Analysis
-
max time kernel
118s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
17-04-2024 14:43
Behavioral task
behavioral1
Sample
381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe
Resource
win7-20240221-en
General
-
Target
381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe
-
Size
280KB
-
MD5
681457fa460dff885eef657f166d5ef8
-
SHA1
44cac83393e0d6d083f0f2ae064090e2478f715b
-
SHA256
381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f
-
SHA512
369d299957327e6260f636933756054a0cd6ca78c4e585544aaac56c87fc6da8c9140e0ab0db51c601c06b95566ffa75d1f9699bc53369994eb0ab6d19eb2180
-
SSDEEP
6144:s068sLPlQBdpbFl37RYeuFAeQKWQcAfoOGCR/4jTHazM80WLXTT9Bvl:s068sLPlQBdpbFl3l0FAepWQcMdu+Ymt
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1072 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 3044 timeout.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.execmd.exedescription pid process target process PID 1392 wrote to memory of 1072 1392 381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe cmd.exe PID 1392 wrote to memory of 1072 1392 381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe cmd.exe PID 1392 wrote to memory of 1072 1392 381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe cmd.exe PID 1392 wrote to memory of 1072 1392 381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe cmd.exe PID 1072 wrote to memory of 3044 1072 cmd.exe timeout.exe PID 1072 wrote to memory of 3044 1072 cmd.exe timeout.exe PID 1072 wrote to memory of 3044 1072 cmd.exe timeout.exe PID 1072 wrote to memory of 3044 1072 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe"C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\jsifovfmbIp & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 43⤵
- Delays execution with timeout.exe