971bb73356edcaae9f23a8aaf392b450e21220bd01508b38b37200aecc31e5de

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a66f9fc18440adedd1c42b33e568d175.exe
Size

73KB
MD5

a66f9fc18440adedd1c42b33e568d175
SHA1

f549ce643f9257719874846045ff83b502994fa4
SHA256

971bb73356edcaae9f23a8aaf392b450e21220bd01508b38b37200aecc31e5de
SHA512

43313a36cce73a9bfb7145bc2495ff49bb8f6c100109191887e8ff21b68cecdc48fee5b3b740e0daa8fd8be6ca4a77a4a9f91994eedc4bc80038639028a97ecf
SSDEEP

1536:z55u555555555pmgSeGDjtQhnwmmB0ybMqqU+2bbbAV2/S2mr3IdE8mne0Avu5rJ:vMSjOnrmBTMqqDL2/mr3IdE8we0Avu5h

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\psbcnrjmoju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a66f9fc18440adedd1c42b33e568d175.exe"	a66f9fc18440adedd1c42b33e568d175.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\I:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\J:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\Y:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\Z:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\X:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\H:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\N:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\O:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\U:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\V:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\W:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\L:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\P:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\T:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\R:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\S:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\A:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\B:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\G:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\K:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\M:	a66f9fc18440adedd1c42b33e568d175.exe
File opened (read-only)	\??\Q:	a66f9fc18440adedd1c42b33e568d175.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a66f9fc18440adedd1c42b33e568d175.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a66f9fc18440adedd1c42b33e568d175.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	a66f9fc18440adedd1c42b33e568d175.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2964	a66f9fc18440adedd1c42b33e568d175.exe
2964	a66f9fc18440adedd1c42b33e568d175.exe
2964	a66f9fc18440adedd1c42b33e568d175.exe
2964	a66f9fc18440adedd1c42b33e568d175.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 664	2964	a66f9fc18440adedd1c42b33e568d175.exe	90
PID 2964 wrote to memory of 664	2964	a66f9fc18440adedd1c42b33e568d175.exe	90
PID 2964 wrote to memory of 664	2964	a66f9fc18440adedd1c42b33e568d175.exe	90
PID 2964 wrote to memory of 5052	2964	a66f9fc18440adedd1c42b33e568d175.exe	99
PID 2964 wrote to memory of 5052	2964	a66f9fc18440adedd1c42b33e568d175.exe	99
PID 2964 wrote to memory of 5052	2964	a66f9fc18440adedd1c42b33e568d175.exe	99
PID 2964 wrote to memory of 4772	2964	a66f9fc18440adedd1c42b33e568d175.exe	101
PID 2964 wrote to memory of 4772	2964	a66f9fc18440adedd1c42b33e568d175.exe	101
PID 2964 wrote to memory of 4772	2964	a66f9fc18440adedd1c42b33e568d175.exe	101
PID 2964 wrote to memory of 1280	2964	a66f9fc18440adedd1c42b33e568d175.exe	104
PID 2964 wrote to memory of 1280	2964	a66f9fc18440adedd1c42b33e568d175.exe	104
PID 2964 wrote to memory of 1280	2964	a66f9fc18440adedd1c42b33e568d175.exe	104
PID 2964 wrote to memory of 3452	2964	a66f9fc18440adedd1c42b33e568d175.exe	106
PID 2964 wrote to memory of 3452	2964	a66f9fc18440adedd1c42b33e568d175.exe	106
PID 2964 wrote to memory of 3452	2964	a66f9fc18440adedd1c42b33e568d175.exe	106
PID 2964 wrote to memory of 4884	2964	a66f9fc18440adedd1c42b33e568d175.exe	108
PID 2964 wrote to memory of 4884	2964	a66f9fc18440adedd1c42b33e568d175.exe	108
PID 2964 wrote to memory of 4884	2964	a66f9fc18440adedd1c42b33e568d175.exe	108
PID 2964 wrote to memory of 2288	2964	a66f9fc18440adedd1c42b33e568d175.exe	111
PID 2964 wrote to memory of 2288	2964	a66f9fc18440adedd1c42b33e568d175.exe	111
PID 2964 wrote to memory of 2288	2964	a66f9fc18440adedd1c42b33e568d175.exe	111
PID 2964 wrote to memory of 3916	2964	a66f9fc18440adedd1c42b33e568d175.exe	112
PID 2964 wrote to memory of 3916	2964	a66f9fc18440adedd1c42b33e568d175.exe	112
PID 2964 wrote to memory of 3916	2964	a66f9fc18440adedd1c42b33e568d175.exe	112
PID 2964 wrote to memory of 4400	2964	a66f9fc18440adedd1c42b33e568d175.exe	114
PID 2964 wrote to memory of 4400	2964	a66f9fc18440adedd1c42b33e568d175.exe	114
PID 2964 wrote to memory of 4400	2964	a66f9fc18440adedd1c42b33e568d175.exe	114
PID 2964 wrote to memory of 744	2964	a66f9fc18440adedd1c42b33e568d175.exe	116
PID 2964 wrote to memory of 744	2964	a66f9fc18440adedd1c42b33e568d175.exe	116
PID 2964 wrote to memory of 744	2964	a66f9fc18440adedd1c42b33e568d175.exe	116
PID 2964 wrote to memory of 4496	2964	a66f9fc18440adedd1c42b33e568d175.exe	118
PID 2964 wrote to memory of 4496	2964	a66f9fc18440adedd1c42b33e568d175.exe	118
PID 2964 wrote to memory of 4496	2964	a66f9fc18440adedd1c42b33e568d175.exe	118
PID 2964 wrote to memory of 5060	2964	a66f9fc18440adedd1c42b33e568d175.exe	120
PID 2964 wrote to memory of 5060	2964	a66f9fc18440adedd1c42b33e568d175.exe	120
PID 2964 wrote to memory of 5060	2964	a66f9fc18440adedd1c42b33e568d175.exe	120
PID 2964 wrote to memory of 1012	2964	a66f9fc18440adedd1c42b33e568d175.exe	122
PID 2964 wrote to memory of 1012	2964	a66f9fc18440adedd1c42b33e568d175.exe	122
PID 2964 wrote to memory of 1012	2964	a66f9fc18440adedd1c42b33e568d175.exe	122
PID 2964 wrote to memory of 3936	2964	a66f9fc18440adedd1c42b33e568d175.exe	124
PID 2964 wrote to memory of 3936	2964	a66f9fc18440adedd1c42b33e568d175.exe	124
PID 2964 wrote to memory of 3936	2964	a66f9fc18440adedd1c42b33e568d175.exe	124

C:\Users\Admin\AppData\Local\Temp\a66f9fc18440adedd1c42b33e568d175.exe
"C:\Users\Admin\AppData\Local\Temp\a66f9fc18440adedd1c42b33e568d175.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:664
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:5052
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:4772
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:1280
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:3452
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:4884
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:2288
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:3916
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:4400
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:744
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:4496
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:5060
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:1012
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:3936