dd3e0029349bfba1e82fbb012bca02799a6da90f35f2691f3cee21f10e8b0bc5

Analysis

max time kernel
315s
max time network
1614s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
24/02/2024, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

flxtra_beta_.exe
Size

1.1MB
MD5

c19b8fb3599ccc75cc3950d12595b619
SHA1

96a216da7575d751c565d8699eb5338ef7a2e4fb
SHA256

dd3e0029349bfba1e82fbb012bca02799a6da90f35f2691f3cee21f10e8b0bc5
SHA512

da3046672d93beaf0e2bba326011ff7eba10f19b3f6f551b1218972a9bac386728d9c23d87591551ca028c2c37fedf9764b741a5e52f991e6d9854ae298a3593
SSDEEP

24576:kbv5T+JoPIN7DuQXEJj77fvHdHSWfbem40UKM4n7JBG:kb5T+JKa76EEJr9SWfim40

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	taskmgr.exe
Token: SeSystemProfilePrivilege	4784	taskmgr.exe
Token: SeCreateGlobalPrivilege	4784	taskmgr.exe
Token: 33	4784	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4784	taskmgr.exe
Token: SeDebugPrivilege	4140	taskmgr.exe
Token: SeSystemProfilePrivilege	4140	taskmgr.exe
Token: SeCreateGlobalPrivilege	4140	taskmgr.exe
Token: 33	4140	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4140	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\flxtra_beta_.exe
"C:\Users\Admin\AppData\Local\Temp\flxtra_beta_.exe"
1⤵
PID:3972

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:216

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4784

C:\Windows\System32\tjbbns.exe
"C:\Windows\System32\tjbbns.exe"
1⤵
PID:2136

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
88d1a08654eada219625b6cf26a7e529

SHA1
470a770dddcabd536a7b47ccb2cde54df83530cd

SHA256
f3bc439681f579d52d28e715f12c408174a1b1797f0d381391b3a1a64d5a66f9

SHA512
8322dafe790901ead1d8763cc83e31f6350ad0edd8bdc49e0e020183879ea4e7fa6762b18c26aa5b08a05d0c07d3509fff9595edace88300d6faad09a7a9813a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\3877292338.pri

Filesize
162KB

MD5
0d02b03a068d671348931cc20c048422

SHA1
67b6deacf1303acfcbab0b158157fdc03a02c8d5

SHA256
44f4263d65889ea8f0db3c6e31a956a4664e9200aba2612c9be7016feeb323c0

SHA512
805e7b4fafed39dec5ecc2ede0c65b6e103e6757e0bd43ecdce7c00932f59e3e7a68d2ea0818244dfeb691b022c1ccca590a3f4239f99e1cd8a29ba66daed358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\810424605.pri

Filesize
2KB

MD5
a2942665b12ed000cd2ac95adef8e0cc

SHA1
ac194f8d30f659131d1c73af8d44e81eccab7fde

SHA256
bdc5de6c42c523a333c26160d212c62385b03f5ebdae5aa8c5d025ff3f8aa374

SHA512
4e5ba962ba97656974c390b45302d60f4c82d604feb6199d44e80497a40d0b0a9fd119ca17ac184809ca0821ab6813292892c433ed7277f65c275f37a96070b9

Download Submit