Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-01-2023 02:19
General
Target: New-Client.exe
Size: 28KB
MD5: 595eb9160ea60139e2834f8216667ab8
SHA1: 4ada679c3e5bd7b17171f77a062132f2d9b0805a
SHA256: 945b71b62abed5c7bca32598ce35d828e6519a87611e22d8bafdbd8580b88926
SHA512: 21938877df6b97325794e493cb51655f05b5e75269d8ac0e58c232acc95f037680d43cf1d795dc6af096cc0639770bd886e8f6012c44b12888fc720c4dd4a976
SSDEEP: 384:By+SbjTNKb186ki1AHJ/OWqD8A+kqvDKNrCeJE3WNgO3V/CpOcgvR5EQro3lc79Q:A+bm6ki1wJbA+ko45Nz/wOc85mrj
Malware Config
Signatures
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
484 | taskmgr.exe (10 identical IoC rows)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3624 | New-Client.exe
Token: SeDebugPrivilege | 3624 | New-Client.exe
Token: SeDebugPrivilege | 484 | taskmgr.exe
Token: SeSystemProfilePrivilege | 484 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 484 | taskmgr.exe
Token: 33 | 484 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 484 | taskmgr.exe
Suspicious use of FindShellTrayWindow (36 IoCs)
pid | Process
484 | taskmgr.exe (36 identical IoC rows)
Suspicious use of SendNotifyMessage (36 IoCs)
pid | Process
484 | taskmgr.exe (36 identical IoC rows)
Processes
C:\Users\Admin\AppData\Local\Temp\New-Client.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\New-Client.exe"
PID: 3624
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
PID: 484
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage