Analysis
max time kernel: 142s
max time network: 147s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 03:33
Behavioral task: behavioral1
Sample: 818254d916f20affd2254e156e32cb91.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 818254d916f20affd2254e156e32cb91.exe
Resource: win10v2004-20240611-en
General
Target: 818254d916f20affd2254e156e32cb91.exe
Size: 73KB
MD5: 818254d916f20affd2254e156e32cb91
SHA1: e50e8d35957284df86a4a16d118cd8c83fd0dc62
SHA256: ce5d197fa3d2ad070ca03408e80052032c0c5c303af8982b7094952617ee41a8
SHA512: fd5f32c0145056c359310179f2c4f2d4175b944302f5931724dfe3d43d0c80f0a86092db405527d447f7212fe08b627d5c64804a335e4a3938a5adcb3ac3623a
SSDEEP: 1536:v55u555555555pmgSeGDjtQhnwmmB0ybMqqU+2bbbAV2/S2mr3IdE8mne0Avu5rJ:bMSjOnrmBTMqqDL2/mr3IdE8we0Avu5F
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
Process: 818254d916f20affd2254e156e32cb91.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dhobjbstdzs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\818254d916f20affd2254e156e32cb91.exe" | 818254d916f20affd2254e156e32cb91.exe
The signature name says Run, but the value is written under RunOnce in the user hive: it fires at that user's next logon only, and Windows deletes the value before executing it, so a host examined after that logon will no longer show it. The value name dhobjbstdzs is random-looking and the data points at the sample's own path in the user's Temp directory.
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 818254d916f20affd2254e156e32cb91.exe
description: File opened (read-only), once for each of the following drive roots, in the order recorded:
\??\I: \??\O: \??\Q: \??\W: \??\Z: \??\E: \??\H: \??\Y: \??\A: \??\L: \??\J: \??\K: \??\M: \??\R: \??\U: \??\V: \??\B: \??\G: \??\X: \??\S: \??\T: \??\N: \??\P:
That is every letter from A: to Z: except C:, D: and F:, which is the pattern of a sample walking all drive letters rather than reacting to drives that exist.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: 818254d916f20affd2254e156e32cb91.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 818254d916f20affd2254e156e32cb91.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 818254d916f20affd2254e156e32cb91.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 818254d916f20affd2254e156e32cb91.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
1920 | 818254d916f20affd2254e156e32cb91.exe
1920 | 818254d916f20affd2254e156e32cb91.exe
Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | process | target process
PID 1920 wrote to memory of 2412 | 1920 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe (recorded 4 times)
PID 1920 wrote to memory of 2592 | 1920 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe (recorded 4 times)
PID 1920 wrote to memory of 1368 | 1920 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe (recorded 4 times)
PID 1920 wrote to memory of 1744 | 1920 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe (recorded 4 times)
PID 1920 wrote to memory of 3036 | 1920 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe (recorded 4 times)
All 20 writes go from the sample (PID 1920) into the five nslookup.exe children it starts, four per child. A small, fixed number of writes into a child the parent has just created is consistent with ordinary process creation and is not on its own evidence of code injection; nothing in this report shows a write beyond the launch of each child.
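The three host-side signatures above (a RunOnce value pointing into Temp, a sweep of drive roots, and reads of the CentralProcessor key) can be re-derived from the raw events with a few lines of correlation. The script below is an added example, not the sandbox's code; the event tuples are constructed from the report text, and the explorer.exe control row (a Run value pointing at an installed program, which should not fire) is an assumption.

```python
"""Re-derive the host-side signatures from sandbox-style events: a Run or
RunOnce value whose data lives under a user's Temp directory, a burst of
drive-root opens from one process, and reads under CentralProcessor.
Added example; events are constructed from the report, not exported by it."""
import re
from collections import defaultdict

# Run and RunOnce under <hive>\Software\Microsoft\Windows\CurrentVersion, capturing the value name
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# location a dropped payload commonly executes from
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# NT object-manager form of a drive root as the sandbox logs it: \??\X:
DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([A-Z]):$")
CPU_KEY_RE = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+", re.I)


def analyze(events, drive_threshold=5):
    """events: iterable of (process, action, target, value_or_None) tuples in the
    shape of the report's signature tables. Returns a list of (rule, detail)."""
    findings = []
    drives = defaultdict(set)     # process -> drive letters whose root it opened
    cpu_reads = defaultdict(set)  # process -> CentralProcessor keys/values touched

    for proc, action, target, value in events:
        if action.startswith("Set value"):
            m = RUN_KEY_RE.search(target)
            if m and value and TEMP_PATH_RE.search(value):
                findings.append(("autorun_from_temp",
                                 f"{proc}: {m.group(1)}\\{m.group(2)} -> {value}"))
        elif action == "File opened (read-only)":
            m = DRIVE_ROOT_RE.match(target)
            if m:
                drives[proc].add(m.group(1))
        elif action in ("Key opened", "Key value queried") and CPU_KEY_RE.search(target):
            cpu_reads[proc].add(target)

    # a handful of root opens is normal; a sweep across most letters is not
    for proc, letters in drives.items():
        if len(letters) >= drive_threshold:
            findings.append(("drive_enumeration",
                             f"{proc}: opened {len(letters)} drive roots ({''.join(sorted(letters))})"))
    for proc, keys in cpu_reads.items():
        findings.append(("cpu_fingerprint", f"{proc}: {len(keys)} CentralProcessor reads"))
    return findings


# --- constructed input, transcribed from the report's signature tables ---
SAMPLE = "818254d916f20affd2254e156e32cb91.exe"
HKCU = "\\REGISTRY\\USER\\S-1-5-21-268080393-3149932598-1824759070-1000"
CPU0 = "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"
EVENTS = [
    (SAMPLE, "Set value (str)",
     HKCU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\dhobjbstdzs",
     "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE),
    # the 23 drive roots, in the order the report lists them
    *[(SAMPLE, "File opened (read-only)", "\\??\\" + d + ":", None)
      for d in "IOQWZEHYALJKMRUVBGXSTNP"],
    (SAMPLE, "Key value queried", CPU0 + "\\ProcessorNameString", None),
    (SAMPLE, "Key value queried", CPU0 + "\\Identifier", None),
    (SAMPLE, "Key opened", CPU0, None),
    # assumed control row: a Run value pointing at an installed program is not flagged
    ("explorer.exe", "Set value (str)",
     HKCU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "C:\\Program Files\\OneDrive\\OneDrive.exe"),
]

if __name__ == "__main__":
    for rule, detail in analyze(EVENTS):
        print(f"[{rule}] {detail}")
```

The drive-root rule keys on the count of distinct letters per process rather than on any single open, since a legitimate program may probe one or two removable drives; the threshold of five is a starting point to tune against your own baseline.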
Processes
1. C:\Users\Admin\AppData\Local\Temp\818254d916f20affd2254e156e32cb91.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\818254d916f20affd2254e156e32cb91.exe"
   - Adds Run key to start application
   - Enumerates connected drives
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\nslookup.exe
      command line: nslookup nomoreransom.bit dns1.soprodns.ru
   2. C:\Windows\SysWOW64\nslookup.exe
      command line: nslookup emsisoft.bit dns1.soprodns.ru
   2. C:\Windows\SysWOW64\nslookup.exe
      command line: nslookup gandcrab.bit dns1.soprodns.ru
   2. C:\Windows\SysWOW64\nslookup.exe
      command line: nslookup nomoreransom.bit dns1.soprodns.ru
   2. C:\Windows\SysWOW64\nslookup.exe
      command line: nslookup emsisoft.bit dns1.soprodns.ru
The five nslookup.exe children match the five target PIDs (2412, 2592, 1368, 1744, 3036) in the WriteProcessMemory signature. They are the SysWOW64 copy of nslookup, so the parent is a 32-bit process on this x64 image. Each lookup names dns1.soprodns.ru as the server because .bit is the Namecoin blockchain namespace and does not exist in the public DNS root; the sample delegates resolution to the system nslookup tool instead of carrying its own resolver, and it repeats nomoreransom.bit and emsisoft.bit, which looks like a loop over a fixed list until one answers.
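A process-tree triage for this pattern only needs the child's image path and command line. The script below is an added example, not the sandbox's code: the five report lines are copied from the process tree above, the two System32 control lines are constructed, and the Emercoin entries in ALT_TLDS (beyond the .bit seen here) are included as an assumption so the check generalises past this one sample.

```python
"""Flag nslookup.exe children that query a blockchain-name TLD through an
explicitly named resolver, and count repeated (name, server) pairs.
Added example; the report's five command lines plus two constructed controls."""
from collections import Counter

# TLDs that are not served by the ICANN root: .bit (Namecoin) is the one in this
# report; the remaining four are Emercoin's and are assumed here for coverage.
ALT_TLDS = {"bit", "emc", "coin", "lib", "bazar"}


def parse_nslookup(image, cmdline):
    """Return (name, server_or_None) for a non-interactive nslookup command line,
    or None if the image is not nslookup.exe or it was started with no query
    (interactive mode). Options such as -type=mx are skipped."""
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe != "nslookup.exe":
        return None
    args = [a for a in cmdline.split()[1:] if not a.startswith("-")]
    if not args:
        return None
    name = args[0].lower().rstrip(".")
    server = args[1].lower() if len(args) > 1 else None
    return name, server


def tld_of(name):
    return name.rsplit(".", 1)[-1] if "." in name else ""


def triage(children):
    """children: list of (image_path, command_line). Returns (findings, counts):
    one dict per flagged child, and a Counter of (name, server) pairs so that a
    sample cycling through a fixed list of names stands out."""
    findings, counts = [], Counter()
    for image, cmdline in children:
        parsed = parse_nslookup(image, cmdline)
        if parsed is None:
            continue
        name, server = parsed
        counts[(name, server)] += 1
        reasons = []
        if tld_of(name) in ALT_TLDS:
            reasons.append(f"TLD .{tld_of(name)} is not in the public DNS root")
        if server is not None:
            reasons.append(f"query sent to an explicitly named resolver ({server})")
        if not reasons:
            continue
        # the alternative-root TLD is the strong signal; an explicit resolver on
        # its own is routine in admin use and only rates a low-severity note
        severity = "high" if tld_of(name) in ALT_TLDS else "low"
        findings.append({"name": name, "server": server, "severity": severity,
                         "wow64": "syswow64" in image.lower(), "reasons": reasons})
    return findings, counts


# --- constructed input: five lines from the report, two control lines ---
WOW = "C:\\Windows\\SysWOW64\\nslookup.exe"
SYS = "C:\\Windows\\System32\\nslookup.exe"
CHILDREN = [
    (WOW, "nslookup nomoreransom.bit dns1.soprodns.ru"),
    (WOW, "nslookup emsisoft.bit dns1.soprodns.ru"),
    (WOW, "nslookup gandcrab.bit dns1.soprodns.ru"),
    (WOW, "nslookup nomoreransom.bit dns1.soprodns.ru"),
    (WOW, "nslookup emsisoft.bit dns1.soprodns.ru"),
    (SYS, "nslookup www.example.com"),               # constructed: ordinary lookup, not flagged
    (SYS, "nslookup -type=mx example.com 8.8.8.8"),  # constructed: explicit resolver only
]

if __name__ == "__main__":
    findings, counts = triage(CHILDREN)
    for f in findings:
        print(f["severity"], f["name"], f["server"], "wow64" if f["wow64"] else "native", f["reasons"])
    for (name, server), n in counts.most_common():
        print(f"{n}x {name} via {server}")
```

In practice the same two fields (image path and command line) are what a process-creation log such as Sysmon Event ID 1 gives you, so the rule ports directly; the Counter is there because a sample that loops over a short list of names until one resolves shows up as the same pair repeated within seconds.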