Analysis
max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2023 08:13
Static task: static1
Behavioral task: behavioral1
  Sample: $R4295TC.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: $R4295TC.exe
  Resource: win10v2004-20230220-en
General
Target: $R4295TC.exe
Size: 704KB
MD5: 6654ca07a1ddf0171872417ec5fa6c10
SHA1: bfa6bbd7137f70e9b5e48ad0b42bed0b98461d42
SHA256: dc27e3afaa0f30ad02fb6413c662952b98ae599a44ef2025ff0903839f5b055c
SHA512: 144b5fe71c475d8d045f0256084fd88bc8648c6522448624ffbfa4d378d97890c622eb012779a95adbb34e9b5bca3d750130511454a027929c74c1e2215c836a
SSDEEP: 12288:BcfGSFEwmcP+4CxrprcqSRSb9EPSn4DmWtFqtjfmTax2pcZbT:BcfPEMLYFGUEPSnKVEQrIbT
Malware Config
Signatures

Program crash 1 IoCs
  pid: 4264, pid_target: 2228, Process: WerFault.exe, procid_target: 83

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (Process: taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (Process: taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (Process: taskmgr.exe)

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Process: taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process: taskmgr.exe)

Suspicious behavior: EnumeratesProcesses 46 IoCs
  pid: 3512, Process: taskmgr.exe (all 46 IoCs are this same process)

Suspicious use of AdjustPrivilegeToken 3 IoCs
  Token: SeDebugPrivilege (pid: 3512, Process: taskmgr.exe)
  Token: SeSystemProfilePrivilege (pid: 3512, Process: taskmgr.exe)
  Token: SeCreateGlobalPrivilege (pid: 3512, Process: taskmgr.exe)

Suspicious use of FindShellTrayWindow 59 IoCs
  pid: 3512, Process: taskmgr.exe (all 59 IoCs are this same process)

Suspicious use of SendNotifyMessage 58 IoCs
  pid: 3512, Process: taskmgr.exe (all 58 IoCs are this same process)
Processes

C:\Users\Admin\AppData\Local\Temp\$R4295TC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\$R4295TC.exe"
  PID: 2228
  Child process:
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 484
      PID: 4264
      Signatures:
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2228 -ip 2228
  PID: 2020

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 3512
  Signatures:
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage