Analysis
-
max time kernel
138s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system -
submitted
23-04-2024 21:10
Behavioral task
behavioral1
Sample
Test2.exe
Resource
win7-20240221-en
General
-
Target
Test2.exe
-
Size
202KB
-
MD5
c780e7577e6393e3477d90e1fbaafee7
-
SHA1
060d311acc645042feee43d64f59ba4656a6ce04
-
SHA256
595ee121f09db84c800fea2180b08ff05908b3fd1eb80d55ef4c9110efe06c40
-
SHA512
76a623cd79b95093c61dd20f2af4eb5ff99ef17f2b9d9eca35673f687d0fff219fde3f88afff546c6a4059ab2c5b5c60b9d5d63bcd98f927a23209231b9e5782
-
SSDEEP
6144:gLV6Bta6dtJmakIM57lE4UXkD2rovrO6mlOR:gLV6BtpmkM24ttvr5R
Malware Config
Signatures
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Test2.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
Processes:
flow | ioc
48 | 0.tcp.in.ngrok.io
67 | 0.tcp.in.ngrok.io
89 | 0.tcp.in.ngrok.io
93 | 0.tcp.in.ngrok.io
107 | 0.tcp.in.ngrok.io
112 | 0.tcp.in.ngrok.io
9 | 0.tcp.in.ngrok.io
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
pid | process
228 | Test2.exe (15 occurrences)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
228 | Test2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 228 | Test2.exe
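The three behaviours flagged above (DNS resolution of an ngrok TCP tunnel endpoint, a read of the EnableLUA policy value, and SeDebugPrivilege being enabled on the process token) are each weak on their own but strong in combination. The following is an added example, not part of the sandbox report or its tooling, of how a practitioner might encode them as detection rules and correlate hits per process over endpoint telemetry. The event records and every process other than Test2.exe are constructed for illustration; the ngrok pattern generalises the single hostname in the report to any `<n>.tcp[.<region>].ngrok.io` endpoint.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Shape of ngrok TCP tunnel hostnames, e.g. 0.tcp.in.ngrok.io from the report.
# The leading number and the two-letter region label vary between tunnels, so
# match the pattern rather than the one literal hostname. "ngrok.com" alone
# (the vendor site) deliberately does not match.
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(?:\.[a-z]{2})?\.ngrok\.io$", re.IGNORECASE)

# Registry value the sample read to learn whether UAC is enabled (from the report).
UAC_ENABLELUA = (
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
    r"\Policies\System\EnableLUA"
)

# Privilege the sample enabled on its own token (from the report).
SENSITIVE_PRIVILEGES = {"SeDebugPrivilege"}


def match_event(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the rule an event triggers, or None."""
    kind = event["type"]
    if kind == "dns" and NGROK_TCP_RE.match(event["query"]):
        return "ngrok_tcp_tunnel"
    if (
        kind == "registry"
        and event["op"] == "QueryValue"
        and event["path"].casefold() == UAC_ENABLELUA.casefold()
    ):
        return "uac_status_check"
    if kind == "token" and event["privilege"] in SENSITIVE_PRIVILEGES:
        return "debug_privilege_enabled"
    return None


def scan(events: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Count rule hits per process, keyed as "image:pid"."""
    hits: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ev in events:
        rule = match_event(ev)
        if rule:
            hits[f"{ev['process']}:{ev['pid']}"][rule] += 1
    return {proc: dict(rules) for proc, rules in hits.items()}


def suspicious(hits: Dict[str, Dict[str, int]], min_rules: int = 2) -> List[str]:
    """Processes that tripped at least `min_rules` distinct rules.

    A single hit is common for benign software (Task Manager enables
    SeDebugPrivilege; installers read EnableLUA), so correlation is what
    separates the sample from background noise.
    """
    return sorted(proc for proc, rules in hits.items() if len(rules) >= min_rules)


# Constructed sample events modelled on the report; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "dns", "process": "Test2.exe", "pid": "228", "query": "0.tcp.in.ngrok.io"},
    {"type": "dns", "process": "Test2.exe", "pid": "228", "query": "0.tcp.in.ngrok.io"},
    {"type": "dns", "process": "svchost.exe", "pid": "1012", "query": "www.msftconnecttest.com"},
    {"type": "dns", "process": "chrome.exe", "pid": "3300", "query": "ngrok.com"},
    {"type": "registry", "process": "Test2.exe", "pid": "228",
     "op": "QueryValue", "path": UAC_ENABLELUA},
    {"type": "registry", "process": "explorer.exe", "pid": "4120", "op": "QueryValue",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "token", "process": "Test2.exe", "pid": "228", "privilege": "SeDebugPrivilege"},
    {"type": "token", "process": "taskmgr.exe", "pid": "5200", "privilege": "SeDebugPrivilege"},
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for proc, rules in results.items():
        print(proc, rules)
    print("suspicious:", suspicious(results))
```

Run against the constructed events, only `Test2.exe:228` trips more than one rule; `taskmgr.exe` registers a lone SeDebugPrivilege hit and is left alone, and the bare `ngrok.com` lookup is ignored because it is not a tunnel endpoint.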
Processes
-
C:\Users\Admin\AppData\Local\Temp\Test2.exe
command line: "C:\Users\Admin\AppData\Local\Temp\Test2.exe"
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:228
-
C:\Windows\System32\rundll32.exe
command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:5080
-
C:\Users\Admin\AppData\Local\Temp\Test2.exe
command line: "C:\Users\Admin\AppData\Local\Temp\Test2.exe"
PID:1784
-
C:\Users\Admin\AppData\Local\Temp\Test2.exe
command line: "C:\Users\Admin\AppData\Local\Temp\Test2.exe"
PID:4676
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
496B
MD5
5b4789d01bb4d7483b71e1a35bce6a8b
SHA1
de083f2131c9a763c0d1810c97a38732146cffbf
SHA256
e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6
SHA512
357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede