Analysis
max time kernel: 33s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 09:58
Behavioral task: behavioral1
Sample: 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
Resource: win10v2004-20220812-en
General
Target: 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
Size: 7.1MB
MD5: 2fd80bf77f8856070463b44b18919c9d
SHA1: f42052504e9c17694c154261419cfcc2aee72ca5
SHA256: 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f
SHA512: bbd3a7c6ddd88136ec8e64dc8c46aa23f60af445e7ef52544cd50df045062eb7a4afa94939a92ba062e03e292c2fcd03d7472e1ed964035584c5e13a100f1348
SSDEEP: 98304:LkcUxnuKnohw32w9BISOc6wMxV23dbOIWV0fUKCg8snR1JLmOWCLCl9Y/d/uV5xg:AIKntkSbrMx0NbOIs6UKLZrJnEjzSZH
Malware Config
Signatures
Processes (resource -> yara_rule):
- behavioral1/memory/1112-55-0x000000013F120000-0x000000013FFBD000-memory.dmp -> vmprotect
- behavioral1/memory/1112-59-0x000000013F120000-0x000000013FFBD000-memory.dmp -> vmprotect
- behavioral1/memory/1112-62-0x000000013F120000-0x000000013FFBD000-memory.dmp -> vmprotect
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes (resource -> yara_rule):
- behavioral1/memory/1112-55-0x000000013F120000-0x000000013FFBD000-memory.dmp -> autoit_exe
- behavioral1/memory/1112-59-0x000000013F120000-0x000000013FFBD000-memory.dmp -> autoit_exe
- behavioral1/memory/1112-62-0x000000013F120000-0x000000013FFBD000-memory.dmp -> autoit_exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe)
NTFS ADS 1 IoCs
Processes (description, ioc, process):
- File opened for modification: C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel = impersonate}!\root\cimv2 (445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe)
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes (pid, process):
- 1112 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
- 1112 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
- 1112 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes (description, pid, process -> target process):
- PID 1112 wrote to memory of 2004: 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe -> cmd.exe
- PID 1112 wrote to memory of 2004: 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe -> cmd.exe
- PID 1112 wrote to memory of 2004: 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe -> cmd.exe
- PID 2004 wrote to memory of 1724: cmd.exe -> ARP.EXE
- PID 2004 wrote to memory of 1724: cmd.exe -> ARP.EXE
- PID 2004 wrote to memory of 1724: cmd.exe -> ARP.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe"
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c arp -g 10.127.0.1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\ARP.EXE
      Command line: arp -g 10.127.0.1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1112-54-0x000007FEFB871000-0x000007FEFB873000-memory.dmp (Filesize: 8KB)
- memory/1112-55-0x000000013F120000-0x000000013FFBD000-memory.dmp (Filesize: 14.6MB)
- memory/1112-59-0x000000013F120000-0x000000013FFBD000-memory.dmp (Filesize: 14.6MB)
- memory/1112-62-0x000000013F120000-0x000000013FFBD000-memory.dmp (Filesize: 14.6MB)
- memory/1724-61-0x0000000000000000-mapping.dmp
- memory/2004-60-0x0000000000000000-mapping.dmp