Analysis
max time kernel: 150s
max time network: 152s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 27/04/2024, 20:19
Behavioral task: behavioral1
Sample: New Client.exe
Resource: win11-20240419-en
General
Target: New Client.exe
Size: 164KB
MD5: bb469e37072ae0d4450e826e0548489e
SHA1: 3d692ff13fa4145a1b5935ff2cf234aab2e5b950
SHA256: f4331069d66380c5e6d33ced21ca3e76677d2e364e4021e1612cbc48cefc4398
SHA512: b16502767a8ac273d4f0dac743e5382b1bab328983904eab664ed1ac8bb8627251ffbb8603b1e1c8cdf208dbf39d6e3e9074b9e485a7d2af4d6ecde01d0da0d7
SSDEEP: 3072:qP8VmK/efmHhHz7t9K9Ezghj0cQdd3pErDTyFrbNZe0fBnn/+K:qP8V/9sE8JQdt6fTyFbW0dm
Malware Config
Signatures
Drops startup file (4 IoCs)
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | Client.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | New Client.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | Client.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | Client.exe

Executes dropped EXE (1 IoC)
pid | process
4768 | Client.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Windows\\Client.exe\" .." | Client.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Windows\\Client.exe\" .." | Client.exe
(The same value is written under both HKCU and the 32-bit HKLM Run key, so the dropped copy starts with the user and, where the process had rights to write HKLM, with every user.)

Drops file in Windows directory (2 IoCs)
description | ioc | process
File created | C:\Windows\Client.exe | New Client.exe
File opened for modification | C:\Windows\Client.exe | Client.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 8 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
2552 | schtasks.exe
2136 | schtasks.exe
4324 | schtasks.exe
1144 | schtasks.exe
1944 | schtasks.exe
4880 | schtasks.exe
4460 | schtasks.exe
2784 | schtasks.exe

Kills process with taskkill (8 IoCs)
pid | process
1224 | TASKKILL.exe
2124 | TASKKILL.exe
2324 | TASKKILL.exe
2324 | TASKKILL.exe (PID 2324 is reused during the run: once under New Client.exe PID 1940, once under PID 3372; see the process tree)
1928 | TASKKILL.exe
3492 | TASKKILL.exe
2476 | TASKKILL.exe
936 | TASKKILL.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process
1940 | New Client.exe (the report lists this same row 64 times)

Suspicious use of AdjustPrivilegeToken (32 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1940 | New Client.exe
Token: SeDebugPrivilege | 2324 | TASKKILL.exe
Token: SeDebugPrivilege | 1928 | TASKKILL.exe
Token: SeDebugPrivilege | 4768 | Client.exe
Token: SeDebugPrivilege | 3492 | TASKKILL.exe
Token: SeDebugPrivilege | 2476 | TASKKILL.exe
Token: SeDebugPrivilege | 936 | TASKKILL.exe
Token: SeDebugPrivilege | 1224 | TASKKILL.exe
Token: SeDebugPrivilege | 3580 | New Client.exe
Token: 33, then Token: SeIncBasePriorityPrivilege | 4768 | Client.exe (6 alternating pairs, 12 rows)
Token: SeDebugPrivilege | 2124 | TASKKILL.exe
Token: SeDebugPrivilege | 2324 | TASKKILL.exe
Token: SeDebugPrivilege | 3372 | New Client.exe
Token: 33, then Token: SeIncBasePriorityPrivilege | 4768 | Client.exe (4 alternating pairs, 8 rows)
("33" appears to be a privilege the sandbox reports by LUID rather than by name; in winnt.h, LUID 33 is SE_INC_WORKING_SET_PRIVILEGE.)

Suspicious use of WriteProcessMemory (64 IoCs)
The report emits three identical rows per spawn; they are grouped here by the writing (parent) process, with the report's procid_target in parentheses.
PID 1940 New Client.exe wrote to memory of: 816 (80), 4460 (82), 2324 (84), 1928 (85), 1976 (94), 2784 (96), 4768 (99) [3 rows each]
PID 4768 Client.exe wrote to memory of: 2532 (100), 2552 (102), 2476 (103), 3492 (104) [3 rows each]
PID 3580 New Client.exe wrote to memory of: 244 (109), 2136 (111), 936 (112), 1224 (115) [3 rows each]
PID 4768 Client.exe wrote to memory of: 3792 (117), 4324 (119) [3 rows each]
PID 3580 New Client.exe wrote to memory of: 2500 (121), 1144 (123) [3 rows each]
PID 3372 New Client.exe wrote to memory of: 5064 (126), 1944 (128) [3 rows each]; 2124 (129) [1 row: the report stops at 64 rows, so the later children of PID 3372 appear only in the process tree]
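The WriteProcessMemory rows above are the spawn chain (a parent writing into a child it has just created), but the report flattens them onto one line and repeats each spawn three times. The parser below is an added example, not part of the sandbox report: it rebuilds the parent-to-child tree from a constructed subset of those rows (row text copied from the report; the three-rows-per-spawn behaviour is taken from what is visible above, not from any sandbox documentation). Because the rows name only the writing process, children that never spawn anything show as "?"; their image names come from the Processes section.

```python
"""Rebuild the spawn tree from sandbox 'wrote to memory' rows.

Added example (not part of the report). Each row has the shape
  PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>
and the report emits the same row several times per spawn (three times here),
so rows are deduplicated before the tree is built. Whitespace is normalised
first, so the run-together text of the report can be pasted in as-is.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the report's rows, one per line.
ROWS = """\
PID 1940 wrote to memory of 816 1940 New Client.exe 80
PID 1940 wrote to memory of 816 1940 New Client.exe 80
PID 1940 wrote to memory of 816 1940 New Client.exe 80
PID 1940 wrote to memory of 4460 1940 New Client.exe 82
PID 1940 wrote to memory of 4460 1940 New Client.exe 82
PID 1940 wrote to memory of 4460 1940 New Client.exe 82
PID 1940 wrote to memory of 4768 1940 New Client.exe 99
PID 1940 wrote to memory of 4768 1940 New Client.exe 99
PID 1940 wrote to memory of 4768 1940 New Client.exe 99
PID 4768 wrote to memory of 2532 4768 Client.exe 100
PID 4768 wrote to memory of 2532 4768 Client.exe 100
PID 4768 wrote to memory of 2532 4768 Client.exe 100
PID 4768 wrote to memory of 2552 4768 Client.exe 102
PID 3580 wrote to memory of 244 3580 New Client.exe 109
"""

# The parent pid is repeated after the child pid, which the backreference \1 exploits
# to find the boundary between the numeric fields and the image name.
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (.+?) (\d+)(?=\s+PID\b|\s*$)")


def parse_rows(text):
    """Return distinct (parent_pid, child_pid, parent_image, procid_target) tuples in first-seen order."""
    flat = " ".join(text.split())  # collapses line breaks inside names such as "New \nClient.exe"
    seen, rows = set(), []
    for m in ROW.finditer(flat):
        row = (int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4)))
        if row not in seen:
            seen.add(row)
            rows.append(row)
    return rows


def build_tree(rows):
    """children: parent pid -> child pids in spawn order.
    image_of: pid -> image name (parents only; the rows never name the child).
    roots: parents that never appear as somebody's child."""
    children, image_of = defaultdict(list), {}
    for parent, child, image, _ in rows:
        children[parent].append(child)
        image_of[parent] = image
    spawned = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in spawned]
    return dict(children), image_of, roots


def render(children, image_of, pid, depth=0):
    """Indented one-line-per-process view of the subtree under pid; '?' marks pids the rows do not name."""
    lines = [f"{'  ' * depth}{pid} {image_of.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, image_of, child, depth + 1))
    return lines


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    children, image_of, roots = build_tree(rows)
    print(f"{len(rows)} distinct spawns from {len(ROWS.splitlines())} rows")
    for root in roots:
        print("\n".join(render(children, image_of, root)))
```

Fed the full 64-row list from the report, the edges it produces are exactly the parent/child pairs shown in the Processes section for every spawn the report kept; the svchost.exe entry does not appear because nothing wrote to it.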
Processes
[n] is the depth the sandbox reports for each process (1 = top-level); signatures triggered by a process are listed under it.

[1] C:\Users\Admin\AppData\Local\Temp\New Client.exe  (PID 1940)
    cmd: "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
    - Drops startup file
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\schtasks.exe  (PID 816)
        cmd: schtasks /Delete /tn NYANP /F
    [2] C:\Windows\SysWOW64\schtasks.exe  (PID 4460)
        cmd: schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 5
        - Creates scheduled task(s)
    [2] C:\Windows\SysWOW64\TASKKILL.exe  (PID 2324)
        cmd: TASKKILL /F /IM wscript.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\TASKKILL.exe  (PID 1928)
        cmd: TASKKILL /F /IM cmd.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\schtasks.exe  (PID 1976)
        cmd: schtasks /Delete /tn NYAN /F
    [2] C:\Windows\SysWOW64\schtasks.exe  (PID 2784)
        cmd: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 1
        - Creates scheduled task(s)
    [2] C:\Windows\Client.exe  (PID 4768)
        cmd: "C:\Windows\Client.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\schtasks.exe  (PID 2532)
            cmd: schtasks /Delete /tn NYANP /F
        [3] C:\Windows\SysWOW64\schtasks.exe  (PID 2552)
            cmd: schtasks /create /tn NYANP /tr "C:\Windows\Client.exe" /sc minute /mo 5
            - Creates scheduled task(s)
        [3] C:\Windows\SysWOW64\TASKKILL.exe  (PID 2476)
            cmd: TASKKILL /F /IM wscript.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\TASKKILL.exe  (PID 3492)
            cmd: TASKKILL /F /IM cmd.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\schtasks.exe  (PID 3792)
            cmd: schtasks /Delete /tn NYAN /F
        [3] C:\Windows\SysWOW64\schtasks.exe  (PID 4324)
            cmd: schtasks /create /tn NYAN /tr "C:\Windows\Client.exe" /sc minute /mo 1
            - Creates scheduled task(s)

[1] C:\Windows\system32\svchost.exe  (PID 2960)
    cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

[1] C:\Users\Admin\AppData\Local\Temp\New Client.exe  (PID 3580)
    cmd: "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\schtasks.exe  (PID 244)
        cmd: schtasks /Delete /tn NYANP /F
    [2] C:\Windows\SysWOW64\schtasks.exe  (PID 2136)
        cmd: schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 5
        - Creates scheduled task(s)
    [2] C:\Windows\SysWOW64\TASKKILL.exe  (PID 936)
        cmd: TASKKILL /F /IM wscript.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\TASKKILL.exe  (PID 1224)
        cmd: TASKKILL /F /IM cmd.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\schtasks.exe  (PID 2500)
        cmd: schtasks /Delete /tn NYAN /F
    [2] C:\Windows\SysWOW64\schtasks.exe  (PID 1144)
        cmd: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 1
        - Creates scheduled task(s)

[1] C:\Users\Admin\AppData\Local\Temp\New Client.exe  (PID 3372)
    cmd: "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\schtasks.exe  (PID 5064)
        cmd: schtasks /Delete /tn NYANP /F
    [2] C:\Windows\SysWOW64\schtasks.exe  (PID 1944)
        cmd: schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 5
        - Creates scheduled task(s)
    [2] C:\Windows\SysWOW64\TASKKILL.exe  (PID 2124)
        cmd: TASKKILL /F /IM wscript.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\TASKKILL.exe  (PID 2324)
        cmd: TASKKILL /F /IM cmd.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\schtasks.exe  (PID 2796)
        cmd: schtasks /Delete /tn NYAN /F
    [2] C:\Windows\SysWOW64\schtasks.exe  (PID 4880)
        cmd: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 1
        - Creates scheduled task(s)
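Every instance of the sample in the tree above runs the same sequence: delete and re-create the NYANP task (every 5 minutes) and the NYAN task (every minute), both pointing at the sample itself, force-kill wscript.exe and cmd.exe, and, on the first run, launch the copy dropped to C:\Windows\Client.exe, which repeats the sequence with its own path. The script below is an added example, not the sandbox's own detection logic: it scores process-creation events (Sysmon Event ID 1 style, constructed here from the command lines in the tree plus one benign daily task as a control) for exactly that pattern. The rule names, the interval threshold, the TRUSTED_DIRS list and the set of kill targets are assumptions chosen for the example.

```python
"""Score process-creation events for the persistence pattern in the tree above:
delete + re-create a minute-frequency scheduled task that points at an executable
outside trusted install directories, and force-kill shells / script hosts.

Added example, not the sandbox's own detection logic. Event records are
constructed from the report's command lines (Sysmon Event ID 1 style:
parent pid, pid, image, command line); rule names and thresholds are assumptions.
"""
import shlex
from collections import defaultdict

# Constructed from the process tree above, plus one benign daily task as a control.
EVENTS = [
    (1940, 816,  r"C:\Windows\SysWOW64\schtasks.exe", r"schtasks /Delete /tn NYANP /F"),
    (1940, 4460, r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 5'),
    (1940, 2324, r"C:\Windows\SysWOW64\TASKKILL.exe", r"TASKKILL /F /IM wscript.exe"),
    (1940, 1928, r"C:\Windows\SysWOW64\TASKKILL.exe", r"TASKKILL /F /IM cmd.exe"),
    (1940, 1976, r"C:\Windows\SysWOW64\schtasks.exe", r"schtasks /Delete /tn NYAN /F"),
    (1940, 2784, r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 1'),
    (1940, 4768, r"C:\Windows\Client.exe", r'"C:\Windows\Client.exe"'),
    # control (constructed): an administrator registering a nightly job from a trusted path
    (5000, 5001, r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'),
]

# Assumptions for this example: where legitimate task targets usually live, which
# processes an implant kills to stop scripts and operators, and how short an interval is suspicious.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
KILL_TARGETS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
MAX_INTERVAL_MIN = 5


def schtasks_args(cmdline):
    """Map each /switch (lower-cased) to its value, or True for a bare flag.
    posix=False keeps Windows backslashes and splits only on whitespace outside quotes."""
    toks = shlex.split(cmdline, posix=False)[1:]
    args, i = {}, 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[tok.lower()] = toks[i + 1].strip('"')
                i += 2
                continue
            args[tok.lower()] = True
        i += 1
    return args


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_DIRS)


def analyze(events):
    """Return {parent_pid: [(child_pid, rule, detail), ...]} for parents with at least one hit, in event order."""
    hits = defaultdict(list)
    deleted = defaultdict(set)  # parent pid -> task names it deleted earlier in the stream
    for ppid, pid, image, cmd in events:
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe == "schtasks.exe":
            a = schtasks_args(cmd)
            tn = str(a.get("/tn", "")).lower()
            if "/delete" in a:
                deleted[ppid].add(tn)
                hits[ppid].append((pid, "task_delete", tn))
            elif "/create" in a:
                target = str(a.get("/tr", ""))
                mo = str(a.get("/mo", "1"))  # schtasks defaults the modifier to 1
                interval = int(mo) if mo.isdigit() else 1
                if (str(a.get("/sc", "")).lower() == "minute" and interval <= MAX_INTERVAL_MIN
                        and not is_trusted_path(target)):
                    hits[ppid].append((pid, "high_frequency_task_untrusted_target",
                                       f"{tn} -> {target} every {interval} min"))
                if tn in deleted[ppid]:
                    hits[ppid].append((pid, "task_reregistered", tn))
        elif exe == "taskkill.exe":
            toks = cmd.lower().split()
            if "/f" in toks and "/im" in toks and toks.index("/im") + 1 < len(toks):
                victim = toks[toks.index("/im") + 1]
                if victim in KILL_TARGETS:
                    hits[ppid].append((pid, "force_kill_shell_or_script_host", victim))
    return dict(hits)


STRONG = {"high_frequency_task_untrusted_target", "force_kill_shell_or_script_host"}


def verdict(hits):
    """'malicious' when one parent both plants a high-frequency task and kills shells;
    'suspicious' for either alone or for a delete-then-recreate of the same task name."""
    out = {}
    for ppid, rows in hits.items():
        rules = {rule for _, rule, _ in rows}
        if STRONG <= rules:
            out[ppid] = "malicious"
        elif rules & (STRONG | {"task_reregistered"}):
            out[ppid] = "suspicious"
    return out


if __name__ == "__main__":
    found = analyze(EVENTS)
    for ppid, rows in found.items():
        print(f"parent {ppid}: {verdict(found)[ppid]}")
        for pid, rule, detail in rows:
            print(f"  pid {pid}: {rule} ({detail})")
```

Correlating on the parent pid rather than scoring each child alone is what separates this sample from an administrator who happens to run schtasks: the control event never produces a hit, while PID 1940 collects both strong rules. The same rules fire for the second-stage copy (PID 4768) if its children are added to EVENTS, since its task target C:\Windows\Client.exe is not under any trusted install directory either.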
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 588B
MD5: b4d14ec3884c4815553e89737aa0f1ff
SHA1: c3b3039da0e6d6588d5695880d84111d7973e141
SHA256: d06b129aac3de36095a00beb80a5eb349cb554fd2cfaf49083a30ec174b16a7d
SHA512: 3a91a512a25dce176a3b8565a901a82c5ab25931c176406cf295dc48da30934c553104edd3b856bcf1ef4249152ff1b5860b93e462dcf7608aa793af316e130f

Filesize: 164KB (same hashes as the submitted Target above)
MD5: bb469e37072ae0d4450e826e0548489e
SHA1: 3d692ff13fa4145a1b5935ff2cf234aab2e5b950
SHA256: f4331069d66380c5e6d33ced21ca3e76677d2e364e4021e1612cbc48cefc4398
SHA512: b16502767a8ac273d4f0dac743e5382b1bab328983904eab664ed1ac8bb8627251ffbb8603b1e1c8cdf208dbf39d6e3e9074b9e485a7d2af4d6ecde01d0da0d7