Analysis
max time kernel: 78s
max time network: 81s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 02-02-2023 11:40
Static task: static1
Behavioral task: behavioral1
  Sample: VoicemodDesktop.exe
  Resource: win10-20220812-en (windows10-1703-x64)
  8 signatures
  150 seconds
General
Target: VoicemodDesktop.exe
Size: 2.3MB
MD5: a7a9f1e62af46756fa9a398273bd532d
SHA1: 70336382aa5b56b7056b5595f43045d336656072
SHA256: b523b5c8e00d17dcccf9361de60b55a94b82b7c3f99e7a1bc8f360dfbf0085d3
SHA512: bd9e1c0cd2f8f5019c5e51ddd27d022a383f28897fc771af85d0f38c8ee1e72ea334e4f50b395d084a5bf2e0d1bf835d82209ef153da8f493f2ddbf9cca2ad5b
SSDEEP: 24576:IGLjWwo2aKdZqMx6v1UpexYxxNFscBh66afIaYYXpviEwromNzWF60O8wr+i:IgDq0GAlF7LafIXYXpdwBPew
Score: 4/10
Malware Config
Signatures

Drops file in Windows directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | taskmgr.exe
  File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | taskmgr.exe

Program crash (1 IoC)
  pid | pid_target | process | procid_target
  4744 | 2832 | WerFault.exe | 65

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid | process
  4836 | taskmgr.exe (24 identical entries)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4836 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4836 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4836 | taskmgr.exe
  Token: 33 | 4836 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 4836 | taskmgr.exe

Suspicious use of FindShellTrayWindow (50 IoCs)
  pid | process
  4836 | taskmgr.exe (50 identical entries)

Suspicious use of SendNotifyMessage (50 IoCs)
  pid | process
  4836 | taskmgr.exe (50 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\VoicemodDesktop.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\VoicemodDesktop.exe"
  PID: 2832
  child: C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 2832 -s 924
    signatures: Program crash
    PID: 4744

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  signatures: Drops file in Windows directory; Checks SCSI registry key(s); Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  PID: 4836

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3956