Analysis
max time kernel: 80s
max time network: 120s
platform: windows10_x64
resource: win10-en-20210920
submitted: 14-10-2021 06:36
Static task: static1
Behavioral task: behavioral1
Sample: services.exe
Resource: win10-en-20210920 (windows10_x64)
0 signatures
0 seconds
General
Target: services.exe
Size: 9.1MB
MD5: b3e5debd7d5b6ed4c78a092d66b5be41
SHA1: 802453435b6f5321a0bff4e9d32ff7a4dee3c784
SHA256: 95de9b9ee0e8194cb2733def70e428b7c25c47c2b7bb407226fc2dd3695ccd82
SHA512: b13de41b4fcb3f38fcc19f39e0dddae25564cdb7ee59f865fe6eb83b7bada349924cdc6697b5187a81dcae3952328a3c79615c7bfadeedb96d030f744cfee80b
Score: 4/10
Malware Config
Signatures
Drops file in Windows directory (2 IoCs)
Processes (description | ioc | process):
File created | C:\Windows\rescache\_merged\1601268389\3068621934.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\4183903823\1195458082.pri | taskmgr.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | taskmgr.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes (pid | process):
2472 | taskmgr.exe (15 identical entries)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (description | pid | process):
Token: SeDebugPrivilege | 2472 | taskmgr.exe
Token: SeSystemProfilePrivilege | 2472 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 2472 | taskmgr.exe
Token: 33 | 2472 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 2472 | taskmgr.exe
Suspicious use of FindShellTrayWindow (41 IoCs)
Processes (pid | process):
2472 | taskmgr.exe (41 identical entries)
Suspicious use of SendNotifyMessage (40 IoCs)
Processes (pid | process):
2472 | taskmgr.exe (40 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\services.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\services.exe"
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage