Analysis

max time kernel: 11s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 19/05/2024, 20:04

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: MasterofCats.exe
  Resource: win10-20240404-en
  6 signatures, 150 seconds
General

Target: MasterofCats.exe
Size: 5.2MB
MD5: b4e8c16e4cb212daddf22f0471cd4c07
SHA1: 843de81bcbdc1f2eff7b13ee95e77e063f2d858d
SHA256: 2d37c4e06bd4464166f65779ee78dc9d1ae3a31c03d5c10a0d5801eed2f44ed2
SHA512: a5083ae8fea420feb70411aec2a3d3511f5a7dc583d6e1a612570777c4b1449a9699396c1cf059fce4a4f633a77d5f7a3b1dbf6f8533d1868892b46124ae019f
SSDEEP: 98304:8qgaG6E+UNEgtS1RgntRMukWcxf8/eSkZ8AVq4ycdg50Uhs/rpzM:8YdEqp1unzMuyfhSk8TeUhsjpz
Score: 4/10

Malware Config

Signatures
Drops file in Windows directory (2 IoCs)
  description  | ioc                                                   | process
  File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | taskmgr.exe
  File created | C:\Windows\rescache\_merged\1601268389\715946058.pri  | taskmgr.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description       | ioc                                                                                                                                  | process
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000                                      | taskmgr.exe
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                         | taskmgr.exe
  Note: all three reads are performed by taskmgr.exe (PID 4016), a Windows component that shows the disk model in its Performance view, not by the submitted sample. Read in isolation the signature description is generic sandbox text; on this report it carries no evidence that MasterofCats.exe probed the environment.
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid 4016, taskmgr.exe (all 7 events)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                       | pid  | process
  Token: SeDebugPrivilege           | 4016 | taskmgr.exe
  Token: SeSystemProfilePrivilege   | 4016 | taskmgr.exe
  Token: SeCreateGlobalPrivilege    | 4016 | taskmgr.exe
  Token: 33 (reported by the sandbox as a numeric LUID only) | 4016 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 4016 | taskmgr.exe
Suspicious use of FindShellTrayWindow (33 IoCs)
  pid 4016, taskmgr.exe (all 33 events)

Suspicious use of SendNotifyMessage (33 IoCs)
  pid 4016, taskmgr.exe (all 33 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\MasterofCats.exe
   "C:\Users\Admin\AppData\Local\Temp\MasterofCats.exe"
   PID: 5116
   (no signatures attributed)

1. C:\Windows\system32\taskmgr.exe
   "C:\Windows\system32\taskmgr.exe" /0
   PID: 4016
   - Drops file in Windows directory
   - Checks SCSI registry key(s)
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage

Both processes sit at depth 1 of the tree, so taskmgr.exe is not a child of the sample. Every behavioural signature in this report is attributed to taskmgr.exe (PID 4016); none is attributed to MasterofCats.exe (PID 5116), which the kernel observed for at most 11s. The 4/10 score therefore reflects Task Manager's own activity in the analysis VM, not observed behaviour of the sample.
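The SCSI registry signature is the only evasion-flavoured hit in this report, and the process tree shows that every hit belongs to taskmgr.exe. The following Python helper is an added example for this page, not part of the sandbox's output: it parses the registry paths listed under "Checks SCSI registry key(s)" into class, vendor, product and instance components, flags device IDs whose vendor or product string names a hypervisor disk (the marker list is an assumed, commonly used set), and tallies reads per process so the reader can see who actually touched the keys. The IoC rows are transcribed from the signature above; any other device path used with it is constructed input.

```python
"""Added triage helper (not part of the sandbox report): parse the registry
paths reported under "Checks SCSI registry key(s)", flag device IDs that name
a hypervisor, and attribute each read to the process that performed it."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# IoC rows (description, key path, process) transcribed from the signature above.
SCSI_IOCS = [
    ("Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000",
     "taskmgr.exe"),
    ("Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000"
     r"\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A",
     "taskmgr.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName",
     "taskmgr.exe"),
]

# Assumption: a typical evasion-check list of vendor/product substrings seen in
# the SCSI device IDs of virtual disks (QEMU/KVM, VirtualBox, VMware, Hyper-V).
HYPERVISOR_MARKERS = ("QEMU", "VBOX", "VMWARE", "VIRTUAL", "MSFT")

# Enum\SCSI\<Class>&Ven_<vendor>&Prod_<product>\<instance id>[\<subkey or value>]
_DEVICE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)"
    r"\\(?P<inst>[^\\]+)(?P<rest>(?:\\.*)?)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ScsiDevice:
    device_class: str
    vendor: str
    product: str
    instance: str
    leaf: str  # subkey/value path under the instance key; "" for the instance key itself


def parse_scsi_path(path: str) -> Optional[ScsiDevice]:
    """Split a SCSI Enum registry path into its device-ID components, or return
    None if the path is not under Enum\\SCSI."""
    m = _DEVICE_RE.search(path)
    if m is None:
        return None
    return ScsiDevice(m["cls"], m["ven"], m["prod"], m["inst"], m["rest"].lstrip("\\"))


def looks_virtual(dev: ScsiDevice) -> bool:
    """True if the vendor or product string names a known hypervisor disk."""
    text = f"{dev.vendor} {dev.product}".upper()
    return any(marker in text for marker in HYPERVISOR_MARKERS)


def triage(iocs: Iterable[tuple]) -> dict:
    """Summarise the rows: reads per process, virtual devices touched, and which
    processes actually read FriendlyName (the human-readable model string)."""
    by_process: Counter = Counter()
    virtual_devices = set()
    friendly_name_readers = set()
    for action, path, process in iocs:
        dev = parse_scsi_path(path)
        if dev is None:
            continue  # not a SCSI Enum key; out of scope for this signature
        by_process[process] += 1
        if looks_virtual(dev):
            virtual_devices.add((dev.vendor, dev.product))
        if action == "Key value queried" and dev.leaf.lower() == "friendlyname":
            friendly_name_readers.add(process)
    return {
        "by_process": dict(by_process),
        "virtual_devices": sorted(virtual_devices),
        "friendly_name_readers": sorted(friendly_name_readers),
    }


if __name__ == "__main__":
    summary = triage(SCSI_IOCS)
    for process, n in summary["by_process"].items():
        print(f"{process}: {n} SCSI key reads")
    print("virtual devices:", summary["virtual_devices"])
    print("FriendlyName read by:", summary["friendly_name_readers"])
```

Run against this report's rows, the summary attributes all three reads to taskmgr.exe and none to MasterofCats.exe (PID 5116), which is the point a reviewer of this report should take away. The same function accepts the IoC rows of any other report that uses this signature; a path that is not under Enum\SCSI is skipped rather than counted, so rows from unrelated registry signatures can be fed in unfiltered.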