Analysis

Max time kernel: 150s
Max time network: 131s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 03-09-2024 09:08
Static task: static1

Behavioral task: behavioral1
Sample: flower_cracked.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: flower_cracked.exe
Resource: win10v2004-20240802-en
General

Target: flower_cracked.exe
Size: 2.0MB
MD5: a9e8452e49bc005c900efcfd44a61827
SHA1: 23a8648c67cae5c7b585e7799f28fde92f0b13e6
SHA256: 21427e770ace36295c64388b491f757a4bb540c8dc4c78a534a8db21bd96b59f
SHA512: 5fbf8257d17c8ea2343cf35c20bf66b38aa62f344be295076b4355a4c49770c4ad0f28f47d047cc91d715848ac96fd5281254d6923b8d3f7d5cd921a7d2f4f0b
SSDEEP: 12288:aV9WSZOSjCaQSeI2ELUwcnC/dOxVzR+H/3n7Z6kpnvrMDOyfu2K:T2QS1LlJdOx5RC/IkpnvgS2u2K
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2024  strnmap.exe

- Drops file in System32 directory (2 IoCs)
  description   ioc                                Process
  File created  C:\Windows\System32\driver.sys     flower_cracked.exe
  File created  C:\Windows\System32\strnmap.exe    flower_cracked.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1804  flower_cracked.exe   (64 identical entries)

- Suspicious use of WriteProcessMemory (22 IoCs)
  description                     pid   Process             procid_target
  PID 1804 wrote to memory of 4272  1804  flower_cracked.exe  91
  PID 1804 wrote to memory of 4272  1804  flower_cracked.exe  91
  PID 1804 wrote to memory of 3888  1804  flower_cracked.exe  92
  PID 1804 wrote to memory of 3888  1804  flower_cracked.exe  92
  PID 1804 wrote to memory of 1412  1804  flower_cracked.exe  96
  PID 1804 wrote to memory of 1412  1804  flower_cracked.exe  96
  PID 1412 wrote to memory of 680   1412  cmd.exe             97
  PID 1412 wrote to memory of 680   1412  cmd.exe             97
  PID 1412 wrote to memory of 5052  1412  cmd.exe             98
  PID 1412 wrote to memory of 5052  1412  cmd.exe             98
  PID 1412 wrote to memory of 1480  1412  cmd.exe             99
  PID 1412 wrote to memory of 1480  1412  cmd.exe             99
  PID 1804 wrote to memory of 4204  1804  flower_cracked.exe  100
  PID 1804 wrote to memory of 4204  1804  flower_cracked.exe  100
  PID 1804 wrote to memory of 3288  1804  flower_cracked.exe  101
  PID 1804 wrote to memory of 3288  1804  flower_cracked.exe  101
  PID 3288 wrote to memory of 2024  3288  cmd.exe             102
  PID 3288 wrote to memory of 2024  3288  cmd.exe             102
  PID 1804 wrote to memory of 4944  1804  flower_cracked.exe  103
  PID 1804 wrote to memory of 4944  1804  flower_cracked.exe  103
  PID 1804 wrote to memory of 2888  1804  flower_cracked.exe  104
  PID 1804 wrote to memory of 2888  1804  flower_cracked.exe  104
Processes

- C:\Users\Admin\AppData\Local\Temp\flower_cracked.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\flower_cracked.exe"
  PID: 1804
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
    PID: 4272

  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c color E
    PID: 3888

  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\flower_cracked.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    PID: 1412
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\certutil.exe
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\flower_cracked.exe" MD5
      PID: 680

    - C:\Windows\system32\find.exe
      Command line: find /i /v "md5"
      PID: 5052

    - C:\Windows\system32\find.exe
      Command line: find /i /v "certutil"
      PID: 1480

  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
    PID: 4204

  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\strnmap.exe C:\Windows\System32\driver.sys
    PID: 3288
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\strnmap.exe
      Command line: C:\Windows\System32\strnmap.exe C:\Windows\System32\driver.sys
      PID: 2024
      - Executes dropped EXE

  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
    PID: 4944

  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c color E
    PID: 2888
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 530KB
  MD5: 54ed683eba9340abf6783bd8d7b39445
  SHA1: 950e3c11c71354097c8440529b31f8ac2b3c32a8
  SHA256: 2d0a9d5ca563ffa82a974903bb43411b22c863311ec926449f08d16f483e4e70
  SHA512: 9ff8c110823bad1e0a79a810b151e1d5557022080af0c8aaa9ff76996bd040747346f62459c50468cf86f49389c0e5fb7f057e9bd30fa31fed49ae5692d50ae2