Analysis
-
max time kernel
32s -
max time network
33s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06/04/2024, 14:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
rundll32.exe
Resource
win7-20240221-en
windows7-x64
0 signatures
300 seconds
Behavioral task
behavioral2
Sample
rundll32.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
300 seconds
Behavioral task
behavioral3
Sample
rundll32.exe
Resource
win11-20240221-en
windows11-21h2-x64
0 signatures
300 seconds
General
-
Target
rundll32.exe
-
Size
70KB
-
MD5
100f56a73211e0b2bcd076a55e6393fd
-
SHA1
2576c63f45fbe13dbdc619c39124fade94e002d0
-
SHA256
00be065f405e93233cc2f0012defdcbb1d6817b58969d5ffd9fd72fc4783c6f4
-
SHA512
43f515356a073effebeeb723b4439fa6235619e2a96206290fb3c6c888395d8cc6a03347367d222a71c8492a66e586d48ad48095f75260bc3182ba72097781da
-
SSDEEP
1536:P8qpnO/qRUNReI3fu6Uw2mTARdw2nm2/Rcln5IUmDjoX:o/YUNRBfukTpZsRcln5I
Score
1/10
Malware Config
Signatures
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 5056 taskmgr.exe Token: SeSystemProfilePrivilege 5056 taskmgr.exe Token: SeCreateGlobalPrivilege 5056 taskmgr.exe -
Suspicious use of FindShellTrayWindow 29 IoCs
pid Process 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe -
Suspicious use of SendNotifyMessage 29 IoCs
pid Process 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\rundll32.exe"C:\Users\Admin\AppData\Local\Temp\rundll32.exe"1⤵PID:4020
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5056