Analysis
Max time kernel: 148s
Max time network: 156s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 05-04-2023 11:04
Behavioral task: behavioral1
Sample: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
Resource: win7-20230220-en
General
Target: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
Size: 203KB
MD5: 1e22a8cf1859f0d1a75e71d719ea989d
SHA1: 74c8f071a1ecee655576adebe57dea9d1b28ed67
SHA256: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed
SHA512: bad49ab1ab9e0dc05076eba1103039f12ac73c3663d2b5aa27b9d565de8eec42f9e089fba59a0fa49acf757ee97c590855b3958b217a3c4608a6630d7320c7c3
SSDEEP: 3072:MzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIvl4CGa26WwEx4JRCDqEvwtwQt:MLV6Bta6dtJmakIM544ba26SAED1wtDt
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SAAS Monitor = "C:\\Program Files (x86)\\SAAS Monitor\\saasmon.exe"

Checks whether UAC is enabled
  Process: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Drops file in Program Files directory (2 IoCs)
  Process: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
  File created: C:\Program Files (x86)\SAAS Monitor\saasmon.exe
  File opened for modification: C:\Program Files (x86)\SAAS Monitor\saasmon.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3428: schtasks.exe
  PID 1256: schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 2992: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe (3 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2992: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2992: 1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2992 (1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe) wrote to memory of PID 3428 (schtasks.exe), 3 occurrences
  PID 2992 (1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe) wrote to memory of PID 1256 (schtasks.exe), 3 occurrences
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe"
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "SAAS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEA26.tmp"
- Creates scheduled task(s)
-
  [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "SAAS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEC98.tmp"
- Creates scheduled task(s)
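The process tree above shows the whole persistence pattern: the sample (PID 2992) writes a Run key under HKLM, drops saasmon.exe into Program Files (x86), and spawns schtasks.exe twice with /create /f /xml, so each task's trigger and action live in a 1KB XML file in the user's Temp directory (the two tmp files listed under Downloads) rather than on the command line. The Python below is an added example, not part of the sandbox report or the sample: it runs simple detection logic over constructed process-creation and registry-set events shaped after this report, flags schtasks /create calls whose /xml file or parent process lives in a user-writable directory together with Run-key writes, and correlates them by the parent PID. The event layout, the USER_WRITABLE directory list and the benign "Backup Nightly" control event are assumptions of the example.

```python
"""Detect the schtasks /create + Run-key persistence pattern from host events.

All events below are constructed for this example (shaped loosely after Sysmon
EventID 1 process-create and EventID 13 registry-set records); they are not
output of the sandbox run described in the report.
"""
import re
import shlex

SAMPLE_EXE = "1070dee071d8bb8f8f267bbd512bf24741602941071d22a59c8da62fc2574bed.exe"
TEMP_DIR = "C:\\Users\\Admin\\AppData\\Local\\Temp"
SAMPLE_PATH = TEMP_DIR + "\\" + SAMPLE_EXE

SAMPLE_EVENTS = [
    {"type": "process", "pid": 2992, "ppid": 1, "image": SAMPLE_PATH,
     "cmdline": '"' + SAMPLE_PATH + '"'},
    {"type": "process", "pid": 3428, "ppid": 2992,
     "image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "cmdline": '"schtasks.exe" /create /f /tn "SAAS Monitor" /xml "'
                + TEMP_DIR + '\\tmpEA26.tmp"'},
    {"type": "process", "pid": 1256, "ppid": 2992,
     "image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "cmdline": '"schtasks.exe" /create /f /tn "SAAS Monitor Task" /xml "'
                + TEMP_DIR + '\\tmpEC98.tmp"'},
    # Constructed benign control: task XML shipped inside an install directory.
    {"type": "process", "pid": 4100, "ppid": 900,
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn "Backup Nightly" '
                '/xml "C:\\Program Files\\BackupTool\\nightly.xml"'},
    {"type": "registry", "pid": 2992,
     "key": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "SAAS Monitor",
     "data": "C:\\Program Files (x86)\\SAAS Monitor\\saasmon.exe"},
]

# Directories an unprivileged user can write to (assumption of this example).
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
# Autostart keys in either the native or the WOW6432Node registry view.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)


def parse_schtasks(cmdline):
    """Return {'task_name', 'xml', 'force'} for a schtasks /create call, else None.

    posix=False keeps Windows backslashes literal and quoted arguments intact.
    """
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return None
    flags, i = {}, 1
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in ("/tn", "/xml", "/tr", "/sc") and i + 1 < len(tokens):
            flags[tok] = tokens[i + 1]      # switches that take a value
            i += 2
            continue
        flags[tok] = True                   # bare switches such as /create, /f
        i += 1
    if "/create" not in flags:
        return None
    return {"task_name": flags.get("/tn"), "xml": flags.get("/xml"),
            "force": "/f" in flags}


def detect(events):
    """Return findings for suspicious task creation and Run-key writes."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "registry":
            if RUN_KEY.search(e["key"]):
                findings.append({"kind": "run_key", "pid": e["pid"],
                                 "value": e["value"], "data": e["data"]})
            continue
        task = parse_schtasks(e["cmdline"])
        if task is None:
            continue
        parent = procs.get(e["ppid"])
        reasons = []
        if task["xml"] and USER_WRITABLE.search(task["xml"]):
            reasons.append("task XML imported from a user-writable directory")
        if parent and USER_WRITABLE.search(parent["image"]):
            reasons.append("parent process runs from a user-writable directory")
        if reasons:
            # Attribute the task to the parent that launched schtasks.exe.
            findings.append({"kind": "scheduled_task", "pid": e["ppid"],
                             "task": task["task_name"], "xml": task["xml"],
                             "force": task["force"], "reasons": reasons})
    return findings


def persistence_by_process(findings):
    """Group findings by the process that established the persistence."""
    out = {}
    for f in findings:
        slot = out.setdefault(f["pid"], {"tasks": [], "run_keys": []})
        if f["kind"] == "scheduled_task":
            slot["tasks"].append(f["task"])
        else:
            slot["run_keys"].append(f["value"])
    return out


if __name__ == "__main__":
    for pid, summary in persistence_by_process(detect(SAMPLE_EVENTS)).items():
        print(f"PID {pid}: tasks={summary['tasks']} run_keys={summary['run_keys']}")
```

Two caveats the report itself supports: the Run key lands under WOW6432Node because a 32-bit process (note the SysWOW64 copy of schtasks.exe being spawned) writing to HKLM\SOFTWARE on x64 Windows is redirected there, and entries in that redirected key are still executed at logon, so a hunt that reads only the 64-bit view of the key misses it. And /f makes schtasks overwrite an existing task of the same name without complaint, so a repeat infection produces no "task already exists" error to alert on.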
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEA26.tmp
  Filesize: 1KB
  MD5: 7874fe7b7625be67910dcf6e30d9f02f
  SHA1: c31fb91af3ad2b26d05abcdaa5162a856a200a2b
  SHA256: 8a8dff441220ec99772114013607f1e20c5de18d5aebec6d28cd15106725f6d7
  SHA512: 51bd5f4ccc6e16cde02e93f74c44e3247f441990dfb8bd57be20c8fdadbdc008610581b5f58cff4a08a634dad09d11378691de3f59783c35664156e6351a8385

C:\Users\Admin\AppData\Local\Temp\tmpEC98.tmp
  Filesize: 1KB
  MD5: 8a92e4176a36b704a55c4888e04853e2
  SHA1: 6efbd8d0097e2632ca90083974b845f93e5b6a5c
  SHA256: 91f88494715f51246ed7255ad4bba50e2f5dec26bef203f31450a6a8e1443cdd
  SHA512: 4ea87f28391b022cfad5e0f695c2413a5addb18a6e9fdf9c56c4121253cf6e532110da8200b1c57b43ee85ed047f1530b1516a7c689c9574af069176114fa157

memory/2992-133-0x00000000007A0000-0x00000000007B0000-memory.dmp
  Filesize: 64KB

memory/2992-141-0x00000000007A0000-0x00000000007B0000-memory.dmp
  Filesize: 64KB

memory/2992-142-0x00000000007A0000-0x00000000007B0000-memory.dmp
  Filesize: 64KB