Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    27/04/2024, 20:19

General

  • Target
    New Client.exe
  • Size
    164KB
  • MD5
    bb469e37072ae0d4450e826e0548489e
  • SHA1
    3d692ff13fa4145a1b5935ff2cf234aab2e5b950
  • SHA256
    f4331069d66380c5e6d33ced21ca3e76677d2e364e4021e1612cbc48cefc4398
  • SHA512
    b16502767a8ac273d4f0dac743e5382b1bab328983904eab664ed1ac8bb8627251ffbb8603b1e1c8cdf208dbf39d6e3e9074b9e485a7d2af4d6ecde01d0da0d7
  • SSDEEP
    3072:qP8VmK/efmHhHz7t9K9Ezghj0cQdd3pErDTyFrbNZe0fBnn/+K:qP8V/9sE8JQdt6fTyFbW0dm

Score
7/10

Signatures

  • Drops startup file (4 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTPs, 8 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill (8 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (32 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Client.exe
    "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
    1⤵
    • Drops startup file
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYANP /F
      2⤵
      PID:816
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 5
      2⤵
      • Creates scheduled task(s)
      PID:4460
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM wscript.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2324
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM cmd.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1928
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYAN /F
      2⤵
      PID:1976
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 1
      2⤵
      • Creates scheduled task(s)
      PID:2784
    • C:\Windows\Client.exe
      "C:\Windows\Client.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Delete /tn NYANP /F
        3⤵
        PID:2532
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn NYANP /tr "C:\Windows\Client.exe" /sc minute /mo 5
        3⤵
        • Creates scheduled task(s)
        PID:2552
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /F /IM wscript.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2476
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /F /IM cmd.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3492
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Delete /tn NYAN /F
        3⤵
        PID:3792
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn NYAN /tr "C:\Windows\Client.exe" /sc minute /mo 1
        3⤵
        • Creates scheduled task(s)
        PID:4324
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
    PID:2960
  • C:\Users\Admin\AppData\Local\Temp\New Client.exe
    "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3580
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYANP /F
      2⤵
      PID:244
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 5
      2⤵
      • Creates scheduled task(s)
      PID:2136
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM wscript.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:936
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM cmd.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1224
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYAN /F
      2⤵
      PID:2500
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 1
      2⤵
      • Creates scheduled task(s)
      PID:1144
  • C:\Users\Admin\AppData\Local\Temp\New Client.exe
    "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYANP /F
      2⤵
      PID:5064
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 5
      2⤵
      • Creates scheduled task(s)
      PID:1944
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM wscript.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2124
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM cmd.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2324
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYAN /F
      2⤵
      PID:2796
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 1
      2⤵
      • Creates scheduled task(s)
      PID:4880

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\New Client.exe.log
    Filesize
    588B
    MD5
    b4d14ec3884c4815553e89737aa0f1ff
    SHA1
    c3b3039da0e6d6588d5695880d84111d7973e141
    SHA256
    d06b129aac3de36095a00beb80a5eb349cb554fd2cfaf49083a30ec174b16a7d
    SHA512
    3a91a512a25dce176a3b8565a901a82c5ab25931c176406cf295dc48da30934c553104edd3b856bcf1ef4249152ff1b5860b93e462dcf7608aa793af316e130f
  • C:\Windows\Client.exe
    Filesize
    164KB
    MD5
    bb469e37072ae0d4450e826e0548489e
    SHA1
    3d692ff13fa4145a1b5935ff2cf234aab2e5b950
    SHA256
    f4331069d66380c5e6d33ced21ca3e76677d2e364e4021e1612cbc48cefc4398
    SHA512
    b16502767a8ac273d4f0dac743e5382b1bab328983904eab664ed1ac8bb8627251ffbb8603b1e1c8cdf208dbf39d6e3e9074b9e485a7d2af4d6ecde01d0da0d7
  • memory/1940-8-0x0000000074940000-0x0000000074EF1000-memory.dmp
    Filesize
    5.7MB
  • memory/1940-9-0x0000000001A70000-0x0000000001A80000-memory.dmp
    Filesize
    64KB
  • memory/1940-5-0x0000000001A70000-0x0000000001A80000-memory.dmp
    Filesize
    64KB
  • memory/1940-4-0x0000000001A70000-0x0000000001A80000-memory.dmp
    Filesize
    64KB
  • memory/1940-3-0x0000000001A70000-0x0000000001A80000-memory.dmp
    Filesize
    64KB
  • memory/1940-7-0x0000000074940000-0x0000000074EF1000-memory.dmp
    Filesize
    5.7MB
  • memory/1940-0-0x0000000074940000-0x0000000074EF1000-memory.dmp
    Filesize
    5.7MB
  • memory/1940-6-0x0000000001A70000-0x0000000001A80000-memory.dmp
    Filesize
    64KB
  • memory/1940-10-0x0000000001A70000-0x0000000001A80000-memory.dmp
    Filesize
    64KB
  • memory/1940-13-0x0000000001A70000-0x0000000001A80000-memory.dmp
    Filesize
    64KB
  • memory/1940-12-0x0000000001A70000-0x0000000001A80000-memory.dmp
    Filesize
    64KB
  • memory/1940-11-0x0000000001A70000-0x0000000001A80000-memory.dmp
    Filesize
    64KB
  • memory/1940-2-0x0000000001A70000-0x0000000001A80000-memory.dmp
    Filesize
    64KB
  • memory/1940-23-0x0000000074940000-0x0000000074EF1000-memory.dmp
    Filesize
    5.7MB
  • memory/1940-1-0x0000000074940000-0x0000000074EF1000-memory.dmp
    Filesize
    5.7MB