Analysis
max time kernel: 130s
max time network: 142s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 16/11/2022, 17:22

Behavioral task: behavioral1
Sample: 0x00070000000133dd-55.exe
Resource: win7-20221111-en

General
Target: 0x00070000000133dd-55.exe
Size: 203KB
MD5: 1f09eca585c701bbbf4a63ce5e1771f6
SHA1: 8b3405e33b91e3d6b3860afa86e6c98a5e908abb
SHA256: b4869c17fe516e2f8fe649349710de4b7e8667a30714fe66746fe6248025a36b
SHA512: 4a28f0ea613ad9ad0f1f33dac804b6918da75a509cd7dea04bc9fc2cb89cffe85eacc187811baf8f4b6e9de22e51ec9fe2ab3939ec311eb0b7bb877aa3f2215c
SSDEEP: 3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIqhDcdg0nZfileCvGZ49hpUOwZ:sLV6Bta6dtJmakIM59V0wQr8aOwZ
Malware Config
Signatures
Checks whether UAC is enabled
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 0x00070000000133dd-55.exe)

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 956: schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
PID 1304: 0x00070000000133dd-55.exe (2 occurrences)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
PID 1304: 0x00070000000133dd-55.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Token: SeDebugPrivilege, PID 1304: 0x00070000000133dd-55.exe

Suspicious use of WriteProcessMemory 4 IoCs
PID 1304 (0x00070000000133dd-55.exe) wrote to memory of PID 956, procid_target 28 (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0x00070000000133dd-55.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0x00070000000133dd-55.exe"
   PID: 1304
   - Checks whether UAC is enabled
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. (child of PID 1304) C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "PCI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFBA.tmp"
      PID: 956
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: 072ceb82811717faf72e59a39f27e9a2
SHA1: d70d266cd6448ede16c77da0358a158f2e785e49
SHA256: 3f4e7b4932f31d0af570b83f4cf98112f168736f2a97bab88c69b2f1a56edfef
SHA512: caf754391f13b9e668ca385642c0212fae1f8ef2cfb9a03c2f3a3fb8f87eac55a9f4a91f7b41d85769338be48d1e511f0b354ed0a41fdab573b1094faab1b80f