ce5d197fa3d2ad070ca03408e80052032c0c5c303af8982b7094952617ee41a8

Analysis

max time kernel
142s
max time network
147s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

818254d916f20affd2254e156e32cb91.exe
Size

73KB
MD5

818254d916f20affd2254e156e32cb91
SHA1

e50e8d35957284df86a4a16d118cd8c83fd0dc62
SHA256

ce5d197fa3d2ad070ca03408e80052032c0c5c303af8982b7094952617ee41a8
SHA512

fd5f32c0145056c359310179f2c4f2d4175b944302f5931724dfe3d43d0c80f0a86092db405527d447f7212fe08b627d5c64804a335e4a3938a5adcb3ac3623a
SSDEEP

1536:v55u555555555pmgSeGDjtQhnwmmB0ybMqqU+2bbbAV2/S2mr3IdE8mne0Avu5rJ:bMSjOnrmBTMqqDL2/mr3IdE8we0Avu5F

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

818254d916f20affd2254e156e32cb91.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dhobjbstdzs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\818254d916f20affd2254e156e32cb91.exe"	818254d916f20affd2254e156e32cb91.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

818254d916f20affd2254e156e32cb91.exe

description	ioc	process
File opened (read-only)	\??\I:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\O:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\Q:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\W:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\Z:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\E:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\H:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\Y:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\A:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\L:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\J:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\K:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\M:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\R:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\U:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\V:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\B:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\G:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\X:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\S:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\T:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\N:	818254d916f20affd2254e156e32cb91.exe
File opened (read-only)	\??\P:	818254d916f20affd2254e156e32cb91.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

818254d916f20affd2254e156e32cb91.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	818254d916f20affd2254e156e32cb91.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	818254d916f20affd2254e156e32cb91.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	818254d916f20affd2254e156e32cb91.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

818254d916f20affd2254e156e32cb91.exe

pid process

1920 818254d916f20affd2254e156e32cb91.exe
1920 818254d916f20affd2254e156e32cb91.exe

pid	process
1920	818254d916f20affd2254e156e32cb91.exe
1920	818254d916f20affd2254e156e32cb91.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

818254d916f20affd2254e156e32cb91.exe

description	pid	process	target process
PID 1920 wrote to memory of 2412	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 2412	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 2412	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 2412	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 2592	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 2592	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 2592	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 2592	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 1368	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 1368	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 1368	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 1368	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 1744	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 1744	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 1744	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 1744	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 3036	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 3036	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 3036	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe
PID 1920 wrote to memory of 3036	1920	818254d916f20affd2254e156e32cb91.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\818254d916f20affd2254e156e32cb91.exe
"C:\Users\Admin\AppData\Local\Temp\818254d916f20affd2254e156e32cb91.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit dns1.soprodns.ru
2⤵
PID:2412

C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit dns1.soprodns.ru
2⤵
PID:2592

C:\Windows\SysWOW64\nslookup.exe
nslookup gandcrab.bit dns1.soprodns.ru
2⤵
PID:1368

C:\Windows\SysWOW64\nslookup.exe
nslookup nomoreransom.bit dns1.soprodns.ru
2⤵
PID:1744

C:\Windows\SysWOW64\nslookup.exe
nslookup emsisoft.bit dns1.soprodns.ru
2⤵
PID:3036

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads