Analysis

max time kernel: 144s
max time network: 151s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29-08-2022 19:31

Behavioral task: behavioral1
Sample: 4c7c0f5f613c66060cf3e490aca57c39.exe
Resource: win7-20220812-en
General

Target: 4c7c0f5f613c66060cf3e490aca57c39.exe
Size: 203KB
MD5: 4c7c0f5f613c66060cf3e490aca57c39
SHA1: cb79286c9ab591f426935c6cda60728985268b5d
SHA256: 88ca9076cf95fda93c3ccc3d2dff800859ee13cae7043209a483b47812963b2b
SHA512: b056e8046cfa5bbc19cca73c7781daaf2303476b13729035bb814901b8b566ee32b5a6fdf62ce6dde19fa12fbcf220b3a38be233ed60d872a41fd994e8146d33
SSDEEP: 3072:MzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIYRcungwenxmj35QX3Lqs2j3Go:MLV6Bta6dtJmakIM5TcxA5QHLqxio
Malware Config

Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 4c7c0f5f613c66060cf3e490aca57c39.exe
  description     | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe" | 4c7c0f5f613c66060cf3e490aca57c39.exe
Checks whether UAC is enabled
Processes: 4c7c0f5f613c66060cf3e490aca57c39.exe
  description       | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 4c7c0f5f613c66060cf3e490aca57c39.exe
Drops file in Program Files directory (2 IoCs)
Processes: 4c7c0f5f613c66060cf3e490aca57c39.exe
  description                  | ioc | process
  File opened for modification | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | 4c7c0f5f613c66060cf3e490aca57c39.exe
  File created                 | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | 4c7c0f5f613c66060cf3e490aca57c39.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 4c7c0f5f613c66060cf3e490aca57c39.exe
  pid  | process
  1668 | 4c7c0f5f613c66060cf3e490aca57c39.exe
  1668 | 4c7c0f5f613c66060cf3e490aca57c39.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: 4c7c0f5f613c66060cf3e490aca57c39.exe
  pid  | process
  1668 | 4c7c0f5f613c66060cf3e490aca57c39.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: 4c7c0f5f613c66060cf3e490aca57c39.exe
  description             | pid  | process
  Token: SeDebugPrivilege | 1668 | 4c7c0f5f613c66060cf3e490aca57c39.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 4c7c0f5f613c66060cf3e490aca57c39.exe
  description                      | pid  | process                              | target process
  PID 1668 wrote to memory of 880  | 1668 | 4c7c0f5f613c66060cf3e490aca57c39.exe | schtasks.exe
  PID 1668 wrote to memory of 880  | 1668 | 4c7c0f5f613c66060cf3e490aca57c39.exe | schtasks.exe
  PID 1668 wrote to memory of 880  | 1668 | 4c7c0f5f613c66060cf3e490aca57c39.exe | schtasks.exe
  PID 1668 wrote to memory of 880  | 1668 | 4c7c0f5f613c66060cf3e490aca57c39.exe | schtasks.exe
  PID 1668 wrote to memory of 1052 | 1668 | 4c7c0f5f613c66060cf3e490aca57c39.exe | schtasks.exe
  PID 1668 wrote to memory of 1052 | 1668 | 4c7c0f5f613c66060cf3e490aca57c39.exe | schtasks.exe
  PID 1668 wrote to memory of 1052 | 1668 | 4c7c0f5f613c66060cf3e490aca57c39.exe | schtasks.exe
  PID 1668 wrote to memory of 1052 | 1668 | 4c7c0f5f613c66060cf3e490aca57c39.exe | schtasks.exe
Processes

C:\Users\Admin\AppData\Local\Temp\4c7c0f5f613c66060cf3e490aca57c39.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4c7c0f5f613c66060cf3e490aca57c39.exe"
  PID: 1668
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFEE9.tmp"
    PID: 880
    - Creates scheduled task(s)

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp10C.tmp"
    PID: 1052
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1KB
MD5: 981e126601526eaa5b0ad45c496c4465
SHA1: d610d6a21a8420cc73fcd3e54ddae75a5897b28b
SHA256: 11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527
SHA512: a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb

Filesize: 1KB
MD5: b251b92dd22966c7b58160514ac81dfd
SHA1: c1a1c3a06ef0dc3f323d62120b9844be609f4ac6
SHA256: 2819149b5b5c963b834473bf8ed8ed107506fddc36b76626ff0c710cd7180a4e
SHA512: e3e47c7ca69c76102e364742a6b0d02fc2e13bb33e21333f23a739df5f7438821fea326c31ec6fe53735d99457d0b5d4c972c2cff9e2a3b69ed542a961750b3b