Analysis
- Max time kernel: 91s
- Max time network: 155s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220812-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 25-11-2022 12:31
Static task: static1
Behavioral task: behavioral1
- Sample: IDM 激活工具.cmd
- Resource: win7-20220812-en (windows7-x64)
- 3 signatures, 150 seconds
Behavioral task: behavioral2
- Sample: IDM 激活工具.cmd
- Resource: win10v2004-20220812-en (windows10-2004-x64)
- 3 signatures, 150 seconds
General
- Target: IDM 激活工具.cmd (the filename is Chinese for "IDM activation tool")
- Size: 25KB
- MD5: 419b8e559eb9f6de0fc42c5dae34356f
- SHA1: e723bd40034e3486173840a4a38154548b1cee56
- SHA256: 7dd95b809be00973b158bbb749ebabd3cba95381661a7bc00c2cc9d4044314b8
- SHA512: 04c75326779a30cb1ac99ec5083b4d3991536c422f57d2b75e7516793e716210e49349d90ebbda7d033392c37b8459ceba1ff5e0f2dc4295a54f3c417be68f65
- SSDEEP: 192:ewVLk373E1zU0eRB/x56PmX+BFq+EOIyKatBBLiffE7myr5W0bt/8wVaTfCElzEd:E3739dRJqTg7YOgcugPZ5SAJkYltq
- Score: 1/10
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (reg.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (reg.exe)
- Modifies registry key (1 TTP, 3 IoCs)
- Suspicious use of WriteProcessMemory (34 IoCs)
  Processes: cmd.exe (6 instances). The report records each write twice; the 17 distinct parent-to-child writes are:
  - PID 4780 (cmd.exe) wrote to memory of PID 5100 (cmd.exe)
  - PID 4780 (cmd.exe) wrote to memory of PID 3104 (cmd.exe)
  - PID 3104 (cmd.exe) wrote to memory of PID 1720 (cmd.exe)
  - PID 3104 (cmd.exe) wrote to memory of PID 1556 (cmd.exe)
  - PID 4780 (cmd.exe) wrote to memory of PID 4932 (cmd.exe)
  - PID 4932 (cmd.exe) wrote to memory of PID 4844 (reg.exe)
  - PID 4780 (cmd.exe) wrote to memory of PID 4828 (reg.exe)
  - PID 4780 (cmd.exe) wrote to memory of PID 4892 (reg.exe)
  - PID 4780 (cmd.exe) wrote to memory of PID 4632 (find.exe)
  - PID 4780 (cmd.exe) wrote to memory of PID 1072 (mode.com)
  - PID 4780 (cmd.exe) wrote to memory of PID 4160 (cmd.exe)
  - PID 4160 (cmd.exe) wrote to memory of PID 1640 (reg.exe)
  - PID 4780 (cmd.exe) wrote to memory of PID 1580 (cmd.exe)
  - PID 1580 (cmd.exe) wrote to memory of PID 4972 (reg.exe)
  - PID 4780 (cmd.exe) wrote to memory of PID 1780 (cmd.exe)
  - PID 1780 (cmd.exe) wrote to memory of PID 3712 (reg.exe)
  - PID 4780 (cmd.exe) wrote to memory of PID 2336 (choice.exe)
Processes (indented by parent/child level; the signature each process triggered is noted beneath it)
- C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\IDM 激活工具.cmd"
  Signature: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe /c ver
  - C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    - C:\Windows\System32\cmd.exe (cmd)
  - C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\DownloadManager" /v ExePath 2>nul
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\reg.exe: reg query "HKCU\Software\DownloadManager" /v ExePath
  - C:\Windows\System32\reg.exe: reg query HKU\S-1-5-19
  - C:\Windows\System32\reg.exe: reg query "HKLM\Hardware\Description\System\CentralProcessor\0" /v "Identifier"
    Signature: Checks processor information in registry
  - C:\Windows\System32\find.exe: find /i "x86"
  - C:\Windows\System32\mode.com: mode 65, 25
  - C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile /v EnableFirewall 2>nul
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile /v EnableFirewall
      Signature: Modifies registry key
  - C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile /v EnableFirewall 2>nul
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile /v EnableFirewall
      Signature: Modifies registry key
  - C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall 2>nul
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\reg.exe: reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall
      Signature: Modifies registry key
  - C:\Windows\System32\choice.exe: choice /C:12345 /N
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads