5f7d9ee253fbd18a7f7ede3f9427d15d4957ca26e7f1e8c5d9a8c99235945eed | Triage

Analysis

max time kernel
133s
max time network
137s
platform
windows10-1703_x64
resource
win10-20231129-en
resource tags

arch:x64arch:x86image:win10-20231129-enlocale:en-usos:windows10-1703-x64system
submitted
11/12/2023, 01:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2.exe
Size

902KB
MD5

34a98268ac65cb4ab39175f4035d95ef
SHA1

37aae493e8ca8caa792fb7a4a26859826f3c28e5
SHA256

8e127555bfa80d79e62cf239f53fe66783dc11f5dbe1e42925a0ee9535a85c31
SHA512

2c3775145e1397fa8e2ad8c546079a6e747d241d0bdf30478cc97e378fa62fd66445762fe70d24004b720e56b53b42db38d45c0eb8477a2c65ebc19bf7aa1222
SSDEEP

6144:cedQzQcAKMRUOUqN+0sE6I9raFU4t9nF20bK4rLxWYqaUGrJ+bHpq1:ced6QmMRrNL6e4TFbEYqazrJMg1

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
4336	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe
4892	2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4892	2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	2.exe
Token: 33	1832	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1832	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4892	2.exe
4892	2.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 4336	4892	2.exe	45
PID 4892 wrote to memory of 4336	4892	2.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn CClanarTask /tr C:\Users\Admin\AppData\Local\Temp\2.exe
  2⤵
  - Creates scheduled task(s)
  PID:4336

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x394
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Users\Admin\AppData\Local\Temp\2.exe
C:\Users\Admin\AppData\Local\Temp\2.exe
1⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\2.exe
C:\Users\Admin\AppData\Local\Temp\2.exe
1⤵
PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\2.exe.log

Filesize
774B

MD5
f0943f59d8efaf34fb55545bc6ad563a

SHA1
b475689f93b636e1773c958d04b7b3a0e5677396

SHA256
5b74f9ea64bf24af07fd3ac7416729bd4b76db85607465b9f2c2fe4b9e15af6f

SHA512
1fb2526d272d4ed7d7922c8c74cca4ae04911a253c7a397c628758c6a5a215c95f7c7870a893abc0dff99a2a6588d28645b9621b1a0b240fe7dc8b11bda272d5

Download Submit
memory/2060-62-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/2060-66-0x00007FFC06540000-0x00007FFC06EE0000-memory.dmp

Filesize
9.6MB

Download
memory/2060-63-0x00007FFC06540000-0x00007FFC06EE0000-memory.dmp

Filesize
9.6MB

Download
memory/2060-61-0x00007FFC06540000-0x00007FFC06EE0000-memory.dmp

Filesize
9.6MB

Download
memory/3420-71-0x00007FFC06540000-0x00007FFC06EE0000-memory.dmp

Filesize
9.6MB

Download
memory/3420-68-0x00007FFC06540000-0x00007FFC06EE0000-memory.dmp

Filesize
9.6MB

Download
memory/3420-70-0x00007FFC06540000-0x00007FFC06EE0000-memory.dmp

Filesize
9.6MB

Download
memory/3420-69-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download
memory/4892-0-0x000000001B5D0000-0x000000001B676000-memory.dmp

Filesize
664KB

Download
memory/4892-8-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4892-37-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4892-38-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4892-54-0x00007FFC06540000-0x00007FFC06EE0000-memory.dmp

Filesize
9.6MB

Download
memory/4892-55-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4892-57-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4892-56-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4892-58-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4892-59-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4892-60-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4892-36-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4892-9-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4892-2-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4892-64-0x0000000020C50000-0x0000000020C74000-memory.dmp

Filesize
144KB

Download
memory/4892-7-0x000000001C250000-0x000000001C29C000-memory.dmp

Filesize
304KB

Download
memory/4892-6-0x000000001B480000-0x000000001B488000-memory.dmp

Filesize
32KB

Download
memory/4892-1-0x00007FFC06540000-0x00007FFC06EE0000-memory.dmp

Filesize
9.6MB

Download
memory/4892-3-0x000000001BB50000-0x000000001C01E000-memory.dmp

Filesize
4.8MB

Download
memory/4892-4-0x00007FFC06540000-0x00007FFC06EE0000-memory.dmp

Filesize
9.6MB

Download
memory/4892-5-0x000000001C0F0000-0x000000001C18C000-memory.dmp

Filesize
624KB

Download