pysilon | df1000c60f21c7d520e0b9c15e9a2c1974a81f628082611a01869f98c938ae8a | Triage

Submit
Reports

Overview

overview

Static

static

source_prepared.exe

windows7-x64

7

source_prepared.exe

windows10-2004-x64

8

Sharing

General

Target

source_prepared.zip
Size

30.0MB
Sample

250223-s8mx5sspbq
MD5

5b2a07386d55398d58726addc9b8d3c1
SHA1

47270a6780c48c21a7e8622533c604aec2c512d2
SHA256

df1000c60f21c7d520e0b9c15e9a2c1974a81f628082611a01869f98c938ae8a
SHA512

80374377608c3ee70aeb009a9e91451b6e9b1117f07ab2501f868c387aec1a2d4960e4be85b9a5a895377b77fee0d136d6cee3f1aeeae83f216551507978db55
SSDEEP

393216:I82L62LqCeYw/lLOZW82tSqGINOfH6rl8J3PXf0dfY8soVL/gYiVOq3MVJeeO:/ow/lOW82lO2l8dPXAflsol/1mcVQeO

Score

10^/10

pysilon discovery persistence privilege_escalation pyinstaller upx

Static task

static1

pyinstaller pysilon

4 signatures

Behavioral task

behavioral1

Sample

source_prepared.exe

Resource

win7-20240903-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

source_prepared.exe

Resource

win10v2004-20250217-en

discovery persistence privilege_escalation upx

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Targets

- Target
  
  source_prepared.exe
- Size
  
  30.0MB
- MD5
  
  733d2b43a13226f45acb529e93a65b22
- SHA1
  
  8013d197610d4d7afd782a502e534e957c0fb3cc
- SHA256
  
  44b7a85d8ce947e944a1a17e3d914259a7dd49b42f2ab6952814fa979b13b89f
- SHA512
  
  8f9dd3274bb0768378412bdbbc99e83abce8f6d0826b2f1d623312fd9d9ecd40c7e1f92152dec9ab13da213f23a23726249915c7429dacf9e4caa73b8d062dda
- SSDEEP
  
  393216:p82L62LqCeYw/lLOZW82tSqGINOfH6rl8J3PXf0dfY8soVL/gYiVOq3MVJee:iow/lOW82lO2l8dPXAflsol/1mcVQe
Score

8^/10

upx discovery persistence privilege_escalation
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

pyinstallerpysilon

behavioral1

behavioral2

discoverypersistenceprivilege_escalationupx

© 2018-2025

Terms | Privacy