ea221306b960eaf4a6fddfd974eb3ebc816835293cb5fde9df35726f205fab41

Analysis

max time kernel
1000s
max time network
870s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
15/07/2024, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Meinkraft.Server.DDoS.er.exe
Size

36.9MB
MD5

ed6657ce9577084b6200a5eda6acdc30
SHA1

f66db324a8fe1288ddeac1ff28eee309a7ee0b94
SHA256

ea221306b960eaf4a6fddfd974eb3ebc816835293cb5fde9df35726f205fab41
SHA512

a9c5773c570745481252df1e6db3fa228aa0fe8ff4da4fbc3ece75d93fd86e275b8b8146cfa663bf1d231774181f8be661f720947091e0c60f7b65882df1a56b
SSDEEP

786432:X00iE/44PHkNMaz/kWNCqhFLFLFLFLFLF6JaiRRbHXL:XfiTAHkNMaz/kWNjFLFLFLFLFLF6I0T7

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Meinkraft.Server.DDoS.er.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Meinkraft.Server.DDoS.er.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4448	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	2668	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2668	AUDIODG.EXE
Token: SeDebugPrivilege	4448	taskmgr.exe
Token: SeSystemProfilePrivilege	4448	taskmgr.exe
Token: SeCreateGlobalPrivilege	4448	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe
4448	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2004	Meinkraft.Server.DDoS.er.exe
2004	Meinkraft.Server.DDoS.er.exe

C:\Users\Admin\AppData\Local\Temp\Meinkraft.Server.DDoS.er.exe
"C:\Users\Admin\AppData\Local\Temp\Meinkraft.Server.DDoS.er.exe"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x200
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx

Filesize
397B

MD5
18f13d5d50365841e15f38ff3b576470

SHA1
925af99273268c571faa7d8aec4ae16b3710fd28

SHA256
f5a513d977e777f36d61dbd5e2be3c737ade51f304a712f7955244264303adb4

SHA512
61f12376bcb1b41bd791f4b757a28241472e0857d6e25b2456d98b5d8511af1ee69a94a1d288799eb459aa6172ac63988af26694a1df4813e01b4ffa8ac1a326

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx

Filesize
805B

MD5
60696dd79cd5633c5a7cec4d78cd1fff

SHA1
560ce285f48ed03a97680ae185904ecbda1be917

SHA256
db3409bfa1e5e40de98aabe33ce053931f6a4d964b6d0216cfec37311c3e11db

SHA512
67af0d0eac7e63c11ef8d15f83534a8195f84545bf2758679444d5ad947efa12452f029a78b83493e4e0cc64704ea64fc06cc6e9bf6d1f7131ade331315be16e

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx

Filesize
953B

MD5
a319da69df5043a3b779704c5fe1a4c5

SHA1
336e42e95ba2b55e3da62494ddecf9e56e517098

SHA256
1a8f15b04112e12a9e08656c4e807d5a1c3ccbb198663194ae0521d85aa20221

SHA512
4f789a9d8406bdc32089ce67e7889019a24e8b5322e5822b156b1f50c35cf6c23efa3ad9157da219714483c8b0898ca6a83072e4eaf9f32a65f8f1aa2edc3f88

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\openssl\cache\RevocationCacheFile.dat

Filesize
1024B

MD5
0f343b0931126a20f133d67c2b018a3b

SHA1
60cacbf3d72e1e7834203da608037b1bf83b40e8

SHA256
5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef

SHA512
8efb4f73c5655351c444eb109230c556d39e2c7624e9c11abc9e3fb4b9b9254218cc5085b454a9698d085cfa92198491f07a723be4574adc70617b73eb0b6461

Download Submit