Analysis

max time kernel: 122s
max time network: 154s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 06/01/2024, 08:00
Behavioral task: behavioral1
Sample: a632a39ffdce2f2de984c6992d188986.exe
Resource: win7-20231215-en
General

Target: a632a39ffdce2f2de984c6992d188986.exe
Size: 533KB
MD5: a632a39ffdce2f2de984c6992d188986
SHA1: 7a1bb8fea06c819b7e575f9ef431af09151837eb
SHA256: 6800905847788c228e211fd1086dad6a20aa745d1351c0bd43d5f89aa58b1c9e
SHA512: a7a6f0bc2448f3222652882893c9b14e21f073dce0dc0509c534bd0e1219a8860278be485a1b41333f7b9dc969431aacd54701f4ca7eb9d615ffdf192452244b
SSDEEP: 12288:HLV6Btpmklh0YDwhTOSq5nyxUnfMgE9Pb/ji7u8LW:rApflh0Ik5vanhI/ku86
Malware Config

Signatures
Adds Run key to start application (2 TTPs, 1 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LAN Monitor = "C:\\Program Files\\LAN Monitor\\lanmon.exe" | a632a39ffdce2f2de984c6992d188986.exe

Checks whether UAC is enabled

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | a632a39ffdce2f2de984c6992d188986.exe
Drops file in Program Files directory (2 IoCs)

description | ioc | Process
File created | C:\Program Files\LAN Monitor\lanmon.exe | a632a39ffdce2f2de984c6992d188986.exe
File opened for modification | C:\Program Files\LAN Monitor\lanmon.exe | a632a39ffdce2f2de984c6992d188986.exe
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid | Process
1528 | schtasks.exe
2824 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)

pid | Process
2448 | a632a39ffdce2f2de984c6992d188986.exe
2448 | a632a39ffdce2f2de984c6992d188986.exe
2448 | a632a39ffdce2f2de984c6992d188986.exe
2448 | a632a39ffdce2f2de984c6992d188986.exe
2448 | a632a39ffdce2f2de984c6992d188986.exe
2448 | a632a39ffdce2f2de984c6992d188986.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

pid | Process
2448 | a632a39ffdce2f2de984c6992d188986.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 2448 | a632a39ffdce2f2de984c6992d188986.exe
Token: SeDebugPrivilege | 2448 | a632a39ffdce2f2de984c6992d188986.exe
Suspicious use of WriteProcessMemory (6 IoCs)

description | pid | Process | procid_target
PID 2448 wrote to memory of 1528 | 2448 | a632a39ffdce2f2de984c6992d188986.exe | 28
PID 2448 wrote to memory of 1528 | 2448 | a632a39ffdce2f2de984c6992d188986.exe | 28
PID 2448 wrote to memory of 1528 | 2448 | a632a39ffdce2f2de984c6992d188986.exe | 28
PID 2448 wrote to memory of 2824 | 2448 | a632a39ffdce2f2de984c6992d188986.exe | 30
PID 2448 wrote to memory of 2824 | 2448 | a632a39ffdce2f2de984c6992d188986.exe | 30
PID 2448 wrote to memory of 2824 | 2448 | a632a39ffdce2f2de984c6992d188986.exe | 30
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986.exe"
    PID: 2448
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7D89.tmp"
        PID: 1528
        - Creates scheduled task(s)

    C:\Windows\system32\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "LAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp85F3.tmp"
        PID: 2824
        - Creates scheduled task(s)
Network

MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 029e60b39959bba895979975e33b96a5
SHA1: ebd492c14ffb3733d315adc7378175a4de8d4104
SHA256: 037de60417e4d3866d82505a021651fd8101ad0c4270e86a1cc3c272dde08196
SHA512: 8977daaa0da4713c3802562402731d201c063385cd86728e81528a4b419f8a8302f6408e53906b69ebace2fc83b5567c2a6b6cf25958b3f73db3874909ef82bd

Filesize: 1KB
MD5: 5ed3301e36e3359905df2c1d8fee55f9
SHA1: 87f3dd865a35a183a95b70670837aff59acab4c1
SHA256: b6b1ccf23addd989edab37c3c63997814126559be20653e5b219bfcb0afef0f8
SHA512: 5b2eaa5ad2f0cedb509b459407e0260bee6760cca7ca04f62afad6d5b2ae7dbdd19a443012e7d71476f5f6433a72d6c4b111580b7b592010c1e966155cd828a4