Analysis
- max time kernel: 114s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-04-2024 21:07
Behavioral task: behavioral1
- Sample: Test.exe
- Resource: win7-20240221-en
- Platform: windows7-x64
- 6 signatures
- 150 seconds
General
- Target: Test.exe
- Size: 202KB
- MD5: fefa64c75ac254a35e30ac86cc7642db
- SHA1: 8ea2327ce80327997523fb956b38cbf61554d675
- SHA256: b29c1555150098ca7885ddd1f406b7cd6b8ee86c2574cb98de17210213d8ebbb
- SHA512: 7e4b7722af0dfdac6be6ccc9d451394c0fbb554e87ca87ea483868b2730a8781fe7bbfa791a0b614f0788248718fb7d049325e3ae5a837b4cac58262a48463f3
- SSDEEP: 6144:gLV6Bta6dtJmakIM5klE4UXkD2rovrO6mlOE:gLV6Btpmkb24ttvr5E
Malware Config
Signatures
- Checks whether UAC is enabled
  Processes:
  - process: Test.exe
    description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
  Processes:
  - flow 58: 0.tcp.in.ngrok.io
  - flow 72: 0.tcp.in.ngrok.io
  - flow 77: 0.tcp.in.ngrok.io
  - flow 87: 0.tcp.in.ngrok.io
  - flow 7: 0.tcp.in.ngrok.io
  - flow 53: 0.tcp.in.ngrok.io
  - flow 56: 0.tcp.in.ngrok.io
  - flow 89: 0.tcp.in.ngrok.io
  - flow 21: 0.tcp.in.ngrok.io
  - flow 23: 0.tcp.in.ngrok.io
  - flow 75: 0.tcp.in.ngrok.io
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  Processes:
  - pid 372: Test.exe (19 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  - pid 372: Test.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  - pid 372: Test.exe
    description: Token: SeDebugPrivilege
Processes
- C:\Users\Admin\AppData\Local\Temp\Test.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Test.exe"
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
- C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\AppData\Local\Temp\Test.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Test.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/372-0-0x0000000074FC0000-0x0000000075571000-memory.dmp (Filesize 5.7MB)
- memory/372-1-0x0000000074FC0000-0x0000000075571000-memory.dmp (Filesize 5.7MB)
- memory/372-2-0x0000000001260000-0x0000000001270000-memory.dmp (Filesize 64KB)
- memory/372-4-0x0000000001260000-0x0000000001270000-memory.dmp (Filesize 64KB)
- memory/372-5-0x0000000074FC0000-0x0000000075571000-memory.dmp (Filesize 5.7MB)
- memory/372-6-0x0000000074FC0000-0x0000000075571000-memory.dmp (Filesize 5.7MB)
- memory/372-7-0x0000000001260000-0x0000000001270000-memory.dmp (Filesize 64KB)
- memory/372-8-0x0000000001260000-0x0000000001270000-memory.dmp (Filesize 64KB)
- memory/4328-9-0x0000000074FC0000-0x0000000075571000-memory.dmp (Filesize 5.7MB)
- memory/4328-10-0x0000000001A00000-0x0000000001A10000-memory.dmp (Filesize 64KB)
- memory/4328-11-0x0000000074FC0000-0x0000000075571000-memory.dmp (Filesize 5.7MB)
- memory/4328-13-0x0000000074FC0000-0x0000000075571000-memory.dmp (Filesize 5.7MB)