Analysis
- max time kernel: 145s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 01:13
Behavioral task: behavioral1
- Sample: 2328e4546d4d1a40b04058646f979cd3.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 2328e4546d4d1a40b04058646f979cd3.exe
- Resource: win10v2004-20231222-en
General
- Target: 2328e4546d4d1a40b04058646f979cd3.exe
- Size: 73KB
- MD5: 2328e4546d4d1a40b04058646f979cd3
- SHA1: ffee6efcd76ad97b74a7bdcdf9ab06d018f5395b
- SHA256: 5d9ae3d59be53e98e849a2f7cd3c14ab89ada5ffa44530313c8999fa87ec779a
- SHA512: 9d02266331258e2d78b374ae863ad56380d35dcad60d2e899257a48e0d49967a2c788beccd2f51dd818890c1e922f09d271741f9aa1e95c790509c46e513a194
- SSDEEP: 1536:155u555555555pmgSeGDjtQhnwmmB0ybMqqU+2bbbAV2/S2mr3IdE8mne0Avu5rJ:dMSjOnrmBTMqqDL2/mr3IdE8we0Avu5h
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rnrernurzoc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2328e4546d4d1a40b04058646f979cd3.exe"
  process: 2328e4546d4d1a40b04058646f979cd3.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only), one entry per drive root
  ioc: \??\M:, \??\N:, \??\O:, \??\B:, \??\E:, \??\H:, \??\J:, \??\L:, \??\P:, \??\R:, \??\U:, \??\A:, \??\K:, \??\V:, \??\X:, \??\Y:, \??\G:, \??\I:, \??\Q:, \??\S:, \??\T:, \??\W:, \??\Z:
  process: 2328e4546d4d1a40b04058646f979cd3.exe (all 23 entries)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: 2328e4546d4d1a40b04058646f979cd3.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: 2328e4546d4d1a40b04058646f979cd3.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: 2328e4546d4d1a40b04058646f979cd3.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 2888  process: 2328e4546d4d1a40b04058646f979cd3.exe
  pid: 2888  process: 2328e4546d4d1a40b04058646f979cd3.exe
- Suspicious use of WriteProcessMemory (60 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\2328e4546d4d1a40b04058646f979cd3.exe (PID: 2888)
  command line: "C:\Users\Admin\AppData\Local\Temp\2328e4546d4d1a40b04058646f979cd3.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\nslookup.exe (PID: 1684)
    command line: nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe (PID: 2652)
    command line: nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe (PID: 2088)
    command line: nslookup gandcrab.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe (PID: 2480)
    command line: nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe (PID: 2452)
    command line: nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe (PID: 1964)
    command line: nslookup gandcrab.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe (PID: 1972)
    command line: nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe (PID: 956)
    command line: nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe (PID: 1636)
    command line: nslookup gandcrab.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe (PID: 1564)
    command line: nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe (PID: 2076)
    command line: nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe (PID: 2124)
    command line: nslookup gandcrab.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe (PID: 708)
    command line: nslookup nomoreransom.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe (PID: 1644)
    command line: nslookup emsisoft.bit dns1.soprodns.ru
  - C:\Windows\SysWOW64\nslookup.exe (PID: 1516)
    command line: nslookup gandcrab.bit dns1.soprodns.ru