Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
01/12/2023, 10:19
Behavioral task
behavioral1
Sample
0x00070000000120b7-4.exe
Resource
win7-20231020-en
8 signatures
150 seconds
General
-
Target
0x00070000000120b7-4.exe
-
Size
202KB
-
MD5
63c5f6a42be7ba7fdd175360549a8176
-
SHA1
ed3f0ecf1f6e83d5ea8c27b5397ff2e2191bdc22
-
SHA256
5a8277de5871436e5e2b605eb07a1c29def195d649725b985be59732c1e5236b
-
SHA512
08797431fdba358a65a19e4f080dd9bf792aeaa991e0b82db321792da8ba9f063858efae17c35c719f64e597438c329f0f5c090e5af71351f9ff17fca69cb2cf
-
SSDEEP
6144:wLV6Bta6dtJmakIM5alWUu5LYkO0TrWS/:wLV6BtpmkJlM5LYkO0TKK
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe" 0x00070000000120b7-4.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 0x00070000000120b7-4.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\SMTP Manager\smtpmgr.exe 0x00070000000120b7-4.exe File opened for modification C:\Program Files (x86)\SMTP Manager\smtpmgr.exe 0x00070000000120b7-4.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3544 0x00070000000120b7-4.exe 3544 0x00070000000120b7-4.exe 3544 0x00070000000120b7-4.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3544 0x00070000000120b7-4.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3544 0x00070000000120b7-4.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0x00070000000120b7-4.exe"C:\Users\Admin\AppData\Local\Temp\0x00070000000120b7-4.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3544