Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-07-2023 18:01
Behavioral task: behavioral1
Sample: 6e4c12c9c719b9exeexeexeex.exe
Resource: win7-20230703-en

Behavioral task: behavioral2
Sample: 6e4c12c9c719b9exeexeexeex.exe
Resource: win10v2004-20230703-en
General
Target: 6e4c12c9c719b9exeexeexeex.exe
Size: 73KB
MD5: 6e4c12c9c719b96b7e51d79625f1770a
SHA1: c3c0bf854d6333c5e6fdbb48b60fda27b8ab1447
SHA256: 16d99d11e7be47f5796df17a40779084db0ac4db8c4e614710790d32fe1747eb
SHA512: 1767a013e4d7b15290c2ac4163ede7d6cdd85afa34ffc907801c7aa4ca7da7dfc4c65ac123906fd678c7ca9d54baad85fa2232aa6fa2c659a8428a340d503968
SSDEEP: 1536:b555555555555pmgSeGDjtQhnwmmB0yXMqqU+2bbbAV2/S2mr3IdE8mne0Avu5rC:8MSjOnrmBPMqqDL2/mr3IdE8we0Avu5h
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qcrsciqbdqo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6e4c12c9c719b9exeexeexeex.exe" | 6e4c12c9c719b9exeexeexeex.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | 6e4c12c9c719b9exeexeexeex.exe |
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
| --- | --- | --- |
| File opened (read-only) | \??\O: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\A: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\G: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\I: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\J: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\M: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\V: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\B: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\E: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\P: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\R: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\U: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\L: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\N: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\S: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\T: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\W: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\Z: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\H: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\K: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\Q: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\X: | 6e4c12c9c719b9exeexeexeex.exe |
| File opened (read-only) | \??\Y: | 6e4c12c9c719b9exeexeexeex.exe |
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 6e4c12c9c719b9exeexeexeex.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 6e4c12c9c719b9exeexeexeex.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 6e4c12c9c719b9exeexeexeex.exe |
Suspicious behavior: EnumeratesProcesses (4 IoCs)

| pid | Process |
| --- | --- |
| 3584 | 6e4c12c9c719b9exeexeexeex.exe |
| 3584 | 6e4c12c9c719b9exeexeexeex.exe |
| 3584 | 6e4c12c9c719b9exeexeexeex.exe |
| 3584 | 6e4c12c9c719b9exeexeexeex.exe |
Suspicious use of WriteProcessMemory (42 IoCs)
Each of the following writes is recorded three times in the report, giving 42 IoCs in total.

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 3584 wrote to memory of 4572 | 3584 | 6e4c12c9c719b9exeexeexeex.exe | 89 |
| PID 3584 wrote to memory of 3448 | 3584 | 6e4c12c9c719b9exeexeexeex.exe | 93 |
| PID 3584 wrote to memory of 636 | 3584 | 6e4c12c9c719b9exeexeexeex.exe | 95 |
| PID 3584 wrote to memory of 2960 | 3584 | 6e4c12c9c719b9exeexeexeex.exe | 100 |
| PID 3584 wrote to memory of 2896 | 3584 | 6e4c12c9c719b9exeexeexeex.exe | 102 |
| PID 3584 wrote to memory of 1932 | 3584 | 6e4c12c9c719b9exeexeexeex.exe | 104 |
| PID 3584 wrote to memory of 1740 | 3584 | 6e4c12c9c719b9exeexeexeex.exe | 106 |
| PID 3584 wrote to memory of 4424 | 3584 | 6e4c12c9c719b9exeexeexeex.exe | 108 |
| PID 3584 wrote to memory of 3124 | 3584 | 6e4c12c9c719b9exeexeexeex.exe | 110 |
| PID 3584 wrote to memory of 2560 | 3584 | 6e4c12c9c719b9exeexeexeex.exe | 112 |
| PID 3584 wrote to memory of 116 | 3584 | 6e4c12c9c719b9exeexeexeex.exe | 114 |
| PID 3584 wrote to memory of 3596 | 3584 | 6e4c12c9c719b9exeexeexeex.exe | 118 |
| PID 3584 wrote to memory of 2948 | 3584 | 6e4c12c9c719b9exeexeexeex.exe | 120 |
| PID 3584 wrote to memory of 2248 | 3584 | 6e4c12c9c719b9exeexeexeex.exe | 122 |
Processes
C:\Users\Admin\AppData\Local\Temp\6e4c12c9c719b9exeexeexeex.exe (level 1, PID: 3584)
Command line: "C:\Users\Admin\AppData\Local\Temp\6e4c12c9c719b9exeexeexeex.exe"
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Child processes (level 2), all spawned by PID 3584:

| Process | Command line | PID |
| --- | --- | --- |
| C:\Windows\SysWOW64\nslookup.exe | nslookup nomoreransom.bit dns1.soprodns.ru | 4572 |
| C:\Windows\SysWOW64\nslookup.exe | nslookup emsisoft.bit dns1.soprodns.ru | 3448 |
| C:\Windows\SysWOW64\nslookup.exe | nslookup gandcrab.bit dns1.soprodns.ru | 636 |
| C:\Windows\SysWOW64\nslookup.exe | nslookup nomoreransom.bit dns1.soprodns.ru | 2960 |
| C:\Windows\SysWOW64\nslookup.exe | nslookup emsisoft.bit dns1.soprodns.ru | 2896 |
| C:\Windows\SysWOW64\nslookup.exe | nslookup gandcrab.bit dns1.soprodns.ru | 1932 |
| C:\Windows\SysWOW64\nslookup.exe | nslookup nomoreransom.bit dns1.soprodns.ru | 1740 |
| C:\Windows\SysWOW64\nslookup.exe | nslookup emsisoft.bit dns1.soprodns.ru | 4424 |
| C:\Windows\SysWOW64\nslookup.exe | nslookup gandcrab.bit dns1.soprodns.ru | 3124 |
| C:\Windows\SysWOW64\nslookup.exe | nslookup nomoreransom.bit dns1.soprodns.ru | 2560 |
| C:\Windows\SysWOW64\nslookup.exe | nslookup emsisoft.bit dns1.soprodns.ru | 116 |
| C:\Windows\SysWOW64\nslookup.exe | nslookup gandcrab.bit dns1.soprodns.ru | 3596 |
| C:\Windows\SysWOW64\nslookup.exe | nslookup nomoreransom.bit dns1.soprodns.ru | 2948 |
| C:\Windows\SysWOW64\nslookup.exe | nslookup emsisoft.bit dns1.soprodns.ru | 2248 |