Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/03/2024, 03:32

General

  • Target

    ba91c40089b50a78e3710f099599c71c.exe

  • Size

    83KB

  • MD5

    ba91c40089b50a78e3710f099599c71c

  • SHA1

    48fef76d9df5a426eb954a2bdfd1b7ee9d092826

  • SHA256

    62c2b59d3e1afdeb303e40dc993e1adaa846c57ed90bac9a954d998b62f55ab8

  • SHA512

    1fdd413b455f588b5679c3cfe094b4cfe0ed91c596258dc980ec97d933bb6e967dd9254b77b75380c1e99bde37a43224352ff2a7a04c7c72aa837b864ca509d9

  • SSDEEP

    1536:G55u555555555pmgSeGDjtQhnwmmB0ybMqqU+2bbbAV2/S2mr3IdE8mne0Avu5r5:sMSjOnrmBTMqqDL2/mr3IdE8we0Avu5l

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba91c40089b50a78e3710f099599c71c.exe
    "C:\Users\Admin\AppData\Local\Temp\ba91c40089b50a78e3710f099599c71c.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup nomoreransom.bit dns1.soprodns.ru
      2⤵
        PID:2636
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup emsisoft.bit dns1.soprodns.ru
        2⤵
          PID:4944
        • C:\Windows\SysWOW64\nslookup.exe
          nslookup gandcrab.bit dns1.soprodns.ru
          2⤵
            PID:3320
          • C:\Windows\SysWOW64\nslookup.exe
            nslookup nomoreransom.bit dns1.soprodns.ru
            2⤵
              PID:4372
            • C:\Windows\SysWOW64\nslookup.exe
              nslookup emsisoft.bit dns1.soprodns.ru
              2⤵
                PID:3532
              • C:\Windows\SysWOW64\nslookup.exe
                nslookup gandcrab.bit dns1.soprodns.ru
                2⤵
                  PID:4368
                • C:\Windows\SysWOW64\nslookup.exe
                  nslookup nomoreransom.bit dns1.soprodns.ru
                  2⤵
                    PID:2992
                  • C:\Windows\SysWOW64\nslookup.exe
                    nslookup emsisoft.bit dns1.soprodns.ru
                    2⤵
                      PID:1812
                    • C:\Windows\SysWOW64\nslookup.exe
                      nslookup gandcrab.bit dns1.soprodns.ru
                      2⤵
                        PID:2656
                      • C:\Windows\SysWOW64\nslookup.exe
                        nslookup nomoreransom.bit dns1.soprodns.ru
                        2⤵
                          PID:4720
                        • C:\Windows\SysWOW64\nslookup.exe
                          nslookup emsisoft.bit dns1.soprodns.ru
                          2⤵
                            PID:3456
                          • C:\Windows\SysWOW64\nslookup.exe
                            nslookup gandcrab.bit dns1.soprodns.ru
                            2⤵
                              PID:3676
                            • C:\Windows\SysWOW64\nslookup.exe
                              nslookup nomoreransom.bit dns1.soprodns.ru
                              2⤵
                                PID:4048
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
                              1⤵
                                PID:3144

                              Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads