Analysis

Max time kernel: 35s
Max time network: 46s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 25-11-2022 12:31

- Static task: static1
- Behavioral task: behavioral1
  Sample: IDM 激活工具.cmd
  Resource: win7-20220812-en
- Behavioral task: behavioral2
  Sample: IDM 激活工具.cmd
  Resource: win10v2004-20220812-en
General

Target: IDM 激活工具.cmd
Size: 25KB
MD5: 419b8e559eb9f6de0fc42c5dae34356f
SHA1: e723bd40034e3486173840a4a38154548b1cee56
SHA256: 7dd95b809be00973b158bbb749ebabd3cba95381661a7bc00c2cc9d4044314b8
SHA512: 04c75326779a30cb1ac99ec5083b4d3991536c422f57d2b75e7516793e716210e49349d90ebbda7d033392c37b8459ceba1ff5e0f2dc4295a54f3c417be68f65
SSDEEP: 192:ewVLk373E1zU0eRB/x56PmX+BFq+EOIyKatBBLiffE7myr5W0bt/8wVaTfCElzEd:E3739dRJqTg7YOgcugPZ5SAJkYltq
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - reg.exe: key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  - reg.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Modifies registry key (1 TTPs, 3 IoCs)
- Suspicious use of WriteProcessMemory (57 IoCs)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\IDM 激活工具.cmd"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ver
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\DownloadManager" /v ExePath 2>nul
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\reg.exe
      Command line: reg query "HKCU\Software\DownloadManager" /v ExePath
  - C:\Windows\System32\reg.exe
    Command line: reg query HKU\S-1-5-19
  - C:\Windows\System32\reg.exe
    Command line: reg query "HKLM\Hardware\Description\System\CentralProcessor\0" /v "Identifier"
    Signatures: Checks processor information in registry
  - C:\Windows\System32\find.exe
    Command line: find /i "x86"
  - C:\Windows\System32\mode.com
    Command line: mode 65, 25
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile /v EnableFirewall 2>nul
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\reg.exe
      Command line: reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile /v EnableFirewall
      Signatures: Modifies registry key
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile /v EnableFirewall 2>nul
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\reg.exe
      Command line: reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile /v EnableFirewall
      Signatures: Modifies registry key
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall 2>nul
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\reg.exe
      Command line: reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall
      Signatures: Modifies registry key
  - C:\Windows\System32\findstr.exe
    Command line: findstr /a:07 /f:`.txt "."
  - C:\Windows\System32\findstr.exe
    Command line: findstr /a:0C /f:`.txt "."
  - C:\Windows\System32\findstr.exe
    Command line: findstr /a:07 /f:`.txt "."
  - C:\Windows\System32\findstr.exe
    Command line: findstr /a:0A /f:`.txt "."
  - C:\Windows\System32\choice.exe
    Command line: choice /C:12345 /N
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Temp\'
  Filesize: 1B
  MD5: 5058f1af8388633f609cadb75a75dc9d
  SHA1: 3a52ce780950d4d969792a2559cd519d7ee8c727
  SHA256: cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
  SHA512: 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
- C:\Windows\Temp\`.txt
  Filesize: 42B
  MD5: 3b7939a5c1dfa88776d8383f755026b3
  SHA1: ee64a23dd8d898962c777b15631cec84932ad449
  SHA256: e5a1828df77774c461e591d1232c6c19126b88f764c7fb7d1bdfd4de8781703f
  SHA512: b27c5bb2902408d5aa945e68402752cb8ddebe21af1d548014960c65af11c30f607a9c2c2d6015c7bbfc4288eaac4ab764699236096baa63bbff3fe8d04e8edf
- C:\Windows\Temp\`.txt
  Filesize: 17B
  MD5: cabc561b03f9a4ef0535932b6eaf08a0
  SHA1: da58171d7dd97bbf8c6d38f64dcfda4cee3d465c
  SHA256: d30e98e8b15e2388b0ea2a42677d26a2b0894506720ac8cbbae70662e76dfdd2
  SHA512: dd0402ed32c8247b700aea2c7fdc4bd7e5cdc8979e1d9ae5953fe13b1b15622cb73dd1a749e3984027120456b1420548270002bdb3383cdd3c7aec2595f56682
- C:\Windows\Temp\`.txt
  Filesize: 15B
  MD5: 4388ac7767c5a9f29cb1ba7cd68338bf
  SHA1: 02930012ae546abcf97021d381109f84343cb6b7
  SHA256: dcd2da047ccc3bb6ea24d1fa2caca43b27668c65d0e03f04a94e4103b27afc37
  SHA512: 6b3d370790b284d91fb442073cbcc4f306d7a745773aa6bce399852e3f83ed4f5d18e8a37e43a4b0b76c23443e3e9ef3f4977ac5fd4a7e9403077a6f4fe9d863
- C:\Windows\Temp\`.txt
  Filesize: 40B
  MD5: 83b20a41c2aee29f137d86131bf8833c
  SHA1: 71523bb2c2514458f2f0c1cffe81dd8c8c49fc3c
  SHA256: 7164f5410e90ffc72bc3e21dbfb671331222c5b2cb7a30e957a4c52b8109d2c1
  SHA512: 6af3491ef30a18c00d09e04951f3150da42437c2cd3908b04a0174b928eabd7a5107198f735fdd4bc33464126e0a55de0e731adcef8da1b3127414bc72007527