Analysis
-
max time kernel
16s -
max time network
17s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
02/06/2024, 22:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
loader.exe
Resource
win7-20240508-en
0 signatures
300 seconds
Behavioral task
behavioral2
Sample
loader.exe
Resource
win10v2004-20240426-en
5 signatures
300 seconds
General
-
Target
loader.exe
-
Size
34.2MB
-
MD5
48e6cb56036d902b44fccbaafc5298df
-
SHA1
0343c0886317395a502ccaf5b036e5659a0b4b19
-
SHA256
3a6233746617a17b6c0f039bde1863e08364dce539da71fcf0100176ec3fd007
-
SHA512
a359de5725d3f04e81a3e0a58950da7ee2d5ccc82c11f570711e8b87e602da1714d710a693f994ee727a31074b73661f6df1f9425064dcb1c3dc432ad163deed
-
SSDEEP
786432:zHpIrLvMphrdp+lqRmP3Y0wr+xtMVkJ5zBXCCp5o0khXZ:zIv6rG2m8Q8kJ5zBSCPo0
Score
1/10
Malware Config
Signatures
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3024 taskmgr.exe Token: SeSystemProfilePrivilege 3024 taskmgr.exe Token: SeCreateGlobalPrivilege 3024 taskmgr.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe -
Suspicious use of SendNotifyMessage 25 IoCs
pid Process 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe 3024 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"1⤵PID:2064
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3024