Overview

overview

8

Static

static

3

Inazuma.exe

windows7-x64

8

Inazuma.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    67s
  • max time network
    73s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/04/2024, 18:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Inazuma.exe

  • Size

    35.8MB

  • MD5

    4f87e755e07ef688dc899e7f5ffdc283

  • SHA1

    a93b9dc51c2d72a8e4bc311c29f72f572b293d97

  • SHA256

    41b1b8220f1f700712831d790a8e4dd8fd552748e445c6611ad0f9c7b2dd1d8b

  • SHA512

    5f5af06dbb27908fa450dfdb093a884f79217c6f29060076d855a59b0b63e5f3021b90e060f9538657e97268287802e5a948f43845995ba092d48ca53f202d68

  • SSDEEP

    786432:K7ACT5+AN6fQKQNDA1H2Bwd7ZlbCqE9kG3YUPS:K7ACTIsXzNDuH2w7PbJE3RS

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 50 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Inazuma.exe
    "C:\Users\Admin\AppData\Local\Temp\Inazuma.exe"
    1⤵
    • Drops file in Drivers directory
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Cls
      2⤵
        PID:1416
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Inazuma.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3492
        • C:\Windows\system32\certutil.exe
          certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Inazuma.exe" MD5
          3⤵
            PID:2004
          • C:\Windows\system32\find.exe
            find /i /v "md5"
            3⤵
              PID:4664
            • C:\Windows\system32\find.exe
              find /i /v "certutil"
              3⤵
                PID:4216
          • C:\Windows\system32\taskmgr.exe
            "C:\Windows\system32\taskmgr.exe" /4
            1⤵
            • Checks SCSI registry key(s)
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2280
          • C:\Windows\System32\rundll32.exe
            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            1⤵
              PID:4332

            Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/2280-14-0x000001DA19090000-0x000001DA19091000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2280-8-0x000001DA19090000-0x000001DA19091000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2280-7-0x000001DA19090000-0x000001DA19091000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2280-9-0x000001DA19090000-0x000001DA19091000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2280-13-0x000001DA19090000-0x000001DA19091000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2280-15-0x000001DA19090000-0x000001DA19091000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2280-16-0x000001DA19090000-0x000001DA19091000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2280-17-0x000001DA19090000-0x000001DA19091000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2280-18-0x000001DA19090000-0x000001DA19091000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2280-19-0x000001DA19090000-0x000001DA19091000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2480-2-0x00007FFE26AE0000-0x00007FFE26AE2000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/2480-3-0x0000000140000000-0x0000000143F5A000-memory.dmp

                    Filesize

                    63.4MB

                    Download

                  • memory/2480-1-0x00007FFE26AD0000-0x00007FFE26AD2000-memory.dmp

                    Filesize

                    8KB

                    Download