Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26-05-2024 21:07
Behavioral tasks

Task         | Sample       | Resource               | Signatures | Duration
behavioral1  | QP8ZfH7.exe  | win7-20240221-en       | 4          | 150 seconds
behavioral2  | QP8ZfH7.exe  | win10v2004-20240226-en | 10         | 150 seconds
behavioral3  | guardian2.pyc | win7-20240221-en      | 4          | 150 seconds
behavioral4  | guardian2.pyc | win10v2004-20240226-en | 3         | 150 seconds
General
- Target: guardian2.pyc
- Size: 2KB
- MD5: d9ddbc3982e67e6e29fdfa9b7ed45782
- SHA1: a30e91632c73e7c3f835942f68fee399a8772e90
- SHA256: 82a38bfbdcd5849a43e0df271ca056be1395cd5265a4f7c58d7d6e40b8bd7152
- SHA512: 4ee1baee0c20c0f1761bc928016e718b2167bbfbf66762ced4755375eff0e539df0ca6c47cd91876c72e18639c7ea5eb1e311b3f2186053c9145336499a01b2b
- Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  Processes: rundll32.exe

  description | ioc                                                                              | process
  Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: rundll32.exe

  pid  | process
  2056 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cmd.exe

  description                      | pid  | process | target process
  PID 1888 wrote to memory of 2056 | 1888 | cmd.exe | rundll32.exe
  PID 1888 wrote to memory of 2056 | 1888 | cmd.exe | rundll32.exe
  PID 1888 wrote to memory of 2056 | 1888 | cmd.exe | rundll32.exe
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\guardian2.pyc
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe (child of 1)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\guardian2.pyc
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam