9dd9facb130f5e9ecf5b2c04477c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
30KB

MD5
7c14c7bc02e47d5c8158383cb7e14124

SHA1
5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3

SHA256
00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5

SHA512
af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\Crypto\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
20708935fdd89b3eddeea27d4d0ea52a

SHA1
85a9fe2c7c5d97fd02b47327e431d88a1dc865f7

SHA256
11dd1b49f70db23617e84e08e709d4a9c86759d911a24ebddfb91c414cc7f375

SHA512
f28c31b425dc38b5e9ad87b95e8071997e4a6f444608e57867016178cd0ca3e9f73a4b7f2a0a704e45f75b7dcff54490510c6bf8461f3261f676e9294506d09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\Crypto\Cipher\_raw_cfb.pyd

Filesize
13KB

MD5
43bbe5d04460bd5847000804234321a6

SHA1
3cae8c4982bbd73af26eb8c6413671425828dbb7

SHA256
faa41385d0db8d4ee2ee74ee540bc879cf2e884bee87655ff3c89c8c517eed45

SHA512
dbc60f1d11d63bebbab3c742fb827efbde6dff3c563ae1703892d5643d5906751db3815b97cbfb7da5fcd306017e4a1cdcc0cdd0e61adf20e0816f9c88fe2c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\Crypto\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
fee13d4fb947835dbb62aca7eaff44ef

SHA1
7cc088ab68f90c563d1fe22d5e3c3f9e414efc04

SHA256
3e0d07bbf93e0748b42b1c2550f48f0d81597486038c22548224584ae178a543

SHA512
dea92f935bc710df6866e89cc6eb5b53fc7adf0f14f3d381b89d7869590a1b0b1f98f347664f7a19c6078e7aa3eb0f773ffcb711cc4275d0ecd54030d6cf5cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\Crypto\Cipher\_raw_ofb.pyd

Filesize
12KB

MD5
4d9182783ef19411ebd9f1f864a2ef2f

SHA1
ddc9f878b88e7b51b5f68a3f99a0857e362b0361

SHA256
c9f4c5ffcdd4f8814f8c07ce532a164ab699ae8cde737df02d6ecd7b5dd52dbd

SHA512
8f983984f0594c2cac447e9d75b86d6ec08ed1c789958afa835b0d1239fd4d7ebe16408d080e7fce17c379954609a93fc730b11be6f4a024e7d13d042b27f185

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\_bz2.pyd

Filesize
83KB

MD5
30f396f8411274f15ac85b14b7b3cd3d

SHA1
d3921f39e193d89aa93c2677cbfb47bc1ede949c

SHA256
cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f

SHA512
7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\_cffi_backend.pyd

Filesize
175KB

MD5
fcb71ce882f99ec085d5875e1228bdc1

SHA1
763d9afa909c15fea8e016d321f32856ec722094

SHA256
86f136553ba301c70e7bada8416b77eb4a07f76ccb02f7d73c2999a38fa5fa5b

SHA512
4a0e98ab450453fd930edc04f0f30976abb9214b693db4b6742d784247fb062c57fafafb51eb04b7b4230039ab3b07d2ffd3454d6e261811f34749f2e35f04d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\_ctypes.pyd

Filesize
122KB

MD5
5377ab365c86bbcdd998580a79be28b4

SHA1
b0a6342df76c4da5b1e28a036025e274be322b35

SHA256
6c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93

SHA512
56f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\_decimal.pyd

Filesize
251KB

MD5
7ae94f5a66986cbc1a2b3c65a8d617f3

SHA1
28abefb1df38514b9ffe562f82f8c77129ca3f7d

SHA256
da8bb3d54bbba20d8fa6c2fd0a4389aec80ab6bd490b0abef5bd65097cbc0da4

SHA512
fbb599270066c43b5d3a4e965fb2203b085686479af157cd0bb0d29ed73248b6f6371c5158799f6d58b1f1199b82c01abe418e609ea98c71c37bb40f3226d8c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\_hashlib.pyd

Filesize
64KB

MD5
a25bc2b21b555293554d7f611eaa75ea

SHA1
a0dfd4fcfae5b94d4471357f60569b0c18b30c17

SHA256
43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d

SHA512
b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\_overlapped.pyd

Filesize
54KB

MD5
737f46e8dac553427a823c5f0556961c

SHA1
30796737caec891a5707b71cf0ad1072469dd9de

SHA256
2187281a097025c03991cd8eb2c9ca416278b898bd640a8732421b91ada607e8

SHA512
f0f4b9045d5328335dc5d779f7ef5ce322eaa8126ec14a84be73edd47efb165f59903bff95eb0661eba291b4bb71474dd0b0686edc132f2fba305c47bb3d019f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\_queue.pyd

Filesize
31KB

MD5
e1c6ff3c48d1ca755fb8a2ba700243b2

SHA1
2f2d4c0f429b8a7144d65b179beab2d760396bfb

SHA256
0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa

SHA512
55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\_uuid.pyd

Filesize
25KB

MD5
d8c6d60ea44694015ba6123ff75bd38d

SHA1
813deb632f3f3747fe39c5b8ef67bada91184f62

SHA256
8ae23bfa84ce64c3240c61bedb06172bfd76be2ad30788d4499cb24047fce09f

SHA512
d3d408c79e291ed56ca3135b5043e555e53b70dff45964c8c8d7ffa92b27c6cdea1e717087b79159181f1258f9613fe6d05e3867d9c944f43a980b5bf27a75ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\pymongo\_cmessage.pyd

Filesize
56KB

MD5
533cd349c2cba67922f907f8679554de

SHA1
08f8fd3eacbe4e13ddda78331b39fdf44d71529d

SHA256
db0c39408359b362c40c7b298ca366812299877cc76fa8518eb2f0b47e291742

SHA512
60f8d249fd3ce9fc3e0fc63cea30c50d7027da5397ebac9a46f6dbf27e8d89394e24ad05672888f1de1eba49579d20d8284b03580121ca9f3478e9955d43bfb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\python3.dll

Filesize
66KB

MD5
5eace36402143b0205635818363d8e57

SHA1
ae7b03251a0bac083dec3b1802b5ca9c10132b4c

SHA256
25a39e721c26e53bec292395d093211bba70465280acfa2059fa52957ec975b2

SHA512
7cb3619ea46fbaaf45abfa3d6f29e7a5522777980e0a9d2da021d6c68bcc380abe38e8004e1f31d817371fb3cdd5425d4bb115cb2dc0d40d59d111a2d98b21d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\python312.dll

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2080_133765854774542038\unicodedata.pyd

Filesize
1.1MB

MD5
a8ed52a66731e78b89d3c6c6889c485d

SHA1
781e5275695ace4a5c3ad4f2874b5e375b521638

SHA256
bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7

SHA512
1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017

Download Submit
memory/2080-124-0x00007FF641510000-0x00007FF642510000-memory.dmp

Filesize
16.0MB

Download
memory/2500-125-0x00007FF79E9A0000-0x00007FF7A364C000-memory.dmp

Filesize
76.7MB

Download