Analysis
-
max time kernel
108s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
11-07-2024 20:42
Behavioral task
behavioral1
Sample
playit.exe
Resource
win7-20240704-en
General
-
Target
playit.exe
-
Size
202KB
-
MD5
96922ff790264130780d92489a232eb0
-
SHA1
c75d43dbb381650ec0a9684867b968bf658a0304
-
SHA256
a4aa9acf04e3377f7d0fd23f0677e29cf885436ee18af02de049899a9ab62d61
-
SHA512
0e50f48171d151aca6006f158be6d08985c62e915a5ec46fa9e9e1dc18c38112b4261209158826b15a0c48e05ac26a5af87628e6b57212c0590f962a7a06809d
-
SSDEEP
3072:QzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIRpPl1W4F0MpeCWBxwEJcA:QLV6Bta6dtJmakIM56lY4yMpeCoxwEx
Malware Config
Signatures
-
Processes:
playit.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA playit.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
playit.exepid process 2488 playit.exe 2488 playit.exe 2488 playit.exe 2488 playit.exe 2488 playit.exe 2488 playit.exe 2488 playit.exe 2488 playit.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
playit.exepid process 2488 playit.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
playit.exedescription pid process Token: SeDebugPrivilege 2488 playit.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
playit.execmd.exedescription pid process target process PID 2488 wrote to memory of 2996 2488 playit.exe cmd.exe PID 2488 wrote to memory of 2996 2488 playit.exe cmd.exe PID 2488 wrote to memory of 2996 2488 playit.exe cmd.exe PID 2488 wrote to memory of 2996 2488 playit.exe cmd.exe PID 2996 wrote to memory of 780 2996 cmd.exe cmd.exe PID 2996 wrote to memory of 780 2996 cmd.exe cmd.exe PID 2996 wrote to memory of 780 2996 cmd.exe cmd.exe PID 2996 wrote to memory of 780 2996 cmd.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\playit.exe"C:\Users\Admin\AppData\Local\Temp\playit.exe"1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\ed728e44.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ed728e44.batFilesize
7B
MD545e0edaca8702e6e90d1d98cf3647d5f
SHA1ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228
SHA2567371f071a9a4e653a5afd134bce9c735ef74b0421d6988958e5c6d8a34feaa3b
SHA5125b92708f1d10777a3219892c9f5e5a2bb0af259004fb1f44aa3b0832859c31d07de3c8960f3f55bc56f206c2008f4d733380d3bb1d947e316123f5a5f8e92fa8
-
memory/2488-0-0x0000000073E71000-0x0000000073E72000-memory.dmpFilesize
4KB
-
memory/2488-1-0x0000000073E70000-0x000000007441B000-memory.dmpFilesize
5.7MB
-
memory/2488-2-0x0000000073E70000-0x000000007441B000-memory.dmpFilesize
5.7MB
-
memory/2488-7-0x0000000073E70000-0x000000007441B000-memory.dmpFilesize
5.7MB
-
memory/2488-8-0x0000000073E70000-0x000000007441B000-memory.dmpFilesize
5.7MB