Analysis
-
max time kernel
209s -
max time network
212s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
10-10-2023 13:48
General
-
Target
http://www.tekdefense.com/downloads/malware-samples/340s.exe.zip
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 60 IoCs
-
Suspicious use of SendNotifyMessage 51 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://www.tekdefense.com/downloads/malware-samples/340s.exe.zip"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://www.tekdefense.com/downloads/malware-samples/340s.exe.zip2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2452.0.360836586\70102158" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {771557cc-8382-428c-9604-c2697f26f044} 2452 "\\.\pipe\gecko-crash-server-pipe.2452" 1964 1653d7d9058 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2452.1.1186748185\1997460787" -parentBuildID 20221007134813 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 21676 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5366d02-df1c-446e-aba2-6cbdddac7484} 2452 "\\.\pipe\gecko-crash-server-pipe.2452" 2384 16530d71c58 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2452.2.1733330722\716667382" -childID 1 -isForBrowser -prefsHandle 3104 -prefMapHandle 3144 -prefsLen 21714 -prefMapSize 232645 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7899480e-7432-4573-8ddb-c4a2a7cf26c6} 2452 "\\.\pipe\gecko-crash-server-pipe.2452" 2948 165413f3158 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2452.3.236591982\1300473557" -childID 2 -isForBrowser -prefsHandle 3632 -prefMapHandle 3628 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8ed20bd-7325-4b58-b834-98b0c7a91f6e} 2452 "\\.\pipe\gecko-crash-server-pipe.2452" 3644 16530d68758 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2452.5.576543537\1191525669" -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5364 -prefsLen 26633 -prefMapSize 232645 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87facef9-ac33-480d-8564-5dad05d0c8f0} 2452 "\\.\pipe\gecko-crash-server-pipe.2452" 5352 16544555e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2452.6.501739774\1528722948" -childID 5 -isForBrowser -prefsHandle 5340 -prefMapHandle 5344 -prefsLen 26633 -prefMapSize 232645 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d8ea7dc-0eab-44e2-9ffc-2edca326be6d} 2452 "\\.\pipe\gecko-crash-server-pipe.2452" 5224 16544556758 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2452.4.253023678\818591263" -childID 3 -isForBrowser -prefsHandle 5220 -prefMapHandle 5216 -prefsLen 26633 -prefMapSize 232645 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ff89429-0070-448b-a73b-fc26500a19f2} 2452 "\\.\pipe\gecko-crash-server-pipe.2452" 5224 16544558258 tab3⤵
-
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\340s.exe.zip"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\Desktop\340s.exe"C:\Users\Admin\Desktop\340s.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Dygao\esnoa.exe"C:\Users\Admin\AppData\Roaming\Dygao\esnoa.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpade8a93f.bat"3⤵
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Roaming\Dygao\esnoa.exe"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Roaming\Dygao\tyghhfg.zip"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO8DA3DF4A\esnoa.exe"3⤵
- Opens file in notepad (likely ransom note)
-
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD5765fd2fdea4b53c5b42304abd9a9e1c4
SHA1a2eaab59ccbdee092f26392a46b9682f3150a68d
SHA256e3bd03a84fd7006fcc74ecac4786601c359b08701705c66ed038ecbfc0340a7c
SHA5123457365e5d81a9fb5c6cabd780998d17ab06fa5e0423b697256772679536d20e086ae59859644e1e7614bad5d5be3d958864b5c5d3d563c294a1ebc9ed96212e
-
Filesize
348KB
MD5553877fc160523d45bcd6390d32587a1
SHA17b62e4fe6fab14b08ef5a6c99639cd55185ed31a
SHA2561cddee7c56bb52ae1a0238f5c194d84cd3f9498c893852e44640d4d91d3c8f69
SHA512c58df5ec486eae814b4c45cc8716c82a67cada89e5b44ce5a2f99b8f8b2f4669f678b6c261d3a9e3bf9ef5f72125aa4fc6496196a56f28a607e1e76852ee0de4
-
Filesize
165B
MD5caa7ad71f1139f7267fcd118d533018b
SHA18f3debacc573220c5c43c1420f7da011d634a670
