9ac5f2706cee09c809a4bbd6959021d4974aa5b677af05bd22e4c0d439ee47a8

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18/03/2023, 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

3.0MB
MD5

b352cf5548ef51387d9e4a55073853ea
SHA1

117e972c1ffa3d7c3ddf157569d8d5155335afd4
SHA256

9ac5f2706cee09c809a4bbd6959021d4974aa5b677af05bd22e4c0d439ee47a8
SHA512

8949ae81cb32f31f0ff9543a60ae14879d53e7cbb53741dd5ba7f25c951c143149ab2dd4c1f0af13540b05ed6e8d07b1d3138588c45ee41c071459777edd4e05
SSDEEP

49152:lNDnB3dQQ/Fv4Nwd8G0pteuhG7NKj+g1c8aSBBNoP0lpiUT9S41NUZEnk2O:lNrFv4F3QSGMSg1Pa+X8U9Uqnk2O

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	tmp.exe
File opened (read-only)	\??\K:	tmp.exe
File opened (read-only)	\??\O:	tmp.exe
File opened (read-only)	\??\V:	tmp.exe
File opened (read-only)	\??\B:	tmp.exe
File opened (read-only)	\??\F:	tmp.exe
File opened (read-only)	\??\G:	tmp.exe
File opened (read-only)	\??\M:	tmp.exe
File opened (read-only)	\??\T:	tmp.exe
File opened (read-only)	\??\E:	tmp.exe
File opened (read-only)	\??\H:	tmp.exe
File opened (read-only)	\??\I:	tmp.exe
File opened (read-only)	\??\N:	tmp.exe
File opened (read-only)	\??\P:	tmp.exe
File opened (read-only)	\??\Q:	tmp.exe
File opened (read-only)	\??\U:	tmp.exe
File opened (read-only)	\??\Y:	tmp.exe
File opened (read-only)	\??\L:	tmp.exe
File opened (read-only)	\??\R:	tmp.exe
File opened (read-only)	\??\S:	tmp.exe
File opened (read-only)	\??\W:	tmp.exe
File opened (read-only)	\??\X:	tmp.exe
File opened (read-only)	\??\Z:	tmp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs

pid	Process
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe
1252	tmp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	tmp.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1252	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1252	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1252-54-0x0000000000400000-0x0000000000880000-memory.dmp

Filesize
4.5MB

Download
memory/1252-55-0x0000000075B70000-0x0000000075BB7000-memory.dmp

Filesize
284KB

Download
memory/1252-461-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-464-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-463-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-462-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-465-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-466-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-467-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-469-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-470-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-468-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-471-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-473-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-472-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-475-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-474-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-477-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-481-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-490-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-489-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-491-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-492-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-488-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-487-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-486-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-485-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-494-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-495-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-493-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-484-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-483-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-496-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-497-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-482-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-498-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-501-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-502-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-500-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-508-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-507-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-523-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-522-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-521-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-520-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-519-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-518-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-517-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-516-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-515-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-514-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-513-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-512-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-511-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-510-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-509-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-506-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-505-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-504-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-503-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-499-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-480-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-479-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-478-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-476-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-1504-0x00000000022D0000-0x00000000023D0000-memory.dmp

Filesize
1024KB

Download
memory/1252-1506-0x0000000002690000-0x0000000002811000-memory.dmp

Filesize
1.5MB

Download
memory/1252-4807-0x00000000022D0000-0x00000000023D0000-memory.dmp

Filesize
1024KB

Download
memory/1252-4808-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/1252-4818-0x0000000002550000-0x0000000002651000-memory.dmp

Filesize
1.0MB

Download
memory/1252-4819-0x0000000000880000-0x0000000000921000-memory.dmp

Filesize
644KB

Download
memory/1252-4829-0x0000000000400000-0x0000000000880000-memory.dmp

Filesize
4.5MB

Download