Analysis
- max time kernel: 151s
- max time network: 163s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24/03/2024, 03:32
Behavioral task: behavioral1
- Sample: ba91c40089b50a78e3710f099599c71c.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: ba91c40089b50a78e3710f099599c71c.exe
- Resource: win10v2004-20240226-en
General
- Target: ba91c40089b50a78e3710f099599c71c.exe
- Size: 83KB
- MD5: ba91c40089b50a78e3710f099599c71c
- SHA1: 48fef76d9df5a426eb954a2bdfd1b7ee9d092826
- SHA256: 62c2b59d3e1afdeb303e40dc993e1adaa846c57ed90bac9a954d998b62f55ab8
- SHA512: 1fdd413b455f588b5679c3cfe094b4cfe0ed91c596258dc980ec97d933bb6e967dd9254b77b75380c1e99bde37a43224352ff2a7a04c7c72aa837b864ca509d9
- SSDEEP: 1536:G55u555555555pmgSeGDjtQhnwmmB0ybMqqU+2bbbAV2/S2mr3IdE8mne0Avu5r5:sMSjOnrmBTMqqDL2/mr3IdE8we0Avu5l
Malware Config
(none extracted)

Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldkjzmrzbyu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ba91c40089b50a78e3710f099599c71c.exe" | ba91c40089b50a78e3710f099599c71c.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\I: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\J: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\M: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\Y: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\Z: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\O: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\R: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\A: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\K: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\L: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\P: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\S: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\T: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\W: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\X: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\B: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\G: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\H: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\N: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\Q: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\U: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\V: | ba91c40089b50a78e3710f099599c71c.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ba91c40089b50a78e3710f099599c71c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ba91c40089b50a78e3710f099599c71c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | ba91c40089b50a78e3710f099599c71c.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1696 | ba91c40089b50a78e3710f099599c71c.exe
1696 | ba91c40089b50a78e3710f099599c71c.exe
Suspicious use of WriteProcessMemory (56 IoCs)
The report lists each write four times; identical entries are collapsed below with their count (14 targets x 4 entries = 56 IoCs).
description | pid | Process | procid_target | entries
PID 1696 wrote to memory of 2784 | 1696 | ba91c40089b50a78e3710f099599c71c.exe | 29 | 4
PID 1696 wrote to memory of 2472 | 1696 | ba91c40089b50a78e3710f099599c71c.exe | 32 | 4
PID 1696 wrote to memory of 524 | 1696 | ba91c40089b50a78e3710f099599c71c.exe | 36 | 4
PID 1696 wrote to memory of 3012 | 1696 | ba91c40089b50a78e3710f099599c71c.exe | 38 | 4
PID 1696 wrote to memory of 2068 | 1696 | ba91c40089b50a78e3710f099599c71c.exe | 40 | 4
PID 1696 wrote to memory of 2320 | 1696 | ba91c40089b50a78e3710f099599c71c.exe | 42 | 4
PID 1696 wrote to memory of 1820 | 1696 | ba91c40089b50a78e3710f099599c71c.exe | 44 | 4
PID 1696 wrote to memory of 1164 | 1696 | ba91c40089b50a78e3710f099599c71c.exe | 46 | 4
PID 1696 wrote to memory of 2736 | 1696 | ba91c40089b50a78e3710f099599c71c.exe | 48 | 4
PID 1696 wrote to memory of 1116 | 1696 | ba91c40089b50a78e3710f099599c71c.exe | 50 | 4
PID 1696 wrote to memory of 2084 | 1696 | ba91c40089b50a78e3710f099599c71c.exe | 52 | 4
PID 1696 wrote to memory of 2100 | 1696 | ba91c40089b50a78e3710f099599c71c.exe | 54 | 4
PID 1696 wrote to memory of 1916 | 1696 | ba91c40089b50a78e3710f099599c71c.exe | 56 | 4
PID 1696 wrote to memory of 2844 | 1696 | ba91c40089b50a78e3710f099599c71c.exe | 58 | 4
Processes

C:\Users\Admin\AppData\Local\Temp\ba91c40089b50a78e3710f099599c71c.exe (PID 1696, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\ba91c40089b50a78e3710f099599c71c.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child processes (depth 2):
    C:\Windows\SysWOW64\nslookup.exe (PID 2784): nslookup nomoreransom.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe (PID 2472): nslookup emsisoft.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe (PID 524): nslookup gandcrab.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe (PID 3012): nslookup nomoreransom.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe (PID 2068): nslookup emsisoft.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe (PID 2320): nslookup gandcrab.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe (PID 1820): nslookup nomoreransom.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe (PID 1164): nslookup emsisoft.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe (PID 2736): nslookup gandcrab.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe (PID 1116): nslookup nomoreransom.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe (PID 2084): nslookup emsisoft.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe (PID 2100): nslookup gandcrab.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe (PID 1916): nslookup nomoreransom.bit dns1.soprodns.ru
    C:\Windows\SysWOW64\nslookup.exe (PID 2844): nslookup emsisoft.bit dns1.soprodns.ru