SHA25604a233bd5cb9fd8d9ad1de92fb73cd734b1f6eb2befdc6f054f23447c4ccf626
SHA51289e28fb5a19b586aeb61fa9c6ddf9ecb27647b5cd62507ee118b96ff942856597ee8b650483c002edf0e344c52c5e8722939489e452b5e0dcc2ec69aeeb76235
-
Filesize
348KB
MD5553877fc160523d45bcd6390d32587a1
SHA17b62e4fe6fab14b08ef5a6c99639cd55185ed31a
SHA2561cddee7c56bb52ae1a0238f5c194d84cd3f9498c893852e44640d4d91d3c8f69
SHA512c58df5ec486eae814b4c45cc8716c82a67cada89e5b44ce5a2f99b8f8b2f4669f678b6c261d3a9e3bf9ef5f72125aa4fc6496196a56f28a607e1e76852ee0de4
-
Filesize
348KB
MD5553877fc160523d45bcd6390d32587a1
SHA17b62e4fe6fab14b08ef5a6c99639cd55185ed31a
SHA2561cddee7c56bb52ae1a0238f5c194d84cd3f9498c893852e44640d4d91d3c8f69
SHA512c58df5ec486eae814b4c45cc8716c82a67cada89e5b44ce5a2f99b8f8b2f4669f678b6c261d3a9e3bf9ef5f72125aa4fc6496196a56f28a607e1e76852ee0de4
-
Filesize
348KB
MD5553877fc160523d45bcd6390d32587a1
SHA17b62e4fe6fab14b08ef5a6c99639cd55185ed31a
SHA2561cddee7c56bb52ae1a0238f5c194d84cd3f9498c893852e44640d4d91d3c8f69
SHA512c58df5ec486eae814b4c45cc8716c82a67cada89e5b44ce5a2f99b8f8b2f4669f678b6c261d3a9e3bf9ef5f72125aa4fc6496196a56f28a607e1e76852ee0de4
-
Filesize
6KB
MD508f9b7a50681a7cc5d2fbd1e156260ba
SHA1bfd74fb318ef80eb711c15e4b3b00b78c9d0edbc
SHA2564c08cb43d535bbdb30c1d13f23ef87e738d3e02ac149f676466cb47457ed67a7
SHA5127fbeab02cd4f184ccd5af089582ec3ac787df0bf4d5040694b98f11babe8487aa40460e1f8b35e65651135d5e5db4da58bcf96134dcece790b9c100e662c70ce
-
Filesize
6KB
MD55babc50752472e9d0828361a757b63f4
SHA12707efb9ad63dad7b637832b8a2dd1fc17897871
SHA256b307e595517efcc0245d167e4432e0bd1a4bf59cdb553b04ea764592d2e00572
SHA512857e6194d8aee95f271f3cc67c2f57ac75c9301c3ffa7f442077205d86f977f514d46ccd6fad3ee9470e910dee7b3c14377963132b2d681ffbbe7a3902cb4d9b
-
Filesize
6KB
MD57871a6175c73b03ddabc7446d687f465
SHA1c4fe1fa3dbac37080d05e5f0bc2ee6243248cb60
SHA256486f7d263ff81d1f3e75a6e50768114c7d76383059fc138370d273e1d7ad6fa6
SHA512533165c173305a4f0468351f55993d3d8d42ea0c83e4bc38673716237688bf258daaee1f5194307ae2b5b1671392fb05e839bb7463c43355fb0c3b507186de3f
-
Filesize
288B
MD5948a7403e323297c6bb8a5c791b42866
SHA188a555717e8a4a33eccfb7d47a2a4aa31038f9c0
SHA2562fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
SHA51217e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a
-
Filesize
880B
MD541f366722a85a5deda0e2f3758502f18
SHA1a084b34529f1cd70cbca4900754d6216cf7311b3
SHA256c9038c71fa9cf048c0d8d207a1852c549069158d4b57bcb6acef731f1b076591
SHA5128fec20199491a94efb88279da6f0d8a98a6df5df3a243027c52baafecb954f3aea3af5c1e4acc4418416f6f80ef77d759b37ba0721b2c28caea845a942c69db9
-
Filesize
348KB
MD548cd89827939b3a8976d9bb0993bc338
SHA1dd1e7e6cae69fd7520cef4269af3e0318af42bfa
SHA256761de33e1c3d08865f5f2d0cfc84c3b5401c7915a2953ca6b8c2fddbb007556b
SHA51248067b6478e79b812e8b7f3e47a79ce2975a15c7d8ccbac006066c0daae4e2dd9446b2510e379f6d1acb15ffe3d6e28f9315c49f83017dd485a186023c1522df
-
Filesize
348KB
MD548cd89827939b3a8976d9bb0993bc338
SHA1dd1e7e6cae69fd7520cef4269af3e0318af42bfa
SHA256761de33e1c3d08865f5f2d0cfc84c3b5401c7915a2953ca6b8c2fddbb007556b
SHA51248067b6478e79b812e8b7f3e47a79ce2975a15c7d8ccbac006066c0daae4e2dd9446b2510e379f6d1acb15ffe3d6e28f9315c49f83017dd485a186023c1522df
-
Filesize
274KB
MD527cb168f160b065e3a3f4c8305b6a7e6
SHA1fac125aebc3c05ed06343e0a531f87c4779a7365
SHA25678cb65344e391ac016cac2f0281256b63705cf397218de7613bf34d1cf06b0b5
SHA512c5389137c423b829099175921368e8e936675f8a16d0fa216e28d6d81d86e7caa6c515d68cc61655f1869ff1fd786b2344a0ddf8fc088dad77affea8ebc4f98e
-
Filesize
274KB
MD527cb168f160b065e3a3f4c8305b6a7e6
SHA1fac125aebc3c05ed06343e0a531f87c4779a7365
SHA25678cb65344e391ac016cac2f0281256b63705cf397218de7613bf34d1cf06b0b5
SHA512c5389137c423b829099175921368e8e936675f8a16d0fa216e28d6d81d86e7caa6c515d68cc61655f1869ff1fd786b2344a0ddf8fc088dad77affea8ebc4f98e
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
280KB
-
Filesize
64KB
-
Filesize
280KB
-
Filesize
64KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
64KB
-
Filesize
280KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
64KB
-
Filesize
280KB
-
Filesize
64KB
-
Filesize
280KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
280KB