Analysis
- max time kernel: 138s
- max time network: 148s
- platform: windows10_x64
- resource: win10v200430
- submitted: 13-07-2020 12:33

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: App.bin.exe
  - Resource: win7 (windows7_x64)
  - 0 signatures, 0 seconds
General
- Target: App.bin.exe
- Size: 560KB
- MD5: 5518020384ceb599dd993c388c21acf3
- SHA1: 11c3c0a314b76eb980f69c5db4807cc147e3a1d6
- SHA256: 91b9e5401ca19ff3f45d8c3acce6a793f7cb713bc6920d9c5371197ad6a3b582
- SHA512: 7767e0edc52c158a1c3aca4c6dfba33bdade555238b238f82c25aa98e21db1cff479aaced3e570419e9767aabdbb10e03eb51debd016b93ba4c681b5432ce001
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 3656 | App.bin.exe
  Token: SeDebugPrivilege | 3656 | App.bin.exe

Drops file in Program Files directory (2 IoCs)
Processes:
  description                  | ioc                                             | process
  File created                 | C:\Program Files (x86)\SCSI Manager\scsimgr.exe | App.bin.exe
  File opened for modification | C:\Program Files (x86)\SCSI Manager\scsimgr.exe | App.bin.exe

Adds Run entry to start application (2 TTPs, 1 IoC)
Processes:
  description     | ioc                                                                                                                                                  | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Manager = "C:\\Program Files (x86)\\SCSI Manager\\scsimgr.exe" | App.bin.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  (the two schtasks.exe /create invocations, PIDs 512 and 864, are listed in the Processes section below)

Checks whether UAC is enabled
Processes:
  description       | ioc                                                                            | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | App.bin.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description             | pid  | process     | target process
  PID 3656 wrote to memory of 512 | 3656 | App.bin.exe | schtasks.exe
  PID 3656 wrote to memory of 512 | 3656 | App.bin.exe | schtasks.exe
  PID 3656 wrote to memory of 512 | 3656 | App.bin.exe | schtasks.exe
  PID 3656 wrote to memory of 864 | 3656 | App.bin.exe | schtasks.exe
  PID 3656 wrote to memory of 864 | 3656 | App.bin.exe | schtasks.exe
  PID 3656 wrote to memory of 864 | 3656 | App.bin.exe | schtasks.exe
  Note: the targets (PIDs 512 and 864) are the two schtasks.exe children that App.bin.exe itself launched. A parent writing into a process it has just created is part of normal process start-up, so on its own this is weaker evidence of injection than writes into an unrelated process.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid  | process
  3656 | App.bin.exe
  3656 | App.bin.exe
  3656 | App.bin.exe
  3656 | App.bin.exe
  3656 | App.bin.exe
  3656 | App.bin.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid  | process
  3656 | App.bin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\App.bin.exe (PID 3656)
  Command line: "C:\Users\Admin\AppData\Local\Temp\App.bin.exe"
  Signatures:
    - Suspicious use of AdjustPrivilegeToken
    - Drops file in Program Files directory
    - Adds Run entry to start application
    - Checks whether UAC is enabled
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
  Children:
  - C:\Windows\SysWOW64\schtasks.exe (PID 512)
    Command line: "schtasks.exe" /create /f /tn "SCSI Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB948.tmp"
    Signatures:
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\schtasks.exe (PID 864)
    Command line: "schtasks.exe" /create /f /tn "SCSI Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBAA1.tmp"
    Signatures:
      - Creates scheduled task(s)
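The report establishes three durable persistence artifacts: a Run value written under WOW6432Node (the sample is 32-bit, hence the redirected key and the Program Files (x86) drop path), the dropped binary scsimgr.exe, and two scheduled tasks registered with schtasks /create /xml. The following PowerShell script is an added example written for this page, not code from the sandbox or from the report, that triages a host for those artifacts. It assumes an elevated Windows PowerShell 5.1 or later session with the ScheduledTasks module; the indicator values are copied from the report, while the extra registry views and the match on the task's action path are the editor's additions to catch variants that rename the task or pick a different hive.

```powershell
# Added example (editor's code, not part of the sandbox report): triage a host
# for the persistence artifacts this report attributes to App.bin.exe.
# Assumptions: Windows PowerShell 5.1+ with the ScheduledTasks module, run
# elevated on the suspect host. Indicator values are copied from the report.
$ExpectedSha256 = '91b9e5401ca19ff3f45d8c3acce6a793f7cb713bc6920d9c5371197ad6a3b582'
$DroppedPath    = 'C:\Program Files (x86)\SCSI Manager\scsimgr.exe'
$RunValueName   = 'SCSI Manager'
$TaskNames      = @('SCSI Manager', 'SCSI Manager Task')

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Type, $Where, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# 1. Run key. App.bin.exe is a 32-bit process (SysWOW64\schtasks.exe,
#    Program Files (x86)), so its HKLM\...\Run write landed under WOW6432Node.
#    The native view and HKCU are checked as well (editor's addition) so a
#    variant that picks a different hive is not missed.
$runKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        if ($p.Name -eq $RunValueName -or "$($p.Value)" -like '*scsimgr.exe*') {
            Add-Finding 'RunKey' "$key\$($p.Name)" $p.Value
        }
    }
}

# 2. Dropped binary. The on-disk copy need not be byte-identical to the
#    submitted sample, so record the hash either way and flag any difference.
if (Test-Path -LiteralPath $DroppedPath) {
    $hash = (Get-FileHash -LiteralPath $DroppedPath -Algorithm SHA256).Hash.ToLower()
    if ($hash -eq $ExpectedSha256) { $detail = 'SHA256 matches the submitted sample' }
    else                           { $detail = "SHA256 $hash (differs from the submitted sample)" }
    Add-Finding 'DroppedFile' $DroppedPath $detail
}

# 3. Scheduled tasks. The /xml definitions were written to %TEMP%\tmp*.tmp and
#    are normally gone; the registered task is the durable artifact. Match on
#    the task names from the report and on the action path, so a renamed task
#    that still launches scsimgr.exe is caught.
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    if ($TaskNames -contains $task.TaskName -or $actions -like '*scsimgr.exe*') {
        Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $actions
    }
}

if ($findings.Count -eq 0) {
    'No SCSI Manager persistence artifacts found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt; HKLM Run keys and other users' tasks are not fully visible otherwise. The report does not include the task XML that schtasks consumed, so after a ScheduledTask hit pull the registered definition with Export-ScheduledTask -TaskName <name> -TaskPath <path> and review its trigger, action and principal before removing the task, the Run value and the dropped file.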