Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
03-03-2024 23:16
Static task
static1
Behavioral task
behavioral1
Sample
b0a383649505829364efcbf05d137cb6.exe
Resource
win7-20240220-en
General
-
Target
b0a383649505829364efcbf05d137cb6.exe
-
Size
52KB
-
MD5
b0a383649505829364efcbf05d137cb6
-
SHA1
94339534d586146aef7d328dd857813251973b34
-
SHA256
d717c14daab8c2ca198c247568f63fe92448f104588545c9f689603551d0251b
-
SHA512
0bbd1381a1f5d022c499beacc74db3553e6fb8b05f6499705e9ea66b25ebc14faa98424067365bd30ded69ece1d0bc7eb1db54d2b4ab9c3262a4a0a0b6c336ec
-
SSDEEP
384:Yiraroxo8brZBJGAvveCnu9wB1jxA4WnAW:YEbvJv490C
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2796 SecurityHealth.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1712 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2728 timeout.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1708 b0a383649505829364efcbf05d137cb6.exe 1708 b0a383649505829364efcbf05d137cb6.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1708 b0a383649505829364efcbf05d137cb6.exe Token: SeDebugPrivilege 2796 SecurityHealth.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1708 wrote to memory of 2608 1708 b0a383649505829364efcbf05d137cb6.exe 28 PID 1708 wrote to memory of 2608 1708 b0a383649505829364efcbf05d137cb6.exe 28 PID 1708 wrote to memory of 2608 1708 b0a383649505829364efcbf05d137cb6.exe 28 PID 1708 wrote to memory of 2660 1708 b0a383649505829364efcbf05d137cb6.exe 30 PID 1708 wrote to memory of 2660 1708 b0a383649505829364efcbf05d137cb6.exe 30 PID 1708 wrote to memory of 2660 1708 b0a383649505829364efcbf05d137cb6.exe 30 PID 2608 wrote to memory of 1712 2608 cmd.exe 32 PID 2608 wrote to memory of 1712 2608 cmd.exe 32 PID 2608 wrote to memory of 1712 2608 cmd.exe 32 PID 2660 wrote to memory of 2728 2660 cmd.exe 33 PID 2660 wrote to memory of 2728 2660 cmd.exe 33 PID 2660 wrote to memory of 2728 2660 cmd.exe 33 PID 2660 wrote to memory of 2796 2660 cmd.exe 34 PID 2660 wrote to memory of 2796 2660 cmd.exe 34 PID 2660 wrote to memory of 2796 2660 cmd.exe 34 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0a383649505829364efcbf05d137cb6.exe"C:\Users\Admin\AppData\Local\Temp\b0a383649505829364efcbf05d137cb6.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SecurityHealth" /tr '"C:\Users\Admin\AppData\Roaming\Security\SecurityHealth.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "SecurityHealth" /tr '"C:\Users\Admin\AppData\Roaming\Security\SecurityHealth.exe"'3⤵
- Creates scheduled task(s)
PID:1712
-
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6EE9.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:2728
-
-
C:\Users\Admin\AppData\Roaming\Security\SecurityHealth.exe"C:\Users\Admin\AppData\Roaming\Security\SecurityHealth.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
167B
MD56f436fe3d3648464156ceb272f76d6ee
SHA1f1e9b2fbe22d950ebe60065d9fdcc02afb817cb9
SHA2562e9a8d04e347d6292b2b910abb9274f4fd366802cc081540e65494ae841068ed
SHA51248038733304a3b7d77e35ca7d7a2bc0ce50a45f9182cbe0a66ae4fe4708276a1fda2b37b1b0312802b537533bdc8046a5fdcbc20f97c3afeb6a3b79245e93aef
-
Filesize
52KB
MD5b0a383649505829364efcbf05d137cb6
SHA194339534d586146aef7d328dd857813251973b34
SHA256d717c14daab8c2ca198c247568f63fe92448f104588545c9f689603551d0251b
SHA5120bbd1381a1f5d022c499beacc74db3553e6fb8b05f6499705e9ea66b25ebc14faa98424067365bd30ded69ece1d0bc7eb1db54d2b4ab9c3262a4a0a0b6c336ec