Analysis
max time kernel: 132s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 11:05
Behavioral tasks
behavioral1: sample Versatools.exe, resource win7-20240215-en
behavioral2: sample Versatools.exe, resource win10v2004-20240226-en
behavioral3: sample main.pyc, resource win7-20240508-en
behavioral4: sample main.pyc, resource win10v2004-20240508-en
General
Target: main.pyc
Size: 10KB
MD5: d0c341eb7e5bd3dc2b4530da7afcfd9d
SHA1: a464e88e39c1f2cded42f933a205b8786085c36f
SHA256: 56b3e117751a7fd7b0bef0f90efa5f6b95af43ca0f03ea9bd1a7e1eac7b17cbb
SHA512: 4d85b01fcfcc3f6a56758410b69b7117c2fc1beb8bfff5077a0f1b0170f9ed070ba05657384a254767b8044c73b1f94484f77a89125f331fa65536d88fade0f5
SSDEEP: 192:IM5+HH/5vvWhOLmSe59njo0P0h5IYh+IhZjhcI4dRjjtu:IMmYHYvcYPmRRjjtu
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
  description       | ioc | Process
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
  description       | ioc | Process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Modifies registry class (2 IoCs)
Processes: cmd.exe, OpenWith.exe
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | OpenWith.exe
Suspicious behavior: EnumeratesProcesses (25 IoCs)
Processes: taskmgr.exe
  pid  | Process
  1172 | taskmgr.exe (same entry repeated 25 times)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: taskmgr.exe
  description                       | pid  | Process
  Token: SeDebugPrivilege           | 1172 | taskmgr.exe
  Token: SeSystemProfilePrivilege   | 1172 | taskmgr.exe
  Token: SeCreateGlobalPrivilege    | 1172 | taskmgr.exe
  Token: 33                         | 1172 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 1172 | taskmgr.exe
Suspicious use of FindShellTrayWindow (50 IoCs)
Processes: taskmgr.exe
  pid  | Process
  1172 | taskmgr.exe (same entry repeated 50 times)
Suspicious use of SendNotifyMessage (50 IoCs)
Processes: taskmgr.exe
  pid  | Process
  1172 | taskmgr.exe (same entry repeated 50 times)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: OpenWith.exe
  pid  | Process
  5100 | OpenWith.exe
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
  - Modifies registry class
  PID: 3240

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 5100

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1172