Analysis
-
max time kernel
135s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
07/06/2023, 11:11
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20230221-en
windows10-2004-x64
General
-
Target
tmp.exe
-
Size
5.3MB
-
MD5
cb77eac7737661d48dfedbccd07e0d95
-
SHA1
ddb0c70e122a5970b76ab3e62aafa601a8326f51
-
SHA256
74d63f658c7d76570d226e2f5535ebe18b33fa1696653ce520810c14511b0266
-
SHA512
79cc356fc099a5c8b317bd2ff8e9e7703e49e6a873cafdf7fef8bef0169d4250686f4ec93b71b873a9682424225ef5e291585e444b663e2390511a498183c588
-
SSDEEP
98304:fZjbxmUu9NHQZKgVpQhRsuQOfAssiYD5XrEmZ5GMreeb8KJqfNLq6VqGjGt:RjbxfXZKJhlQhJiYrP5NiebsNBVqGS
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/4376-134-0x00007FF683160000-0x00007FF683AA0000-memory.dmp vmprotect -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: tmp.exe File opened (read-only) \??\N: tmp.exe File opened (read-only) \??\Q: tmp.exe File opened (read-only) \??\E: tmp.exe File opened (read-only) \??\F: tmp.exe File opened (read-only) \??\I: tmp.exe File opened (read-only) \??\M: tmp.exe File opened (read-only) \??\S: tmp.exe File opened (read-only) \??\T: tmp.exe File opened (read-only) \??\V: tmp.exe File opened (read-only) \??\W: tmp.exe File opened (read-only) \??\G: tmp.exe File opened (read-only) \??\K: tmp.exe File opened (read-only) \??\L: tmp.exe File opened (read-only) \??\O: tmp.exe File opened (read-only) \??\R: tmp.exe File opened (read-only) \??\U: tmp.exe File opened (read-only) \??\H: tmp.exe File opened (read-only) \??\J: tmp.exe File opened (read-only) \??\P: tmp.exe File opened (read-only) \??\X: tmp.exe File opened (read-only) \??\Y: tmp.exe File opened (read-only) \??\Z: tmp.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 tmp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString tmp.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe 4376 tmp.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4376 tmp.exe
Processes
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
300KB
MD5a40a214db11296040db96cdfd3969e08
SHA1f79b6b66ba9366f2e3b4bdef53191e79c122f5bb
SHA256185c9786657c6d08c7e4eb259f5ead74093b1d9191758a51203c528cf5a9fa2d
SHA51290500ad6b261335dc70a78b6efa2ad4016a299b5d9aad582e28f306098b7b03d6b2e02b26baab9fd417bf20517147e715a65393089b168c6e27c8053d927ea92