fd32bb08f111458f0b03f95e2b1a1f386192c8ed22afd0ac7c97888c985e69e3

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MaddStress.exe
Size

294KB
MD5

acd99287b8b4b7fffe593bb90a2496f5
SHA1

16c63c1f1cddec362355c7657aa3b7b8817f5972
SHA256

07d774984471629b80bd093794d3de79e0b26c2ac81765e56b8b9fc4ec76d532
SHA512

0c561d4f8d62c0502ea0177b9c621129a4fb056a14de0d9fca0526389ed46259dc5aa400fa9172f26df8428107005ee507dd0a683f60c0fddc87e1714826057f
SSDEEP

3072:ina50wvLAA2Hd2/U98uCarsim/ttmOq3UpKx7mdSSQJDd8ZmnmNQPrY/gAFB3cF1:PAiXQNd8cmbwpkni5Hq

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MaddStress.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MaddStress.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
3320	MaddStress.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3320	MaddStress.exe
Token: SeDebugPrivilege	4964	taskmgr.exe
Token: SeSystemProfilePrivilege	4964	taskmgr.exe
Token: SeCreateGlobalPrivilege	4964	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\MaddStress.exe
"C:\Users\Admin\AppData\Local\Temp\MaddStress.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1724

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DrWeabo_Inc\MaddStress.exe_Url_m54fpvtmfkxlt4ulvef2d5cxirc15btn\0.0.4.0\user.config

Filesize
1KB

MD5
c6dc00f74ab0acf4841a41e5696477d2

SHA1
cd2cee8c267f5d909d3e249301993b4286d1acfd

SHA256
bc8d2f6e92087bcf2008d2ba7f760e8cce1396b206cbca3022e495f976017dbd

SHA512
a27e08e7b7582724f4ee351441177f33dc7f84672fad788ce9f7e21ea784ecf48e8cc7e8e6a5bdf638b7bbc65b131968df347040463bd8776f1bbc4176e40fd5

Download Submit
C:\Users\Admin\AppData\Local\DrWeabo_Inc\MaddStress.exe_Url_m54fpvtmfkxlt4ulvef2d5cxirc15btn\0.0.4.0\user.config

Filesize
2KB

MD5
ddcc161f19fdb411fae1629fad08a2df

SHA1
eacbe2ff6c2848bea403ab45f0bf48548f84a25a

SHA256
cc4316ca6ac9532b68adde61ecc631691531e4216f9e4981dfdf47ad94d99d2e

SHA512
2325926b8d211127c034079bf93a503e447b185814186d0c9393d26a9d870062e628bb0740cea9c35ecbbf46acebb9e50c9ae8fe5cebb569be6286b613ef8988

Download Submit
memory/3320-7-0x0000000005310000-0x0000000005366000-memory.dmp

Filesize
344KB

Download
memory/3320-4-0x00000000050C0000-0x0000000005152000-memory.dmp

Filesize
584KB

Download
memory/3320-1-0x0000000005020000-0x00000000050BC000-memory.dmp

Filesize
624KB

Download
memory/3320-38-0x0000000008DF0000-0x0000000008E56000-memory.dmp

Filesize
408KB

Download
memory/3320-6-0x0000000004FE0000-0x0000000004FEA000-memory.dmp

Filesize
40KB

Download
memory/3320-0-0x00000000005B0000-0x0000000000600000-memory.dmp

Filesize
320KB

Download
memory/3320-8-0x0000000005520000-0x000000000563A000-memory.dmp

Filesize
1.1MB

Download
memory/3320-9-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/3320-10-0x0000000006080000-0x0000000006202000-memory.dmp

Filesize
1.5MB

Download
memory/3320-11-0x0000000005640000-0x0000000005672000-memory.dmp

Filesize
200KB

Download
memory/3320-12-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/3320-13-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/3320-2-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/3320-3-0x0000000005670000-0x0000000005C14000-memory.dmp

Filesize
5.6MB

Download
memory/3320-5-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/3320-40-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/4964-41-0x0000018ABF3F0000-0x0000018ABF3F1000-memory.dmp

Filesize
4KB

Download
memory/4964-42-0x0000018ABF3F0000-0x0000018ABF3F1000-memory.dmp

Filesize
4KB

Download
memory/4964-43-0x0000018ABF3F0000-0x0000018ABF3F1000-memory.dmp

Filesize
4KB

Download
memory/4964-51-0x0000018ABF3F0000-0x0000018ABF3F1000-memory.dmp

Filesize
4KB

Download
memory/4964-50-0x0000018ABF3F0000-0x0000018ABF3F1000-memory.dmp

Filesize
4KB

Download
memory/4964-49-0x0000018ABF3F0000-0x0000018ABF3F1000-memory.dmp

Filesize
4KB

Download
memory/4964-48-0x0000018ABF3F0000-0x0000018ABF3F1000-memory.dmp

Filesize
4KB

Download
memory/4964-47-0x0000018ABF3F0000-0x0000018ABF3F1000-memory.dmp

Filesize
4KB

Download
memory/4964-52-0x0000018ABF3F0000-0x0000018ABF3F1000-memory.dmp

Filesize
4KB

Download
memory/4964-53-0x0000018ABF3F0000-0x0000018ABF3F1000-memory.dmp

Filesize
4KB

Download