Analysis
- max time kernel: 184s
- max time network: 209s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 06/01/2024, 10:48
Behavioral task: behavioral1
- Sample: a632a39ffdce2f2de984c6992d188986exe.exe
- Resource: win7-20231215-en
General
- Target: a632a39ffdce2f2de984c6992d188986exe.exe
- Size: 533KB
- MD5: a632a39ffdce2f2de984c6992d188986
- SHA1: 7a1bb8fea06c819b7e575f9ef431af09151837eb
- SHA256: 6800905847788c228e211fd1086dad6a20aa745d1351c0bd43d5f89aa58b1c9e
- SHA512: a7a6f0bc2448f3222652882893c9b14e21f073dce0dc0509c534bd0e1219a8860278be485a1b41333f7b9dc969431aacd54701f4ca7eb9d615ffdf192452244b
- SSDEEP: 12288:HLV6Btpmklh0YDwhTOSq5nyxUnfMgE9Pb/ji7u8LW:rApflh0Ik5vanhI/ku86
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PCI Manager = "C:\\Program Files\\PCI Manager\\pcimgr.exe"
  process: a632a39ffdce2f2de984c6992d188986exe.exe
Checks whether UAC is enabled (1 IoCs)
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: a632a39ffdce2f2de984c6992d188986exe.exe
Drops file in Program Files directory (2 IoCs)
  description: File created
  ioc: C:\Program Files\PCI Manager\pcimgr.exe
  process: a632a39ffdce2f2de984c6992d188986exe.exe
  description: File opened for modification
  ioc: C:\Program Files\PCI Manager\pcimgr.exe
  process: a632a39ffdce2f2de984c6992d188986exe.exe
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2628: schtasks.exe
  pid 2568: schtasks.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 2084: a632a39ffdce2f2de984c6992d188986exe.exe (6 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 2084: a632a39ffdce2f2de984c6992d188986exe.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege
  pid 2084: a632a39ffdce2f2de984c6992d188986exe.exe (2 identical entries)
Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 2084 wrote to memory of 2628
  pid 2084: a632a39ffdce2f2de984c6992d188986exe.exe, procid_target 29 (3 identical entries)
  description: PID 2084 wrote to memory of 2568
  pid 2084: a632a39ffdce2f2de984c6992d188986exe.exe, procid_target 32 (3 identical entries)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986exe.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a632a39ffdce2f2de984c6992d188986exe.exe"
   PID: 2084
   - Adds Run key to start application
   - Checks whether UAC is enabled
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\schtasks.exe (child of PID 2084)
      Command line: "schtasks.exe" /create /f /tn "PCI Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2971.tmp"
      PID: 2628
      - Creates scheduled task(s)
   2. C:\Windows\system32\schtasks.exe (child of PID 2084)
      Command line: "schtasks.exe" /create /f /tn "PCI Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp50B0.tmp"
      PID: 2568
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
- MD5: 476c6c8093867de65de595366be3af7f
- SHA1: ce589448fefb0f8f2b8a12e53268950dfcd74260
- SHA256: 6ac541e13827e456a1655a0d7d7a0ced95e80c9b21c531cd835cf533ba1445cf
- SHA512: 79026709ab928ca9a48c8233bdc44d45897445dc883fac224e0de260fe3bbbf77fb501e831f0a941fb736e2d974a86a59b12ab0f4fc250eecc81905bcaeaca4e