Analysis
- max time kernel: 135s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-05-2023 12:39
Static task: static1
Behavioral task: behavioral1
- Sample: Client-built.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Client-built.exe
- Resource: win10v2004-20230220-en
General
- Target: Client-built.exe
- Size: 247KB
- MD5: deb4b02c26f7e261ca702e5074085bd0
- SHA1: ed4f05f5fc5655daf48171e2e29dd2789ef215bd
- SHA256: 1e385183216df19a0faef80759e96e4617fcd01be3e9399cc226fad07771b736
- SHA512: 4359c4c32b688260d012e5850e3d7eab3fab03b801fd2c0c84ab602128c015864b5d46a767471a99fbbde7ab695469cedee02b17611970a117461833b02fe4e6
- SSDEEP: 6144:QWw35DFVd3bWp7QxA4bV2MxoJbtJ1bCWd:sDjd3bWh6bquWd
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1rVoaR3XjZIMbYwUCsZwzA7Un18WZ0Rq1OVdntW2cpo= = "C:\\Users\\Admin\\AppData\\Roaming\\NRGrH6o9muRgVea6UPDgyQIS9mYNXF0qN5xR+fqx3Ng=\\uZ6cnerV9yKdhYZM7whgzjqJJvUJA9k7SwLs1lfrEF4=" (process: Client-built.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (process: taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (process: taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (process: taskmgr.exe)
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings (process: Client-built.exe)
  Key created: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings (process: OpenWith.exe)
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  PID 816, taskmgr.exe (20 occurrences)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege, PID 4344, Client-built.exe
  Token: SeDebugPrivilege, PID 816, taskmgr.exe
  Token: SeSystemProfilePrivilege, PID 816, taskmgr.exe
  Token: SeCreateGlobalPrivilege, PID 816, taskmgr.exe
  Token: 33, PID 816, taskmgr.exe
  Token: SeIncBasePriorityPrivilege, PID 816, taskmgr.exe
- Suspicious use of FindShellTrayWindow (45 IoCs)
  PID 816, taskmgr.exe (45 occurrences)
- Suspicious use of SendNotifyMessage (45 IoCs)
  PID 816, taskmgr.exe (45 occurrences)
- Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 3908, OpenWith.exe (7 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 4344
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 3908
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 816
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\NRGrH6o9muRgVea6UPDgyQIS9mYNXF0qN5xR+fqx3Ng=\uZ6cnerV9yKdhYZM7whgzjqJJvUJA9k7SwLs1lfrEF4=
  Filesize: 247KB
  MD5: deb4b02c26f7e261ca702e5074085bd0
  SHA1: ed4f05f5fc5655daf48171e2e29dd2789ef215bd
  SHA256: 1e385183216df19a0faef80759e96e4617fcd01be3e9399cc226fad07771b736
  SHA512: 4359c4c32b688260d012e5850e3d7eab3fab03b801fd2c0c84ab602128c015864b5d46a767471a99fbbde7ab695469cedee02b17611970a117461833b02fe4e6