Analysis
  max time kernel:   32s
  max time network:  17s
  platform:          windows7_x64
  resource:          win7-20240704-en
  resource tags:     arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted:         10-07-2024 21:03

Static task
  static1: 1 signatures
  6 signatures, 150 seconds
  8 signatures, 150 seconds
General
  Target:
  Size:    20.2MB
  MD5:     646eb320deeedf6981ed4402519078d9
  SHA1:    915465a9253180f67c9495c9e071514e923b2d15
  SHA256:  089ac110c34931eb457e76693b93c8b0ae4e2bdae8f5c6078faded756b87d38d
  SHA512:  63841a0748c041fcf8d52385d205a4ae08e9e46498ad896067ddd258a0e2c3f452102fd810ad4e79c4d95769b02c30c069ead8b5267f6566fb935d4c09036486
  SSDEEP:  196608:9LXQpHujTDH3zFE+VUqwcSN67m5izwLg:9LXQpOjTz3900wizwL
  Score:   5/10
Malware Config
Signatures
Drops file in System32 directory (2 IoCs)
  Processes: mmc.exe, mmc.exe

  description                    ioc                                Process
  File opened for modification   C:\Windows\system32\taskschd.msc   mmc.exe
  File opened for modification   C:\Windows\system32\taskschd.msc   mmc.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: mmc.exe

  pid    Process
  2972   mmc.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: mmc.exe, mmc.exe

  description                         pid    Process
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2532   mmc.exe
  Token: SeIncBasePriorityPrivilege   2532   mmc.exe
  Token: 33                           2972   mmc.exe
  Token: SeIncBasePriorityPrivilege   2972   mmc.exe
  Token: 33                           2972   mmc.exe
  Token: SeIncBasePriorityPrivilege   2972   mmc.exe
  Token: 33                           2972   mmc.exe
  Token: SeIncBasePriorityPrivilege   2972   mmc.exe
  Token: 33                           2972   mmc.exe
  Token: SeIncBasePriorityPrivilege   2972   mmc.exe
  Token: 33                           2972   mmc.exe
  Token: SeIncBasePriorityPrivilege   2972   mmc.exe
  Token: 33                           2972   mmc.exe
  Token: SeIncBasePriorityPrivilege   2972   mmc.exe
  Token: 33                           2972   mmc.exe
  Token: SeIncBasePriorityPrivilege   2972   mmc.exe
  Token: 33                           2972   mmc.exe
  Token: SeIncBasePriorityPrivilege   2972   mmc.exe
  Token: 33                           2972   mmc.exe
  Token: SeIncBasePriorityPrivilege   2972   mmc.exe
  Token: 33                           2972   mmc.exe
  Token: SeIncBasePriorityPrivilege   2972   mmc.exe
  Token: 33                           2972   mmc.exe
  Token: SeIncBasePriorityPrivilege   2972   mmc.exe
  Token: 33                           2972   mmc.exe
  Token: SeIncBasePriorityPrivilege   2972   mmc.exe
  Token: 33                           2972   mmc.exe
  Token: SeIncBasePriorityPrivilege   2972   mmc.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: mmc.exe, mmc.exe

  pid    Process
  2532   mmc.exe
  2532   mmc.exe
  2972   mmc.exe
  2972   mmc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: mmc.exe

  description                         pid    Process   procid_target
  PID 2532 wrote to memory of 2920    2532   mmc.exe   32
  PID 2532 wrote to memory of 2920    2532   mmc.exe   32
  PID 2532 wrote to memory of 2920    2532   mmc.exe   32
  PID 2532 wrote to memory of 2904    2532   mmc.exe   33
  PID 2532 wrote to memory of 2904    2532   mmc.exe   33
  PID 2532 wrote to memory of 2904    2532   mmc.exe   33
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\[email protected]
    PID: 2388

  1⤵ C:\Windows\system32\mmc.exe
       "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
       PID: 2532
       - Drops file in System32 directory
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory

    2⤵ C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
         dw20.exe -x -s 1140
         PID: 2920

    2⤵ C:\Windows\system32\WerFault.exe
         C:\Windows\system32\WerFault.exe -u -p 2532 -s 1144
         PID: 2904

  1⤵ C:\Windows\system32\mmc.exe
       "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
       PID: 2972
       - Drops file in System32 directory
       - Suspicious behavior: GetForegroundWindowSpam
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of SetWindowsHookEx