Analysis
Max time kernel: 32s
Max time network: 25s
Platform: windows11-21h2_x64
Resource: win11-20240221-en
Resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 05-04-2024 17:34
Behavioral task: behavioral1
Sample: RemBuild.exe
Resource: win11-20240221-en
Signatures: 5
Run time: 1800 seconds
General
Target: RemBuild.exe
Size: 483KB
MD5: 969cc7009c2bfae610c9f03fb1b62b6a
SHA1: fd4f4467cff9873582038665bfc2da97b5c7c6a2
SHA256: b6fa0443564d16a046341addae783cdd610aa5eace7135153c141eda7dc7fa64
SHA512: c080a1f6ffa0ff4991cce29f49e6e5c717d8bd99e0d5c1ee35ce68aa9780093130c3f0f15af67f53399759401d9889c28473c377f2b253b69ad9c5ec2ca01313
SSDEEP: 6144:WXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNS5Gv:WX7tPMK8ctGe4Dzl4h2QnuPs/ZDXcv
Score: 1/10
Malware Config
Signatures

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  Taskmgr.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  Taskmgr.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
  Taskmgr.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes:
  Taskmgr.exe (PID 3756): 13 identical IoC rows
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Taskmgr.exe (PID 3756): Token SeDebugPrivilege
  Taskmgr.exe (PID 3756): Token SeSystemProfilePrivilege
  Taskmgr.exe (PID 3756): Token SeCreateGlobalPrivilege
Suspicious use of FindShellTrayWindow (24 IoCs)
Processes:
  Taskmgr.exe (PID 3756): 24 identical IoC rows
Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
  Taskmgr.exe (PID 3756): 24 identical IoC rows
Processes

C:\Users\Admin\AppData\Local\Temp\RemBuild.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RemBuild.exe"
  PID: 2320

C:\Windows\System32\Taskmgr.exe
  Command line: "C:\Windows\System32\Taskmgr.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
  PID: 3756