Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-1703_x64 -
resource
win10-20231020-en -
resource tags
arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system -
submitted
17-11-2023 01:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Client.exe
Resource
win10-20231020-en
windows10-1703-x64
11 signatures
150 seconds
General
-
Target
Client.exe
-
Size
156KB
-
MD5
a0e75a2c85b92f57dacfc23abca49e13
-
SHA1
7ac5d02431ba56e5409957e08f8ac0fff28dff5c
-
SHA256
eca3ebb192d70aad680a4c202d6d894c2393f73f52f34e215f970eb280c132ca
-
SHA512
0931d46dfb89fe09afbf3b61f0b53e8de26a4a6de6db5739e070cae105d5515e2ff9ed731d81c015bc7f0f4a0e0723249edab7f02e7289d267be710fd77982e2
-
SSDEEP
3072:s2pPQ/UD9czWHsp10bEJrkv8nzDpw6EnERND6a9l3Wb1j+D:s2poMBLo1GEJrkH6EniJUb
Score
9/10
Malware Config
Signatures
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Client.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools Client.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Client.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Client.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Client.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 Client.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\rescache\_merged\1601268389\3877292338.pri taskmgr.exe File created C:\Windows\rescache\_merged\4183903823\810424605.pri taskmgr.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2216 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2288 Client.exe Token: SeDebugPrivilege 2216 taskmgr.exe Token: SeSystemProfilePrivilege 2216 taskmgr.exe Token: SeCreateGlobalPrivilege 2216 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe 2216 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2216