Analysis
Max time kernel: 120s
Max time network: 154s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 27/01/2024, 20:32
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20231215-en
General
Target: tmp.exe
Size: 210KB
MD5: f598543eb3fca36826b95c8934c18440
SHA1: d01513a81db37519eaae0faa8e54ee194d73103c
SHA256: 1b0f0f68bba4c25b14187378bebf8db9dce85ec634e7375b53a287ad2dc12ea2
SHA512: dd971a469879b3c2b7c8b8f2edeca47ef9a0f6f12e788f3a3958f924b7f7442372ec8392e057489f32f12d35c456a8888e677d1995c0f1f68fd1272ed97dfe5a
SSDEEP: 6144:gLV6Bta6dtJmakIM5c/C++adghMiGFajp8:gLV6Btpmk7/Csdghbsn
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Monitor = "C:\\Program Files (x86)\\LAN Monitor\\lanmon.exe"  (process: tmp.exe)

Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (process: tmp.exe)

Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\LAN Monitor\lanmon.exe  (process: tmp.exe)
  File opened for modification: C:\Program Files (x86)\LAN Monitor\lanmon.exe  (process: tmp.exe)

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2736  schtasks.exe
  PID 2784  schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 2884  tmp.exe  (4 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2884  tmp.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 2884  tmp.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2884 (tmp.exe) wrote to memory of PID 2736  procid_target 28  (4 occurrences)
  PID 2884 (tmp.exe) wrote to memory of PID 2784  procid_target 30  (4 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe  (PID 2884)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (PID 2736, child of 2884)
    Command line: "schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7A5E.tmp"
    - Creates scheduled task(s)

  C:\Windows\SysWOW64\schtasks.exe  (PID 2784, child of 2884)
    Command line: "schtasks.exe" /create /f /tn "LAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7C62.tmp"
    - Creates scheduled task(s)
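The signatures and process tree above describe one dropper pattern: a binary running from %TEMP% checks EnableLUA, writes lanmon.exe into Program Files (x86), sets a Run value under Wow6432Node and registers two scheduled tasks through schtasks.exe /create /xml with task definitions in Temp files. The detection logic below is an added example, not part of this sandbox report or its tooling. The events are constructed from the report's own IoCs; the Sysmon-style field names (type, pid, ppid, image, cmdline, key, value, path), the rule names and the hypothetical event schema are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed events modelled on this report's process tree and signature IoCs.
# The Sysmon-style field names are an assumption for this example, not the
# sandbox's own schema.
EVENTS = [
    {"type": "process", "pid": 2884, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmp.exe"'},
    {"type": "registry_query", "pid": 2884,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "file_create", "pid": 2884,
     "path": r"C:\Program Files (x86)\LAN Monitor\lanmon.exe"},
    {"type": "registry_set", "pid": 2884,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Monitor",
     "value": r"C:\Program Files (x86)\LAN Monitor\lanmon.exe"},
    {"type": "process", "pid": 2736, "ppid": 2884,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7A5E.tmp"'},
    {"type": "process", "pid": 2784, "ppid": 2884,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "LAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7C62.tmp"'},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PROGFILES_RE = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\", re.IGNORECASE)
RUNKEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SCHTASKS_VALUE_OPTS = {"/tn", "/xml", "/tr", "/sc", "/ru", "/st", "/mo", "/rl"}


def split_cmdline(cmdline):
    """Tokenise a Windows command line, honouring double quotes.
    shlex is avoided on purpose: in POSIX mode it eats the backslashes in paths."""
    return [q if q else u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Options of a schtasks invocation as a dict, or None if not schtasks."""
    toks = split_cmdline(cmdline)
    if not toks:
        return None
    exe = toks[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ("/create", "/delete", "/change", "/run", "/end", "/query"):
            opts["verb"] = t[1:]
        elif t == "/f":
            opts["force"] = True
        elif t in SCHTASKS_VALUE_OPTS and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]
            i += 1
        i += 1
    return opts


def detect(events):
    """Four checks over the events. Each finding carries the pid that produced
    the event and the 'actor' it is attributed to (the parent for schtasks)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    def in_temp(pid):
        p = procs.get(pid)
        return bool(p and TEMP_RE.search(p["image"]))

    findings = []
    for e in events:
        pid, kind = e["pid"], e["type"]
        if kind == "process":
            o = parse_schtasks(e["cmdline"])
            if o and o.get("verb") == "create" and (TEMP_RE.search(o.get("xml", "")) or in_temp(e["ppid"])):
                findings.append({"rule": "schtasks_create_from_temp", "pid": pid, "actor": e["ppid"],
                                 "detail": {"task": o.get("tn"), "xml": o.get("xml"), "force": o.get("force", False)}})
        elif kind == "registry_set" and RUNKEY_RE.search(e["key"]) and in_temp(pid):
            findings.append({"rule": "run_key_from_temp", "pid": pid, "actor": pid,
                             "detail": {"key": e["key"], "value": e["value"],
                                        "wow64": "\\Wow6432Node\\" in e["key"]}})
        elif kind == "file_create" and PROGFILES_RE.match(e["path"]) and in_temp(pid):
            findings.append({"rule": "drop_in_program_files", "pid": pid, "actor": pid,
                             "detail": {"path": e["path"]}})
        elif kind == "registry_query" and e["key"].lower().endswith(r"\policies\system\enablelua"):
            findings.append({"rule": "uac_status_check", "pid": pid, "actor": pid,
                             "detail": {"key": e["key"]}})
    return findings


def persistence_chain(findings):
    """Actor pid -> set of rules it tripped. One process hitting drop + Run key
    + scheduled task is the dropper pattern, not three unrelated alerts."""
    chain = defaultdict(set)
    for f in findings:
        chain[f["actor"]].add(f["rule"])
    return dict(chain)


def iocs(findings):
    """Host-hunting artefacts: task names, Run-key targets, dropped files."""
    out = {"tasks": [], "run_values": [], "files": []}
    for f in findings:
        d = f["detail"]
        if f["rule"] == "schtasks_create_from_temp":
            out["tasks"].append(d["task"])
        elif f["rule"] == "run_key_from_temp":
            out["run_values"].append(d["value"])
        elif f["rule"] == "drop_in_program_files":
            out["files"].append(d["path"])
    return out


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f["rule"], f["pid"], f["detail"])
    print(persistence_chain(found))
    print(iocs(found))
```

Two points the correlation relies on: the Wow6432Node path means the writer was a 32-bit process under registry redirection on x64 (consistent with the SysWOW64 schtasks.exe in the tree), so a hunt on a live host has to check both the native and the Wow6432Node Run keys; and with /xml the task action is in the XML file, not on the command line, so the Temp file named there is what to collect before it is deleted.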
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: 3f4dcafa44c36f23e4db2b2315fd09da
  SHA1: 8c83089d6f6c887a77af9b42ca09969f3b2f83f6
  SHA256: b8475eb97200b8a15eaf07e0a2cddc5c95e5bc3e7a98685364c9796480de57dc
  SHA512: e0624dd6cf0d5e014e96a323d2f7ebe13b683af71bd6ddafa3005cdc2f3c764cfca509262d442fc844b4b390d241ccf3eb36d30043d3d6f6e955a2ee9f792678

- Filesize: 1KB
  MD5: ecf141ec69adbb2a5c3dd5c85cd0ec39
  SHA1: 0ad224632fa58d103142c05c44a142f3d7208291
  SHA256: 64d8cfa0b25afee269839cd5fc0b66e5643bc318e5f4d3ce1b9dba2456c83316
  SHA512: 4821b062d6672f3ed07833cfd7ab9abb533850b451b632d781fbfad8238fcd5ac52855f1f239547ae2d1c1477959f022430302a75cfd3c19a8473af72a1ef201