Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 03:33
Behavioral task behavioral1
- Sample: 818254d916f20affd2254e156e32cb91.exe
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: 818254d916f20affd2254e156e32cb91.exe
- Resource: win10v2004-20240611-en
General
- Target: 818254d916f20affd2254e156e32cb91.exe
- Size: 73KB
- MD5: 818254d916f20affd2254e156e32cb91
- SHA1: e50e8d35957284df86a4a16d118cd8c83fd0dc62
- SHA256: ce5d197fa3d2ad070ca03408e80052032c0c5c303af8982b7094952617ee41a8
- SHA512: fd5f32c0145056c359310179f2c4f2d4175b944302f5931724dfe3d43d0c80f0a86092db405527d447f7212fe08b627d5c64804a335e4a3938a5adcb3ac3623a
- SSDEEP: 1536:v55u555555555pmgSeGDjtQhnwmmB0ybMqqU+2bbbAV2/S2mr3IdE8mne0Avu5rJ:bMSjOnrmBTMqqDL2/mr3IdE8we0Avu5F
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 818254d916f20affd2254e156e32cb91.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cqjkdcthsci = "C:\\Users\\Admin\\AppData\\Local\\Temp\\818254d916f20affd2254e156e32cb91.exe" | 818254d916f20affd2254e156e32cb91.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 818254d916f20affd2254e156e32cb91.exe
  description | ioc | process
  File opened (read-only) | \??\L: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\R: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\X: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\V: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\B: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\I: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\K: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\M: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\O: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\S: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\T: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\Y: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\A: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\H: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\N: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\Q: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\Z: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\E: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\G: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\J: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\P: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\U: | 818254d916f20affd2254e156e32cb91.exe
  File opened (read-only) | \??\W: | 818254d916f20affd2254e156e32cb91.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: 818254d916f20affd2254e156e32cb91.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 818254d916f20affd2254e156e32cb91.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 818254d916f20affd2254e156e32cb91.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 818254d916f20affd2254e156e32cb91.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 818254d916f20affd2254e156e32cb91.exe
  pid | process
  2836 | 818254d916f20affd2254e156e32cb91.exe (4 identical entries)
- Suspicious use of WriteProcessMemory (45 IoCs)
  Processes: 818254d916f20affd2254e156e32cb91.exe
  description | pid | process | target process (each target PID is recorded 3 times)
  PID 2836 wrote to memory of 2136 | 2836 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe
  PID 2836 wrote to memory of 3236 | 2836 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe
  PID 2836 wrote to memory of 2808 | 2836 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe
  PID 2836 wrote to memory of 4648 | 2836 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe
  PID 2836 wrote to memory of 2636 | 2836 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe
  PID 2836 wrote to memory of 5020 | 2836 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe
  PID 2836 wrote to memory of 3612 | 2836 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe
  PID 2836 wrote to memory of 2000 | 2836 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe
  PID 2836 wrote to memory of 3788 | 2836 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe
  PID 2836 wrote to memory of 4176 | 2836 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe
  PID 2836 wrote to memory of 3292 | 2836 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe
  PID 2836 wrote to memory of 4848 | 2836 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe
  PID 2836 wrote to memory of 228 | 2836 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe
  PID 2836 wrote to memory of 3856 | 2836 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe
  PID 2836 wrote to memory of 1220 | 2836 | 818254d916f20affd2254e156e32cb91.exe | nslookup.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\818254d916f20affd2254e156e32cb91.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\818254d916f20affd2254e156e32cb91.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup gandcrab.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup gandcrab.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup gandcrab.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup gandcrab.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup gandcrab.bit dns1.soprodns.ru