Analysis
-
max time kernel
209s -
max time network
193s -
platform
windows10-1703_x64 -
resource
win10-20231215-en -
resource tags
arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system -
submitted
01-02-2024 22:51
Static task
static1
Behavioral task
behavioral1
Sample
6.txt
Resource
win10-20231215-en
windows10-1703-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
6.txt
Resource
win10v2004-20231215-en
windows10-2004-x64
1 signatures
150 seconds
General
-
Target
6.txt
-
Size
13KB
-
MD5
557d6800e7d26267c7b4416d5aa514ad
-
SHA1
2c335ad989c6490603d22bdd32f90e0407416416
-
SHA256
53a1e26cbf460dd0b4fa92fbab79bb6adea6eee391bd2dce7b8c292577c5c91d
-
SHA512
549db299c25ec4a48cd893b2aac04748b3b56c4ddc15e3261bebd0b5f1a174b6d5b4d36758438b79166c6144cf9afb3a2867baf214d93225d4ff455f912bcdae
-
SSDEEP
192:uJMUqXIW2TClpMsb+QMU3tDP0corSCrVau1VCaQEhT/G3HL6gkoqa3HBK:aM//jbMsbKcBP0XS8R+3HLDk1SHBK
Score
4/10
Malware Config
Signatures
-
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rescache\_merged\4183903823\810424605.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\3877292338.pri taskmgr.exe File created C:\Windows\rescache\_merged\4183903823\810424605.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\3877292338.pri taskmgr.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 4340 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 1432 taskmgr.exe Token: SeSystemProfilePrivilege 1432 taskmgr.exe Token: SeCreateGlobalPrivilege 1432 taskmgr.exe Token: 33 1432 taskmgr.exe Token: SeIncBasePriorityPrivilege 1432 taskmgr.exe Token: SeDebugPrivilege 3952 taskmgr.exe Token: SeSystemProfilePrivilege 3952 taskmgr.exe Token: SeCreateGlobalPrivilege 3952 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 4340 NOTEPAD.EXE 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 1432 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe 3952 taskmgr.exe
Processes
-
C:\Windows\system32\NOTEPAD.EXEC:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\6.txt1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:4340
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1432
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3952
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
162KB
MD50d02b03a068d671348931cc20c048422
SHA167b6deacf1303acfcbab0b158157fdc03a02c8d5
SHA25644f4263d65889ea8f0db3c6e31a956a4664e9200aba2612c9be7016feeb323c0
SHA512805e7b4fafed39dec5ecc2ede0c65b6e103e6757e0bd43ecdce7c00932f59e3e7a68d2ea0818244dfeb691b022c1ccca590a3f4239f99e1cd8a29ba66daed358
-
Filesize
2KB
MD5a2942665b12ed000cd2ac95adef8e0cc
SHA1ac194f8d30f659131d1c73af8d44e81eccab7fde
SHA256bdc5de6c42c523a333c26160d212c62385b03f5ebdae5aa8c5d025ff3f8aa374
SHA5124e5ba962ba97656974c390b45302d60f4c82d604feb6199d44e80497a40d0b0a9fd119ca17ac184809ca0821ab6813292892c433ed7277f65c275f37a96070b9