Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-04-2024 01:01
Behavioral task: behavioral1
Sample: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
Resource: win7-20240221-en
General
Target: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
Size: 203KB
MD5: 07d9144c3b3cfe44c24f850a74faaacc
SHA1: 1df82c6dbe192d9f78e137bb96c499fd5f0c93a5
SHA256: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0
SHA512: 39120f944f46dfa34f0d4a2e59a9bdb74a76d9f69b55c054969a96666b0366651bcc2a0ab4a48f3243a2046e961f43fba5e13d5b04248eeae0f86b7428133584
SSDEEP: 6144:sLV6Bta6dtJmakIM51O3JM1fMKQqa7FPp0k4v:sLV6BtpmkBGpC78v
Malware Config
Signatures
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Service = "C:\\Program Files (x86)\\PCI Service\\pcisv.exe"
  process: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
-
Checks whether UAC is enabled (1 IoCs)
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 36 IoCs)
Processes:
  ioc: 0.tcp.eu.ngrok.io
  flows (36, listed in ascending order): 17, 39, 42, 47, 52, 54, 58, 62, 69, 77, 79, 81, 84, 86, 88, 94, 102, 106, 108, 113, 115, 117, 119, 122, 135, 137, 139, 141, 143, 145, 147, 149, 155, 157, 159, 161
-
Drops file in Program Files directory (2 IoCs)
Processes:
  description: File created
  ioc: C:\Program Files (x86)\PCI Service\pcisv.exe
  process: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe

  description: File opened for modification
  ioc: C:\Program Files (x86)\PCI Service\pcisv.exe
  process: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
-
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid: 3020  process: schtasks.exe
  pid: 320   process: schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid: 4984  process: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
  pid: 4984  process: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
  pid: 4984  process: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid: 4984  process: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeDebugPrivilege
  pid: 4984
  process: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description: PID 4984 wrote to memory of 3020  pid: 4984  process: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe  target process: schtasks.exe
  description: PID 4984 wrote to memory of 3020  pid: 4984  process: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe  target process: schtasks.exe
  description: PID 4984 wrote to memory of 3020  pid: 4984  process: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe  target process: schtasks.exe
  description: PID 4984 wrote to memory of 320   pid: 4984  process: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe  target process: schtasks.exe
  description: PID 4984 wrote to memory of 320   pid: 4984  process: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe  target process: schtasks.exe
  description: PID 4984 wrote to memory of 320   pid: 4984  process: 4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe  target process: schtasks.exe
Processes
C:\Users\Admin\AppData\Local\Temp\4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe (PID: 4984)
  command line: "C:\Users\Admin\AppData\Local\Temp\4cef1677e5e896054778060ec165cb35bcc4c923a38ea7eea43609dea20492f0.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe (PID: 3020)
    command line: "schtasks.exe" /create /f /tn "PCI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6FF0.tmp"
    - Creates scheduled task(s)
  C:\Windows\SysWOW64\schtasks.exe (PID: 320)
    command line: "schtasks.exe" /create /f /tn "PCI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp704F.tmp"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: 9913e267519b245bd05576cd155e618b
SHA1: f9988cc21222e156d8df51cc1c67ff394e0baa9a
SHA256: db8d12fa91ed89d361af77401bd08785c5b7d538627fe2591c69ad675daee81d
SHA512: fec48c5fec8a03bc55ff319580a512fcbe476d309cfb4dc8563f3cf5266a68418b8a200a2e6f0fb1131c936f6a9d79cdb0ba72e6f225c36921c6188021acd882
-
Filesize: 1KB
MD5: bbb0d424bb7cb3b0e6aeb68cf82b8f5f
SHA1: 7e95dcd21a27ee53e5c23ed5a163df56a43d572a
SHA256: 08d6bee474edf0151a0d8ff942ba9e6a1efe069585c63477abd1c7bd8046e130
SHA512: 0dc790a415f9717f6e7633c1d5f2749a2eca5582c5bbe114119c3ddba6d4e4d0df48029622e2fe07f94d8ae97c334b88691b7721da50ada261449769ae31d466