Analysis
max time kernel: 119s
max time network: 154s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 06/01/2024, 10:23
Static task: static1
Behavioral task: behavioral1
Sample: abb84f7bbcc5585765153cd445c8c07d.exe
Resource: win7-20231215-en
General
Target: abb84f7bbcc5585765153cd445c8c07d.exe
Size: 1.1MB
MD5: abb84f7bbcc5585765153cd445c8c07d
SHA1: 69707e556ebd88aec6414c0c5a481b235ad2eead
SHA256: 149e9d049c83abff4843e0fab7f6cde552aef61e32a53d61e76f6c5adc3db25f
SHA512: 12752cdde51c29b3fb4afc16405881681f06e3f4abc8b4912c35f366af6d2bc84ae321110a6ee11f1b8d0ab557975c9892ca0977b149c59f24735c0076d33a38
SSDEEP: 12288:TGPoV34JStlA/afwCtrduIyCuUy21lbyOuJOmBws5o8pewY3:T0uqipuIySjQes5oSel
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID   Process
  2452  Tayz Woofer.exe
  2684  SecurityHealthService.exe

Loads dropped DLL (4 IoCs)
  PID   Process
  2100  abb84f7bbcc5585765153cd445c8c07d.exe
  2100  abb84f7bbcc5585765153cd445c8c07d.exe
  2440  Process not Found
  2100  abb84f7bbcc5585765153cd445c8c07d.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  Description      IoC                                                                                                                          Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LAN Monitor = "C:\\Program Files\\LAN Monitor\\lanmon.exe"  SecurityHealthService.exe

Checks whether UAC is enabled (1 IoCs)
  Description        IoC                                                                                Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SecurityHealthService.exe

Drops file in Program Files directory (2 IoCs)
  Description                   IoC                                        Process
  File created                  C:\Program Files\LAN Monitor\lanmon.exe    SecurityHealthService.exe
  File opened for modification  C:\Program Files\LAN Monitor\lanmon.exe    SecurityHealthService.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  2584  schtasks.exe
  2940  schtasks.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID   Process
  2684  SecurityHealthService.exe  (10 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID   Process
  2684  SecurityHealthService.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  2684  SecurityHealthService.exe
  Token: SeDebugPrivilege  2684  SecurityHealthService.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  Description                       PID   Process                               procid_target
  PID 2100 wrote to memory of 2452  2100  abb84f7bbcc5585765153cd445c8c07d.exe  28  (4 entries)
  PID 2100 wrote to memory of 2684  2100  abb84f7bbcc5585765153cd445c8c07d.exe  30  (4 entries)
  PID 2684 wrote to memory of 2584  2684  SecurityHealthService.exe             31  (3 entries)
  PID 2684 wrote to memory of 2940  2684  SecurityHealthService.exe             33  (3 entries)

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\abb84f7bbcc5585765153cd445c8c07d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\abb84f7bbcc5585765153cd445c8c07d.exe"
  PID: 2100
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Tayz Woofer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Tayz Woofer.exe"
    PID: 2452
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\SecurityHealthService.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecurityHealthService.exe"
    PID: 2684
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9425.tmp"
      PID: 2584
      - Creates scheduled task(s)

    C:\Windows\system32\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "LAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9628.tmp"
      PID: 2940
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 533KB
MD5: a632a39ffdce2f2de984c6992d188986
SHA1: 7a1bb8fea06c819b7e575f9ef431af09151837eb
SHA256: 6800905847788c228e211fd1086dad6a20aa745d1351c0bd43d5f89aa58b1c9e
SHA512: a7a6f0bc2448f3222652882893c9b14e21f073dce0dc0509c534bd0e1219a8860278be485a1b41333f7b9dc969431aacd54701f4ca7eb9d615ffdf192452244b

Filesize: 1KB
MD5: 03622b0c91662ec4ada74d25f655232f
SHA1: 7272a7d3acd8726fa58987ad322fa06ce7a23208
SHA256: 68a618959190a38c260d20dde35209ed7c8f8ef336c8f6af4abdf416ea2e8b67
SHA512: 6d6ddb25cf1a0793bcea2ce25e866db318400eef864c1608441c529ab094be604c9e98264219c933a2187ec63abc77124edddeb324744999872d150ce7e73dd2

Filesize: 1KB
MD5: 5ed3301e36e3359905df2c1d8fee55f9
SHA1: 87f3dd865a35a183a95b70670837aff59acab4c1
SHA256: b6b1ccf23addd989edab37c3c63997814126559be20653e5b219bfcb0afef0f8
SHA512: 5b2eaa5ad2f0cedb509b459407e0260bee6760cca7ca04f62afad6d5b2ae7dbdd19a443012e7d71476f5f6433a72d6c4b111580b7b592010c1e966155cd828a4

Filesize: 567KB
MD5: 8a172477569fd0f1b554ecaa42a59d9d
SHA1: 58adf1c1f27215d13e280364c15008df293d90fb
SHA256: 391915fb3b7aa3df83c7d95c0867e3d24ee8906e657344666bbd87ea4e61a82a
SHA512: 8aae52a6af70795cc938a7ad107bfa2ab383ea2f8f86777ac2084eba0bbac6175bbe432569a8706541122b9dc417748f5fe54e829ddd77be0b7a6b5c26999a85