Analysis
-
max time kernel
54s -
max time network
59s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
14/12/2022, 04:15
Static task
static1
Behavioral task
behavioral1
Sample
SAVE CORTANA.cmd
Resource
win10v2004-20221111-en
windows10-2004-x64
6 signatures
1800 seconds
General
-
Target
SAVE CORTANA.cmd
-
Size
158B
-
MD5
a648aea2d35cbc9ed1d5827cea95020e
-
SHA1
370a1e387f453464de24a45e30e47befa7e15172
-
SHA256
ebe18180b32bc2185a0e276c7efb3c33df2a49e40f5dc0d756400ce700ecdbc6
-
SHA512
909f73ab648fd7d2fc7ffa66861121d4d59a63ef479560fb4b4c8b5e571b2304c277c9c0b53f4b284cd02b30f1f2c533b15c977ff4fa0195fad2999d7416d6ee
Score
1/10
Malware Config
Signatures
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid Process 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 3296 taskmgr.exe Token: SeSystemProfilePrivilege 3296 taskmgr.exe Token: SeCreateGlobalPrivilege 3296 taskmgr.exe Token: 33 3296 taskmgr.exe Token: SeIncBasePriorityPrivilege 3296 taskmgr.exe -
Suspicious use of FindShellTrayWindow 44 IoCs
pid Process 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe -
Suspicious use of SendNotifyMessage 44 IoCs
pid Process 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe 3296 taskmgr.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SAVE CORTANA.cmd"1⤵PID:876
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3296