Analysis
  max time kernel:   60s
  max time network:  63s
  platform:          windows10-2004_x64
  resource:          win10v2004-20230220-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         04-06-2023 23:03
Behavioral task: behavioral1
  Sample:    Setup.exe
  Resource:  win10v2004-20230220-en
General
  Target:  Setup.exe
  Size:    1.6MB
  MD5:     ce6eaa52767b2df78b34519231966588
  SHA1:    ab32d09951189022a1a39e9204ec9ce2926b3fcf
  SHA256:  40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5
  SHA512:  36a09fe704823d6db5d0982d761ba1976c940b82b7c1ca650627d66e16b420612b78c761f2ed00e533453eeb2dd7e431cf47b0c2cf826354aa6e779fda531067
  SSDEEP:  24576:Kqahn0IQ3i57AmG8W7+IZ0nwwoNR2+uBL8hxCMcIYwTxKAyuxCQyD2uG8wT5ngZx:KasHPBQxC/wTW2owTdIfpSKc
Malware Config
Signatures
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    37    api.db-ip.com
    5     ipinfo.io
    6     ipinfo.io
    36    api.db-ip.com
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: taskmgr.exe
    description        ioc                                                                                                                                     process
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                            taskmgr.exe
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                        taskmgr.exe
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: taskmgr.exe
    description        ioc                                                                          process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0             taskmgr.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (41 IoCs)
  Processes: taskmgr.exe
    pid  process
    460  taskmgr.exe  (41 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: taskmgr.exe
    description                     pid  process
    Token: SeDebugPrivilege         460  taskmgr.exe
    Token: SeSystemProfilePrivilege 460  taskmgr.exe
    Token: SeCreateGlobalPrivilege  460  taskmgr.exe
- Suspicious use of FindShellTrayWindow (54 IoCs)
  Processes: taskmgr.exe
    pid  process
    460  taskmgr.exe  (54 identical entries)
- Suspicious use of SendNotifyMessage (53 IoCs)
  Processes: taskmgr.exe
    pid  process
    460  taskmgr.exe  (53 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
- C:\Windows\system32\taskmgr.exe
    command line: "C:\Windows\system32\taskmgr.exe" /4
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  name                                                              filesize
- memory/460-133-0x0000016106960000-0x0000016106961000-memory.dmp  4KB
- memory/460-134-0x0000016106960000-0x0000016106961000-memory.dmp  4KB
- memory/460-135-0x0000016106960000-0x0000016106961000-memory.dmp  4KB
- memory/460-139-0x0000016106960000-0x0000016106961000-memory.dmp  4KB
- memory/460-140-0x0000016106960000-0x0000016106961000-memory.dmp  4KB
- memory/460-141-0x0000016106960000-0x0000016106961000-memory.dmp  4KB
- memory/460-143-0x0000016106960000-0x0000016106961000-memory.dmp  4KB
- memory/460-142-0x0000016106960000-0x0000016106961000-memory.dmp  4KB
- memory/460-145-0x0000016106960000-0x0000016106961000-memory.dmp  4KB
- memory/460-144-0x0000016106960000-0x0000016106961000-memory.dmp  4KB