Analysis
-
max time kernel
85s -
max time network
28s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
21-05-2024 06:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Speech.exe
Resource
win7-20240508-en
windows7-x64
5 signatures
300 seconds
Behavioral task
behavioral2
Sample
Speech.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
0 signatures
300 seconds
General
-
Target
Speech.exe
-
Size
1.3MB
-
MD5
d2b55fb7762408c2d2509e86fc40e640
-
SHA1
eddcfd1ddf35f789fc50a6dab16a1f779cad3f76
-
SHA256
ed43f74fc5bfbb139150f3557c1f91218124b1230ef0a8a3629cf421ad577c38
-
SHA512
628dc2056dbc73e8161049916bb3a0b684f52079a734fb45579f19bb3116132936a42019b6f164f416232c3f8348057737f7a4625d2d9bd30ae7a8cba69c156b
-
SSDEEP
24576:gJduBn+/D/4isQZSti4tWZy3Q1EBiCjEXzExoLHKdEqgj:gJIRbisQqi4tWcycAtHKdwj
Score
1/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 1956 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1956 taskmgr.exe -
Suspicious use of FindShellTrayWindow 36 IoCs
pid Process 1956 taskmgr.exe -
Suspicious use of SendNotifyMessage 36 IoCs
pid Process 1956 taskmgr.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target
PID 1284 wrote to memory of 1148 1284 Speech.exe 29
PID 2528 wrote to memory of 2704 2528 cmd.exe 34
PID 2704 wrote to memory of 2676 2704 Speech.exe 35
PID 2528 wrote to memory of 2504 2528 cmd.exe 36
PID 2828 wrote to memory of 1124 2828 Speech.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\Speech.exe "C:\Users\Admin\AppData\Local\Temp\Speech.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\system32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1284 -s 192 2⤵ PID:1148
-
-
C:\Windows\explorer.exe "C:\Windows\explorer.exe" 1⤵ PID:1312
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Users\Admin\AppData\Local\Temp\Speech.exe Speech.exe 2⤵
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\system32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2704 -s 192 3⤵ PID:2676
-
-
-
C:\Users\Admin\AppData\Local\Temp\Speech.exe Speech.exe -h 2⤵ PID:2504
-
-
C:\Users\Admin\AppData\Local\Temp\Speech.exe "C:\Users\Admin\AppData\Local\Temp\Speech.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\system32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2828 -s 192 2⤵ PID:1124
-
-
C:\Windows\system32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4 1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1956