Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/03/2024, 03:32
Behavioral task: behavioral1
Sample: ba91c40089b50a78e3710f099599c71c.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: ba91c40089b50a78e3710f099599c71c.exe
Resource: win10v2004-20240226-en
General

Target: ba91c40089b50a78e3710f099599c71c.exe
Size: 83KB
MD5: ba91c40089b50a78e3710f099599c71c
SHA1: 48fef76d9df5a426eb954a2bdfd1b7ee9d092826
SHA256: 62c2b59d3e1afdeb303e40dc993e1adaa846c57ed90bac9a954d998b62f55ab8
SHA512: 1fdd413b455f588b5679c3cfe094b4cfe0ed91c596258dc980ec97d933bb6e967dd9254b77b75380c1e99bde37a43224352ff2a7a04c7c72aa837b864ca509d9
SSDEEP: 1536:G55u555555555pmgSeGDjtQhnwmmB0ybMqqU+2bbbAV2/S2mr3IdE8mne0Avu5r5:sMSjOnrmBTMqqDL2/mr3IdE8we0Avu5l
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lrbfuwzjyiw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ba91c40089b50a78e3710f099599c71c.exe" | ba91c40089b50a78e3710f099599c71c.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\J: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\M: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\R: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\T: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\X: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\Y: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\E: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\P: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\V: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\A: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\I: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\L: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\O: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\S: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\U: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\W: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\G: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\H: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\K: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\N: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\Q: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\Z: | ba91c40089b50a78e3710f099599c71c.exe
File opened (read-only) | \??\B: | ba91c40089b50a78e3710f099599c71c.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ba91c40089b50a78e3710f099599c71c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ba91c40089b50a78e3710f099599c71c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | ba91c40089b50a78e3710f099599c71c.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)

pid | Process
4028 | ba91c40089b50a78e3710f099599c71c.exe
4028 | ba91c40089b50a78e3710f099599c71c.exe
4028 | ba91c40089b50a78e3710f099599c71c.exe
4028 | ba91c40089b50a78e3710f099599c71c.exe

Suspicious use of WriteProcessMemory (39 IoCs)

description | pid | Process | procid_target
PID 4028 wrote to memory of 2636 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 100
PID 4028 wrote to memory of 2636 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 100
PID 4028 wrote to memory of 2636 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 100
PID 4028 wrote to memory of 4944 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 107
PID 4028 wrote to memory of 4944 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 107
PID 4028 wrote to memory of 4944 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 107
PID 4028 wrote to memory of 3320 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 112
PID 4028 wrote to memory of 3320 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 112
PID 4028 wrote to memory of 3320 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 112
PID 4028 wrote to memory of 4372 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 115
PID 4028 wrote to memory of 4372 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 115
PID 4028 wrote to memory of 4372 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 115
PID 4028 wrote to memory of 3532 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 118
PID 4028 wrote to memory of 3532 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 118
PID 4028 wrote to memory of 3532 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 118
PID 4028 wrote to memory of 4368 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 120
PID 4028 wrote to memory of 4368 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 120
PID 4028 wrote to memory of 4368 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 120
PID 4028 wrote to memory of 2992 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 122
PID 4028 wrote to memory of 2992 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 122
PID 4028 wrote to memory of 2992 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 122
PID 4028 wrote to memory of 1812 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 125
PID 4028 wrote to memory of 1812 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 125
PID 4028 wrote to memory of 1812 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 125
PID 4028 wrote to memory of 2656 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 127
PID 4028 wrote to memory of 2656 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 127
PID 4028 wrote to memory of 2656 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 127
PID 4028 wrote to memory of 4720 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 129
PID 4028 wrote to memory of 4720 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 129
PID 4028 wrote to memory of 4720 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 129
PID 4028 wrote to memory of 3456 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 139
PID 4028 wrote to memory of 3456 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 139
PID 4028 wrote to memory of 3456 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 139
PID 4028 wrote to memory of 3676 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 141
PID 4028 wrote to memory of 3676 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 141
PID 4028 wrote to memory of 3676 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 141
PID 4028 wrote to memory of 4048 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 143
PID 4028 wrote to memory of 4048 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 143
PID 4028 wrote to memory of 4048 | 4028 | ba91c40089b50a78e3710f099599c71c.exe | 143
Processes

- C:\Users\Admin\AppData\Local\Temp\ba91c40089b50a78e3710f099599c71c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba91c40089b50a78e3710f099599c71c.exe"
  PID: 4028
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup nomoreransom.bit dns1.soprodns.ru
    PID: 2636
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup emsisoft.bit dns1.soprodns.ru
    PID: 4944
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup gandcrab.bit dns1.soprodns.ru
    PID: 3320
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup nomoreransom.bit dns1.soprodns.ru
    PID: 4372
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup emsisoft.bit dns1.soprodns.ru
    PID: 3532
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup gandcrab.bit dns1.soprodns.ru
    PID: 4368
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup nomoreransom.bit dns1.soprodns.ru
    PID: 2992
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup emsisoft.bit dns1.soprodns.ru
    PID: 1812
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup gandcrab.bit dns1.soprodns.ru
    PID: 2656
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup nomoreransom.bit dns1.soprodns.ru
    PID: 4720
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup emsisoft.bit dns1.soprodns.ru
    PID: 3456
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup gandcrab.bit dns1.soprodns.ru
    PID: 3676
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup nomoreransom.bit dns1.soprodns.ru
    PID: 4048

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
  PID: 3144