Analysis
-
max time kernel
88s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system -
submitted
27/01/2024, 20:32
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20231215-en
General
-
Target
tmp.exe
-
Size
210KB
-
MD5
f598543eb3fca36826b95c8934c18440
-
SHA1
d01513a81db37519eaae0faa8e54ee194d73103c
-
SHA256
1b0f0f68bba4c25b14187378bebf8db9dce85ec634e7375b53a287ad2dc12ea2
-
SHA512
dd971a469879b3c2b7c8b8f2edeca47ef9a0f6f12e788f3a3958f924b7f7442372ec8392e057489f32f12d35c456a8888e677d1995c0f1f68fd1272ed97dfe5a
-
SSDEEP
6144:gLV6Bta6dtJmakIM5c/C++adghMiGFajp8:gLV6Btpmk7/Csdghbsn
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe" | Process: tmp.exe
-
Checks whether UAC is enabled 1 IoCs
description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process: tmp.exe
-
Drops file in Program Files directory 2 IoCs
description: File created | ioc: C:\Program Files (x86)\SMTP Subsystem\smtpss.exe | Process: tmp.exe
description: File opened for modification | ioc: C:\Program Files (x86)\SMTP Subsystem\smtpss.exe | Process: tmp.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid: 2792 | Process: schtasks.exe
pid: 1360 | Process: schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid: 3056 | Process: tmp.exe (6 identical events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid: 3056 | Process: tmp.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description: Token: SeDebugPrivilege | pid: 3056 | Process: tmp.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description: PID 3056 wrote to memory of 2792 | pid: 3056 | Process: tmp.exe | procid_target: 88 (3 events)
description: PID 3056 wrote to memory of 1360 | pid: 3056 | Process: tmp.exe | procid_target: 91 (3 events)
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  tree depth: 1
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
-
C:\Windows\SysWOW64\schtasks.exe
  command line: "schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp41FA.tmp"
  tree depth: 2 (child of PID 3056)
- Creates scheduled task(s)
PID:2792
-
C:\Windows\SysWOW64\schtasks.exe
  command line: "schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4259.tmp"
  tree depth: 2 (child of PID 3056)
- Creates scheduled task(s)
PID:1360
-
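The two persistence mechanisms in the process tree above (an HKLM Run key written by a binary executing from the user's Temp directory, and schtasks.exe /create importing task XML from that same Temp directory) translate directly into detection logic. The following is an added example, not part of the Triage report or of the sample: it replays constructed events modelled on the report's IoCs, plus two constructed benign controls, through three rules and attributes every hit to the PID that caused it. The event field names (type, image, command_line, key, data, pid, parent_pid) are assumptions standing in for whatever your Sysmon or EDR pipeline emits; map them accordingly.

```python
import re
from collections import defaultdict

# Constructed events mirroring the report's process tree and registry IoCs
# (not exported from the sandbox). Field names are an assumption; map them
# from your schema, e.g. Sysmon EID 1 -> process_create, EID 13 -> registry_set.
EVENTS = [
    {"type": "registry_query", "pid": 3056, "parent_pid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmp.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "registry_set", "pid": 3056, "parent_pid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmp.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem",
     "data": r"C:\Program Files (x86)\SMTP Subsystem\smtpss.exe"},
    {"type": "process_create", "pid": 2792, "parent_pid": 3056,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "command_line": r'"schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp41FA.tmp"'},
    {"type": "process_create", "pid": 1360, "parent_pid": 3056,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "command_line": r'"schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4259.tmp"'},
    # Constructed benign controls: an installer under Program Files registering
    # a Run key, and an admin importing a task definition from ProgramData.
    {"type": "registry_set", "pid": 5000, "parent_pid": 800,
     "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "data": r"C:\Program Files\Vendor\tray.exe"},
    {"type": "process_create", "pid": 5100, "parent_pid": 5050,
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /tn "Nightly Backup" /xml C:\ProgramData\Backup\nightly.xml'},
]

# Run/RunOnce under HKLM or HKU, with or without the WOW6432Node redirection a
# 32-bit process (as here, running from SysWOW64) lands in.
RUN_KEY_RE = re.compile(
    r"^\\REGISTRY\\(?:MACHINE|USER\\[^\\]+)\\SOFTWARE\\(?:WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
ENABLE_LUA_RE = re.compile(r"\\Policies\\System\\EnableLUA$", re.IGNORECASE)
SCHTASKS_XML_RE = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)  # quoted or bare path


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_schtasks_xml_from_temp(ev):
    """schtasks.exe /create importing a task definition from a user Temp directory.
    Attributed to the parent, which is the process that staged the XML."""
    if ev["type"] != "process_create" or basename(ev["image"]) != "schtasks.exe":
        return None
    cmd = ev["command_line"]
    if not re.search(r"(?i)(^|\s)/create(\s|$)", cmd):
        return None
    m = SCHTASKS_XML_RE.search(cmd)
    if not m:
        return None
    xml_path = m.group(1) or m.group(2)
    if not USER_TEMP_RE.match(xml_path):
        return None
    return {"rule": "schtasks_xml_from_temp", "actor_pid": ev["parent_pid"], "detail": xml_path}


def rule_run_key_from_temp_binary(ev):
    """A Run/RunOnce value set by a binary that is itself executing from Temp."""
    if ev["type"] != "registry_set" or not RUN_KEY_RE.match(ev["key"]):
        return None
    if not USER_TEMP_RE.match(ev["image"]):
        return None
    return {"rule": "run_key_from_temp_binary", "actor_pid": ev["pid"],
            "detail": f'{ev["key"]} = {ev["data"]}'}


def rule_uac_status_check(ev):
    """Low-signal alone: a Temp-resident binary reading EnableLUA. Kept as context
    so it can be correlated with the two persistence rules."""
    if ev["type"] != "registry_query" or not ENABLE_LUA_RE.search(ev["key"]):
        return None
    if not USER_TEMP_RE.match(ev["image"]):
        return None
    return {"rule": "uac_status_check", "actor_pid": ev["pid"], "detail": ev["key"]}


RULES = (rule_schtasks_xml_from_temp, rule_run_key_from_temp_binary, rule_uac_status_check)


def detect(events):
    """Run every rule over every event; return the list of hits in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


def persistence_by_actor(findings):
    """Group rule names by the PID responsible, so one process producing a UAC
    check, a Run key and a Temp-sourced scheduled task stands out as a cluster."""
    by_actor = defaultdict(set)
    for f in findings:
        by_actor[f["actor_pid"]].add(f["rule"])
    return dict(by_actor)


if __name__ == "__main__":
    hits = detect(EVENTS)
    for h in hits:
        print(f'{h["rule"]:26} actor={h["actor_pid"]} {h["detail"]}')
    print(persistence_by_actor(hits))
```

Run against the constructed events, only PID 3056 is attributed any hits; the Program Files installer and the ProgramData task import pass both persistence rules. The EnableLUA read fires on plenty of legitimate installers, which is why the grouping step matters more than the individual rule: the alert-worthy pattern is a single Temp-resident process producing the UAC check, the Run key and a scheduled task whose definition came from a temporary file. Note also that both sandbox tasks were created with /f, so an existing task of the same name would be overwritten silently; that is a reason to alert on task creation, not only on first appearance of a task name.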
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 3f4dcafa44c36f23e4db2b2315fd09da
SHA1 8c83089d6f6c887a77af9b42ca09969f3b2f83f6
SHA256 b8475eb97200b8a15eaf07e0a2cddc5c95e5bc3e7a98685364c9796480de57dc
SHA512 e0624dd6cf0d5e014e96a323d2f7ebe13b683af71bd6ddafa3005cdc2f3c764cfca509262d442fc844b4b390d241ccf3eb36d30043d3d6f6e955a2ee9f792678
-
Filesize
1KB
MD5 0339b45ef206f4becc88be0d65e24b9e
SHA1 6503a1851f4ccd8c80a31f96bd7ae40d962c9fad
SHA256 3d568a47a8944a47f4aed6982755ac7ff7dda469cc1c81c213ecaa5d89de1f83
SHA512 c98f4513db34d50510dd986e0d812545c442bd5bef26932032b165759627fab4e00c95fe907ab3416a8a1042bfa77aa516c479f1ff7d1ec2f21ae66df8f72551