Analysis
-
max time kernel
111s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
28-05-2023 17:13
Static task
static1
Behavioral task
behavioral1
Sample
message.js
Resource
win7-20230220-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral2
Sample
message.js
Resource
win10v2004-20230221-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
message.js
-
Size
34KB
-
MD5
47e5fb9ea1387c2fad8ff5d4a7ee89f5
-
SHA1
97af46fce0c87dced5a7fc3f1279de1ef38dd8e7
-
SHA256
628815d11c5aa782840f177991583669e4bd6474d0558a9b357e601d43406f8f
-
SHA512
0ac2366927d7bed64bb5e4ff014cbdcd005bf2de9152e6544e401678dc8ab282f2ff3c045d02226cf4edabe046acd153634618e95e7a67d5626e0abcfc22eb39
-
SSDEEP
384:EdL4toYmWWHJ+gLyTwV0O/ETTxTTINYACU8E:EdUXEHJ+gmFTTxTTK7
Score
1/10
Malware Config
Signatures
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 1852 taskmgr.exe Token: SeSystemProfilePrivilege 1852 taskmgr.exe Token: SeCreateGlobalPrivilege 1852 taskmgr.exe Token: 33 1852 taskmgr.exe Token: SeIncBasePriorityPrivilege 1852 taskmgr.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
pid Process 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe -
Suspicious use of SendNotifyMessage 34 IoCs
pid Process 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe 1852 taskmgr.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\message.js1⤵PID:3492
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1852