Analysis
max time kernel: 146s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-06-2024 23:23
Behavioral task: behavioral1
Sample: Test.exe
Resource: win7-20240221-en (windows7-x64)
6 signatures, 150 seconds
General
Target: Test.exe
Size: 202KB
MD5: c3e71798c4a13b13b7687a581403f3a6
SHA1: 5a2fe4c25e3c809ca80d5ac72a001228a69300be
SHA256: 3981c3975a42b4a3a7bc68831787315ab5cde0348332f81c89d1809f28ad6011
SHA512: fbcdfa290ef0b6dd1f8664ae7286eaec7268f1dc0a499439a5c7c37dddc0cd20222282d4b601d02fed706233cd4859f9878e83fe7db78fbde940757fd5e8f1d5
SSDEEP: 3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIyUmgcZH9Kz2fCdfeCpIT6/Jc8:gLV6Bta6dtJmakIM5qYHk6adGl2w0ssL
Malware Config
Signatures

Registry value queried: EnableLUA (UAC policy)
Processes:
description         ioc                                                                                      process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    Test.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 34 IoCs)
Processes:
ioc    0.tcp.in.ngrok.io (all 34 flows go to this single host)
flows  7, 18, 21, 28, 30, 32, 35, 46, 50, 52, 54, 56, 58, 60, 64, 67, 69, 71, 73, 75, 77, 83, 85, 88, 90, 92, 94, 96, 98, 100, 102, 104, 106, 108

Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
pid    process
2812   Test.exe (9 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid    process
2812   Test.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description               pid    process
Token: SeDebugPrivilege   2812   Test.exe
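The signatures above are observations from one sandbox run; what an analyst usually wants next is to turn them into something that can be run over host telemetry. The following is an added example, not code from the sandbox vendor or from the sample's report. It takes the indicators exactly as listed (the 0.tcp.in.ngrok.io endpoint, the EnableLUA policy key, the SHA256 of Test.exe, the SeDebugPrivilege adjustment) and matches them against constructed, simplified JSON-lines events. The field names and event IDs are assumptions modelled on Sysmon (EventID 1 ProcessCreate with Hashes, EventID 22 DnsQuery with QueryName) and Windows Security auditing (4663 registry object access with ObjectName, 4703 token privilege adjustment with EnabledPrivilegeList); the hostname pattern deliberately generalises beyond the one endpoint in the report, because ngrok assigns numbered TCP endpoints per region.

```python
"""IoC triage matcher built from the indicators in the report above.

Added example; not the sandbox's code. Event shapes and the sample log are
constructed and simplified (Sysmon-style EventID 1 and 22; Security audit
4663 and 4703 fields).
"""
import json
import re

# From the report: the only C2 host seen is 0.tcp.in.ngrok.io. ngrok hands out
# numbered TCP endpoints per region, so match the family, not one hostname
# (assumption: the pattern is ours, not the report's).
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(?:\.[a-z]{2})?\.ngrok\.io$", re.IGNORECASE)

# From the report: the UAC policy key whose EnableLUA value the sample queried.
UAC_POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# From the report: SHA256 of Test.exe.
SAMPLE_SHA256 = "3981c3975a42b4a3a7bc68831787315ab5cde0348332f81c89d1809f28ad6011"


def normalize_reg_path(path: str) -> str:
    """Map NT-native hive prefixes (the form the sandbox and 4663 audits use)
    to the HKLM/HKU form that Sysmon and most detection content use."""
    for native, short in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.upper().startswith(native):
            return short + path[len(native):]
    return path


def classify(event: dict) -> list:
    """Return the names of the report indicators this single event matches."""
    hits = []
    eid = event.get("EventID")

    if eid == 22 and NGROK_TCP_RE.match(event.get("QueryName", "")):
        hits.append("ngrok-tcp-tunnel")

    if eid == 4663:
        key = normalize_reg_path(event.get("ObjectName", "")).lower()
        # A 4663 audit names the key; the report names the EnableLUA value inside it.
        if key in (UAC_POLICY_KEY.lower(), UAC_POLICY_KEY.lower() + r"\enablelua"):
            hits.append("uac-policy-queried")

    if eid == 1:
        hashes = dict(kv.split("=", 1) for kv in event.get("Hashes", "").split(",") if "=" in kv)
        if hashes.get("SHA256", "").lower() == SAMPLE_SHA256:
            hits.append("known-sample-sha256")

    if eid == 4703 and "SeDebugPrivilege" in event.get("EnabledPrivilegeList", ""):
        hits.append("sedebugprivilege-enabled")

    return hits


def scan(lines) -> dict:
    """Scan JSON-lines telemetry and group matched indicators by process id."""
    by_pid = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for hit in classify(ev):
            by_pid.setdefault(ev.get("ProcessId"), set()).add(hit)
    return by_pid


def is_strong_match(hits) -> bool:
    """EnableLUA lookups are routine for benign installers, so on their own they
    are weak; require the outbound ngrok tunnel plus at least one host-side hit."""
    return "ngrok-tcp-tunnel" in hits and len(hits) >= 2


# Constructed sample telemetry (not captured from the sandbox run).
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessId": 2812, "Image": "C:\\Users\\user\\Desktop\\Test.exe", "Hashes": "SHA256=3981c3975a42b4a3a7bc68831787315ab5cde0348332f81c89d1809f28ad6011,MD5=c3e71798c4a13b13b7687a581403f3a6"}
{"EventID": 4663, "ProcessId": 2812, "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "Accesses": "Query key value"}
{"EventID": 4703, "ProcessId": 2812, "EnabledPrivilegeList": "SeDebugPrivilege"}
{"EventID": 22, "ProcessId": 2812, "QueryName": "0.tcp.in.ngrok.io"}
{"EventID": 22, "ProcessId": 4100, "QueryName": "www.mozilla.org"}
{"EventID": 4663, "ProcessId": 5208, "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "Accesses": "Query key value"}
"""

if __name__ == "__main__":
    for pid, hits in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        print(pid, "STRONG" if is_strong_match(hits) else "weak", sorted(hits))
```

Run as a script it prints one line per process that matched anything: pid 2812 comes out as a strong match on all four indicators, while pid 5208, which only touched the UAC policy key, is reported as weak. The path normalisation matters in practice: the sandbox (and 4663 audits) report the native \REGISTRY\MACHINE form, whereas most shared detection rules are written against HKLM, so a naive string compare would miss the hit.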
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory dump                                                        size
memory/2812-0-0x00000000752E2000-0x00000000752E3000-memory.dmp     4KB
memory/2812-1-0x00000000752E0000-0x0000000075891000-memory.dmp     5.7MB
memory/2812-2-0x00000000752E0000-0x0000000075891000-memory.dmp     5.7MB
memory/2812-4-0x00000000752E0000-0x0000000075891000-memory.dmp     5.7MB
memory/2812-5-0x00000000752E0000-0x0000000075891000-memory.dmp     5.7MB
memory/2812-6-0x00000000752E2000-0x00000000752E3000-memory.dmp     4KB
memory/2812-7-0x00000000752E0000-0x0000000075891000-memory.dmp     5.7MB
memory/2812-8-0x00000000752E0000-0x0000000075891000-memory.dmp     5.7MB