Analysis

max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 01:53

Static task: static1
Behavioral task: behavioral1 (sample test.exe, resource win7-20240215-en)
Behavioral task: behavioral2 (sample test.exe, resource win10v2004-20240508-en)
General

Target: test.exe
Size: 75KB
MD5: 07202b2ac038a5853ee4fb88dcb9a899
SHA1: 1cbe3734d3594cd2430e699e63972da458562dd3
SHA256: 90cee64c0da47de7b66c5f50120051e3797f14c5609aea1c5e1aaf10e10537a8
SHA512: 75c79157f14bb226ea3fedc011e79bfd57aed6a94f1a97c518755289da6bbcb9eeeeb327d45e70ed1e7d69e24a863f76ad0fc78dda593817b513c678de10c0c5
SSDEEP: 1536:GOXQrSji6XN9+GVqQ7zgN9ebqvjoJExemwHX9TM:GOXQA+QqQfgNY0emcQ
Malware Config
Signatures

Disables Task Manager via registry modification

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  reg.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\Win32.exe"

Drops file in Windows directory (2 IoCs)
Processes:
  cmd.exe | File created | C:\Windows\Win32.exe
  cmd.exe | File opened for modification | C:\Windows\Win32.exe

Kills process with taskkill (1 IoC)
Processes:
  taskkill.exe | PID 2936
Modifies registry key (1 TTP, 3 IoCs)
Processes:
  reg.exe | PIDs 2548, 2412, 2948 (the three reg.exe invocations listed in the process tree)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  taskkill.exe | Token: SeDebugPrivilege | PID 2936

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (5 distinct parent/child pairs, each recorded three times):
  PID 2592 test.exe  wrote to memory of  PID 2192 cmd.exe       (x3)
  PID 2192 cmd.exe   wrote to memory of  PID 2936 taskkill.exe  (x3)
  PID 2192 cmd.exe   wrote to memory of  PID 2548 reg.exe       (x3)
  PID 2192 cmd.exe   wrote to memory of  PID 2412 reg.exe       (x3)
  PID 2192 cmd.exe   wrote to memory of  PID 2948 reg.exe       (x3)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\test.exe  (PID 2592)
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe  (PID 2192)
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\A7C.tmp\test.bat" "C:\Users\Admin\AppData\Local\Temp\test.exe""
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\taskkill.exe  (PID 2936)
        taskkill /im explorer.exe /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\reg.exe  (PID 2548)
        Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot /f
        - Modifies registry key

    [3] C:\Windows\system32\reg.exe  (PID 2412)
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Win32 /t REG_SZ /d C:\Windows\Win32.exe /f
        - Adds Run key to start application
        - Modifies registry key

    [3] C:\Windows\system32\reg.exe  (PID 2948)
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Modifies registry key

Reading the tree: test.exe runs a batch file from %TEMP%\A7C.tmp\test.bat through cmd.exe and passes its own path as the batch's argument. That cmd.exe instance (PID 2192) is the process that creates C:\Windows\Win32.exe, and C:\Windows\Win32.exe is the value written to the HKCU Run key by PID 2412, so the copy under C:\Windows is the persisted payload. The HKCU writes (Run key, DisableTaskMgr) need no elevation, whereas deleting HKLM\System\CurrentControlSet\Control\SafeBoot requires administrative rights; the report does not show whether that deletion succeeded. The forced taskkill of explorer.exe is what triggers the SeDebugPrivilege (AdjustPrivilegeToken) signature on PID 2936.
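The process tree above, turned into detection logic: this is an added example written by the editor, not code from the sandbox or from the sample. It replays the six command lines recorded in the tree (reconstructed here as a constructed in-memory list) through a small rule set that names each finding the way the report's Signatures section does. The ATT&CK technique IDs are the editor's own mapping and are not stated anywhere in the report; mapping the SafeBoot key deletion to T1490 in particular is an assumption.

```python
"""Editor's added example (not the sandbox's or the sample's code): replays the command
lines from this report's process tree through a small rule set. Signature names follow
the report; the ATT&CK IDs are the editor's mapping (T1490 for SafeBoot is an assumption)."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    signature: str            # wording follows the report's Signatures section
    technique: Optional[str]  # ATT&CK ID (editor's mapping); None where nothing fits cleanly
    detail: str


# Constructed sample input: the six process-creation events in the tree above.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(2592, r"C:\Users\Admin\AppData\Local\Temp\test.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\test.exe"'),
    ProcessEvent(2192, r"C:\Windows\system32\cmd.exe",
                 r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\A7C.tmp\test.bat" '
                 r'"C:\Users\Admin\AppData\Local\Temp\test.exe""'),
    ProcessEvent(2936, r"C:\Windows\system32\taskkill.exe", "taskkill /im explorer.exe /f"),
    ProcessEvent(2548, r"C:\Windows\system32\reg.exe",
                 r"Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot /f"),
    ProcessEvent(2412, r"C:\Windows\system32\reg.exe",
                 r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
                 r"/v Win32 /t REG_SZ /d C:\Windows\Win32.exe /f"),
    ProcessEvent(2948, r"C:\Windows\system32\reg.exe",
                 r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "
                 r"/v DisableTaskMgr /t REG_DWORD /d 1 /f"),
]


def _program_re(name: str) -> str:
    # Leading program token, with or without a path, surrounding quotes or ".exe".
    return r'^\s*(?:"?[^"\s]*\\)?' + name + r'(?:\.exe)?"?\s+'


def parse_reg_command(cmdline: str) -> Optional[dict]:
    """Parse 'reg add|delete <key> [/v name] [/t type] [/d data] [/f]'; None if not reg.exe."""
    # Case-insensitive throughout: reg.exe is, and the sample mixes 'Reg Delete' with 'reg add'.
    m = re.match(_program_re("reg") + r'(add|delete)\s+("[^"]+"|\S+)(.*)$', cmdline, re.I)
    if not m:
        return None
    verb, key, rest = m.group(1).lower(), m.group(2).strip('"'), m.group(3)
    opts = {flag.lower(): val.strip('"')
            for flag, val in re.findall(r'/(v|t|d)\s+("[^"]*"|\S+)', rest, re.I)}
    return {"verb": verb, "key": key, "name": opts.get("v"), "type": opts.get("t"),
            "data": opts.get("d"), "force": bool(re.search(r'(?:^|\s)/f\b', rest, re.I))}


def detect(events: List[ProcessEvent]) -> List[Finding]:
    """Run every rule over every event; one event may produce several findings."""
    findings: List[Finding] = []
    for e in events:
        cl = e.cmdline
        # cmd.exe launching a .bat from the user's Temp directory (T1059.003).
        bat = re.search(r'"?([^"]*\\temp\\[^"]*\.bat)"?', cl, re.I)
        if bat and re.match(_program_re("cmd"), cl, re.I):
            findings.append(Finding(e.pid, "Runs batch file from Temp directory",
                                    "T1059.003", bat.group(1)))
        # taskkill /im <image> [/f]; killing explorer.exe takes away the user's shell.
        target = re.search(r'/im\s+("[^"]+"|\S+)', cl, re.I)
        if target and re.match(_program_re("taskkill"), cl, re.I):
            forced = bool(re.search(r'\s/f\b', cl, re.I))
            findings.append(Finding(e.pid, "Kills process with taskkill", None,
                                    ("forced " if forced else "") + "termination of "
                                    + target.group(1).strip('"')))
        reg = parse_reg_command(cl)
        if reg is None:
            continue
        key = reg["key"].lower()
        findings.append(Finding(e.pid, "Modifies registry key", "T1112",
                                "reg " + reg["verb"] + " " + reg["key"]))
        if reg["verb"] == "add" and re.search(r'\\currentversion\\run(once)?$', key):
            findings.append(Finding(e.pid, "Adds Run key to start application", "T1547.001",
                                    str(reg["name"]) + " = " + str(reg["data"])))
        if (reg["verb"] == "add" and key.endswith(r"\policies\system")
                and (reg["name"] or "").lower() == "disabletaskmgr" and reg["data"] == "1"):
            findings.append(Finding(e.pid, "Disables Task Manager via registry modification",
                                    "T1562.001", "DisableTaskMgr = 1"))
        if reg["verb"] == "delete" and key.endswith(r"\control\safeboot"):
            # Without this key Windows cannot boot into Safe Mode; T1490 is the assumed mapping.
            findings.append(Finding(e.pid, "Deletes SafeBoot control key", "T1490", reg["key"]))
    return findings
```

Against the sample events this yields eight findings: three "Modifies registry key" (PIDs 2548, 2412, 2948, matching the report's 3 IoCs), plus the Run key, DisableTaskMgr, SafeBoot, taskkill and batch-file findings. To run it on real telemetry, build ProcessEvent objects from process-creation records (Sysmon Event ID 1 or the EDR equivalent); matching on the parsed key and value name rather than on raw substrings is what keeps the Run-key and DisableTaskMgr rules from being dodged by case or quoting changes such as the "Reg Delete" spelling in this sample.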
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 3423bfcd5d796f351d6877277656dce0
SHA1: fd97b809225bd6410667ef6186b9b65632566a99
SHA256: 83a6299c3d4dcb0a864de86be96059106125204e949098d4c718f5312496b47c
SHA512: 8af1c2c263d6385beda9e213988447dd1b79223ee286fec849d067fa0d4950af8cfafdf47812c59723558f1f28b693e077edc61308c9859d33f9e2838c4ddde6