Resubmissions
- 25-02-2024 04:58  240225-flvy1scg6z  10
- 23-02-2024 22:16  240223-165zyaab42  10
- 23-02-2024 14:27  240223-rsk8yaba65  10
Analysis
- max time kernel: 209s
- max time network: 212s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 25-02-2024 04:58
Behavioral task
- task: behavioral1
- Sample: NOT A VIRUS.exe
- Resource: win7-20240221-en
- 10 signatures
- 1200 seconds
General
- Target: NOT A VIRUS.exe
- Size: 214KB
- MD5: e431cae2c2e7c1d50e2264102d898310
- SHA1: 7eae6955815fda22dd9ed02302d5f0ca4596854f
- SHA256: ff86000c39c061650d004894837d8f618d0724ce3b2a2ef24072c784b2ceb67f
- SHA512: 74be155fefe642006b7df93aeef53ba34cb950d6172d40782de768ef7437061491b63e7950ef1038d8dbec70e60fa900ce212fd804fb9cb555f337176d99cb1c
- SSDEEP: 6144:4hQ9z8vM92B+64kQ2EJam2dNREz9FdOZMJwGuE4QyZom8exsrPR5TE7D0XuDTTo6:4hDs2B+64kQHam2dNREz9FdOZMJwGuEu
- Score: 7/10
Malware Config
Signatures
Drops startup file 3 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe (process: NOT A VIRUS.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url (process: NOT A VIRUS.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe (process: NOT A VIRUS.exe)

Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NOT A VIRUS.exe\" .." (process: NOT A VIRUS.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NOT A VIRUS.exe\" .." (process: NOT A VIRUS.exe)

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
- flow 11: 0.tcp.eu.ngrok.io
- flow 20: 0.tcp.eu.ngrok.io
- flow 32: 0.tcp.eu.ngrok.io
- flow 2: 0.tcp.eu.ngrok.io

Drops file in Program Files directory 1 IoCs
- File created: C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe (process: NOT A VIRUS.exe)

Kills process with taskkill 2 IoCs
- pid 3012: TASKKILL.exe
- pid 2852: TASKKILL.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
- pid 2864: NOT A VIRUS.exe (all 64 entries are identical)

Suspicious use of AdjustPrivilegeToken 55 IoCs
- Token: SeDebugPrivilege, pid 2864, NOT A VIRUS.exe
- Token: SeDebugPrivilege, pid 2852, TASKKILL.exe
- Token: SeDebugPrivilege, pid 3012, TASKKILL.exe
- Token: SeDebugPrivilege, pid 2792, taskmgr.exe
- Token: SeDebugPrivilege, pid 956, taskmgr.exe
- Token: SeDebugPrivilege, pid 1124, taskmgr.exe
- Token: SeDebugPrivilege, pid 1648, taskmgr.exe
- Token: 33, pid 2864, NOT A VIRUS.exe (repeated, alternating with the entry below, for the remaining entries)
- Token: SeIncBasePriorityPrivilege, pid 2864, NOT A VIRUS.exe (repeated, alternating with the entry above, for the remaining entries)

Suspicious use of FindShellTrayWindow 17 IoCs
- pid 2792: taskmgr.exe (13 entries)
- pid 1124: taskmgr.exe (3 entries)
- pid 1648: taskmgr.exe (1 entry)

Suspicious use of SendNotifyMessage 17 IoCs
- pid 2792: taskmgr.exe (13 entries)
- pid 1124: taskmgr.exe (3 entries)
- pid 1648: taskmgr.exe (1 entry)

Suspicious use of WriteProcessMemory 8 IoCs
- PID 2864 wrote to memory of 3012 (process: 2864 NOT A VIRUS.exe, procid_target 28) (4 entries)
- PID 2864 wrote to memory of 2852 (process: 2864 NOT A VIRUS.exe, procid_target 29) (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\NOT A VIRUS.exe"
  PID: 2864
  - Drops startup file
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\TASKKILL.exe
    command line: TASKKILL /F /IM wscript.exe
    PID: 3012
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\TASKKILL.exe
    command line: TASKKILL /F /IM cmd.exe
    PID: 2852
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2792
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 956
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1124
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1648
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2348
- C:\Windows\system32\verclsid.exe
  command line: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
  PID: 2988