Resubmissions

21-05-2024 06:19

240521-g3f2vsbb4x 3

21-05-2024 06:09

240521-gwwhzaac97 3

Analysis

  • max time kernel
    85s
  • max time network
    28s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-05-2024 06:09

General

  • Target

    Speech.exe

  • Size

    1.3MB

  • MD5

    d2b55fb7762408c2d2509e86fc40e640

  • SHA1

    eddcfd1ddf35f789fc50a6dab16a1f779cad3f76

  • SHA256

    ed43f74fc5bfbb139150f3557c1f91218124b1230ef0a8a3629cf421ad577c38

  • SHA512

    628dc2056dbc73e8161049916bb3a0b684f52079a734fb45579f19bb3116132936a42019b6f164f416232c3f8348057737f7a4625d2d9bd30ae7a8cba69c156b

  • SSDEEP

    24576:gJduBn+/D/4isQZSti4tWZy3Q1EBiCjEXzExoLHKdEqgj:gJIRbisQqi4tWcycAtHKdwj

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Speech.exe
    "C:\Users\Admin\AppData\Local\Temp\Speech.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1284 -s 192
      2⤵
      PID:1148
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1312
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Users\Admin\AppData\Local\Temp\Speech.exe
      Speech.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2704 -s 192
        3⤵
        PID:2676
    • C:\Users\Admin\AppData\Local\Temp\Speech.exe
      Speech.exe -h
      2⤵
      PID:2504
  • C:\Users\Admin\AppData\Local\Temp\Speech.exe
    "C:\Users\Admin\AppData\Local\Temp\Speech.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2828 -s 192
      2⤵
      PID:1124
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1956

Network

MITRE ATT&CK Matrix


Downloads

  • memory/1956-0-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB