Analysis
- max time kernel: 150s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:28

Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7v20201028
General
- Target: file.exe
- Size: 253KB
- MD5: 94d715c76354182482dcc8fb446a1be7
- SHA1: 3d6497669c371e33c2e4055f9eb8c00dc5104387
- SHA256: a2f4d3da25e52d88eafb7a7da242e9bb507fe4626af58ca3b8c1a13e391c2000
- SHA512: e85e1ae231318c403a3aea0af312f587abbf55392fb8677543e363d9245054a939ad635a0094c0884b01f2e0171eb2919b43c556b472724bb103637cee206965
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp\\Taskmgrk.exe" | file.exe
- Modifies security service (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | Taskmgrk.exe
- Executes dropped EXE (1 IoC)
  pid | process
  3272 | Taskmgrk.exe
- Yara rule matches
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Temp\Taskmgrk.exe | upx
  C:\Users\Admin\AppData\Local\Temp\Temp\Taskmgrk.exe | upx
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation | file.exe
- Windows security modification (2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Taskmgrk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Taskmgrk.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskmgrk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp\\Taskmgrk.exe" | file.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskmgrk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp\\Taskmgrk.exe" | Taskmgrk.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | file.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Both processes, file.exe (PID 4696) and Taskmgrk.exe (PID 3272), adjusted the same 24 token privileges (24 IoCs each):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
  SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
  SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  3272 | Taskmgrk.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | target process
  PID 4696 wrote to memory of 3272 | 4696 | file.exe | Taskmgrk.exe
  PID 4696 wrote to memory of 3272 | 4696 | file.exe | Taskmgrk.exe
  PID 4696 wrote to memory of 3272 | 4696 | file.exe | Taskmgrk.exe
- System policy modification (1 TTP, 3 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | Taskmgrk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | Taskmgrk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | Taskmgrk.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 4696)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Temp\Taskmgrk.exe (PID 3272, child of file.exe)
    command line: "C:\Users\Admin\AppData\Local\Temp\Temp\Taskmgrk.exe"
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Temp\Taskmgrk.exe (same hashes as the submitted file.exe, i.e. a self-copy of the sample)
  MD5: 94d715c76354182482dcc8fb446a1be7
  SHA1: 3d6497669c371e33c2e4055f9eb8c00dc5104387
  SHA256: a2f4d3da25e52d88eafb7a7da242e9bb507fe4626af58ca3b8c1a13e391c2000
  SHA512: e85e1ae231318c403a3aea0af312f587abbf55392fb8677543e363d9245054a939ad635a0094c0884b01f2e0171eb2919b43c556b472724bb103637cee206965
- memory/3272-0-0x0000000000000000-mapping.dmp