Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-06-2024 09:17
General

Target: randomfile.exe
Size: 210KB
MD5: 004d0d489f1547b76aa91465a2dbc99f
SHA1: c767780d3a0bf1edeead92605ce849a78f3041b6
SHA256: d09b1d9588c03e806ed27e7fe6bee63af7da8d332e719e5dc4579278722e6e99
SHA512: 07a90505965d89f9af718d7b15741b5064766dbf599219528ff1c59e70f99338904273f931b25728ead3dc65de41c8ed9cf43b18cca58d62bfc7b856d6cf9ccc
SSDEEP: 6144:wLV6Bta6dtJmakIM5j100ody3ydprVaaQE:wLV6Btpmk+G0l3faQE
Malware Config
Signatures

Checks whether UAC is enabled
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | randomfile.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes (pid | process):
  2104 | randomfile.exe
  2104 | randomfile.exe
  2104 | randomfile.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid | process):
  2104 | randomfile.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description | pid | process):
  Token: SeDebugPrivilege | 2104 | randomfile.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes (description | pid | process | target process):
  PID 2104 wrote to memory of 2948 | 2104 | randomfile.exe | schtasks.exe
  PID 2104 wrote to memory of 2948 | 2104 | randomfile.exe | schtasks.exe
  PID 2104 wrote to memory of 2948 | 2104 | randomfile.exe | schtasks.exe
Processes

C:\Users\Admin\AppData\Local\Temp\randomfile.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\randomfile.exe"
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2104

  C:\Windows\SysWOW64\schtasks.exe (child of PID 2104)
    Command line: "schtasks.exe" /create /f /tn "DDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD3DA.tmp"
    - Creates scheduled task(s)
    PID: 2948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3044,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
  PID: 3548
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD3DA.tmp
  Filesize: 1KB
  MD5: 5988267d30e4536e048a71ebf6ce2287
  SHA1: 908ffb7e1ede3b4861251acc3111b13d7673cc03
  SHA256: 20a81a8b3d82762db94c240a16c3a0728370dae1bbee6ab98339aac706002ed1
  SHA512: dea6b7c07570437197758a1b37710689d77a4b358f5bc39515cb7ace44590c2a58767708f8cac1570e1d0c808dcc48ecdd905809772b891ee9ce27ceba866748

memory/2104-0-0x0000000074EF2000-0x0000000074EF3000-memory.dmp
  Filesize: 4KB

memory/2104-1-0x0000000074EF0000-0x00000000754A1000-memory.dmp
  Filesize: 5.7MB

memory/2104-2-0x0000000074EF0000-0x00000000754A1000-memory.dmp
  Filesize: 5.7MB

memory/2104-7-0x0000000074EF0000-0x00000000754A1000-memory.dmp
  Filesize: 5.7MB

memory/2104-8-0x0000000074EF2000-0x0000000074EF3000-memory.dmp
  Filesize: 4KB

memory/2104-9-0x0000000074EF0000-0x00000000754A1000-memory.dmp
  Filesize: 5.7MB

memory/2104-10-0x0000000074EF0000-0x00000000754A1000-memory.dmp
  Filesize: 5.7MB