Analysis
- max time kernel: 177s
- max time network: 204s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 09:58
Behavioral task: behavioral1
- Sample: 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
- Resource: win10v2004-20220812-en
General
- Target: 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
- Size: 7.1MB
- MD5: 2fd80bf77f8856070463b44b18919c9d
- SHA1: f42052504e9c17694c154261419cfcc2aee72ca5
- SHA256: 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f
- SHA512: bbd3a7c6ddd88136ec8e64dc8c46aa23f60af445e7ef52544cd50df045062eb7a4afa94939a92ba062e03e292c2fcd03d7472e1ed964035584c5e13a100f1348
- SSDEEP: 98304:LkcUxnuKnohw32w9BISOc6wMxV23dbOIWV0fUKCg8snR1JLmOWCLCl9Y/d/uV5xg:AIKntkSbrMx0NbOIs6UKLZrJnEjzSZH
Malware Config
Signatures
-
  Processes:
  resource  yara_rule
  behavioral2/memory/4372-132-0x00007FF62B680000-0x00007FF62C51D000-memory.dmp  vmprotect
  behavioral2/memory/4372-139-0x00007FF62B680000-0x00007FF62C51D000-memory.dmp  vmprotect
- AutoIT Executable (2 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes:
  resource  yara_rule
  behavioral2/memory/4372-132-0x00007FF62B680000-0x00007FF62C51D000-memory.dmp  autoit_exe
  behavioral2/memory/4372-139-0x00007FF62B680000-0x00007FF62C51D000-memory.dmp  autoit_exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
  description  ioc  process
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
- NTFS ADS (1 IoC)
  Processes: 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
  description  ioc  process
  File opened for modification  C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel = impersonate}!\root\cimv2  445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
  pid  process
  4372  445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
  4372  445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
  4372  445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
  4372  445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
  4372  445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
  4372  445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe, cmd.exe
  description  pid  process  target process
  PID 4372 wrote to memory of 5112  4372  445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe  cmd.exe
  PID 4372 wrote to memory of 5112  4372  445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe  cmd.exe
  PID 5112 wrote to memory of 1908  5112  cmd.exe  ARP.EXE
  PID 5112 wrote to memory of 1908  5112  cmd.exe  ARP.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\445a192db610b22ba12739fea17053bc900d752efc57bece999d6a9a493c457f.exe"
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c arp -g 10.127.0.1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\ARP.EXE
      Command line: arp -g 10.127.0.1