Analysis
- max time kernel: 142s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 06-07-2024 15:57
Behavioral task: behavioral1
- Sample: HOW TO BACK FILES.txt
- Resource: win7-20240220-en (windows7-x64)
- 7 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: HOW TO BACK FILES.txt
- Resource: win10v2004-20240704-en (windows10-2004-x64)
- 0 signatures
- 150 seconds
General
- Target: HOW TO BACK FILES.txt
- Size: 1KB
- MD5: 712690588810b1d262731f487d222f26
- SHA1: 7fa442dacf75173cb75ae1d57032df5aa3f7cba1
- SHA256: 185152bd1df7ef8b0ae6c044c5081a2552fb5f30995d903bcab1061cd0e79151
- SHA512: 7e8560376696dedf2c72e5a64092c11b97b2c746e4e75a9ee9008004bd8baf7c6d27bc3c73bfda238238ad519ac22337d00231ba26fc66a72c64ea1f9fb168e4
- Score: 1/10
Malware Config
Signatures
- Gathers network information (2 TTPs, 1 IoCs)
  Uses commandline utility to view network configuration.
  pid 2440, process ipconfig.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 2540, process taskmgr.exe (14 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 2540, process taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege; pid 2540, process taskmgr.exe
- Suspicious use of FindShellTrayWindow (40 IoCs)
  pid 2540, process taskmgr.exe (40 identical entries)
- Suspicious use of SendNotifyMessage (40 IoCs)
  pid 2540, process taskmgr.exe (40 identical entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2560 wrote to memory of 2440; pid 2560, process cmd.exe, procid_target 33 (3 identical entries)
Processes
- C:\Windows\system32\NOTEPAD.EXE
  command line: C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\HOW TO BACK FILES.txt"
  depth 1, PID 2016
- C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  depth 1, PID 2540
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\cmd.exe
  command line: "C:\Windows\system32\cmd.exe"
  depth 1, PID 2560
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\ipconfig.exe (spawned under PID 2560)
    command line: ipconfig
    depth 2, PID 2440
    - Gathers network information