Analysis
-
max time kernel
91s
-
max time network
79s
-
platform
windows10-1703_x64
-
resource
win10-20240404-en
-
resource tags
arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
-
submitted
20-07-2024 15:16
Behavioral task
behavioral1
Sample
FunChecker.zip
Resource
win10-20240404-en
windows10-1703-x64
6 signatures
150 seconds
General
-
Target
FunChecker.zip
-
Size
13.6MB
-
MD5
669dea55a11d260b90159e727d0fb6e2
-
SHA1
632d22f8eaacfbe16c12001e8df11c724d75d335
-
SHA256
35a2a6f94f05c505f822208734c2d31fb69aede9f963103855b4721585290605
-
SHA512
766d43c423df779cf9abc6819dd00342f2c8dfca054fbda466b256b5ff495cf58665d95dfe7e51af21f45c96b48ab94e155ef787feb072c3714df9c46e377b76
-
SSDEEP
393216:8+/9XsBVCRuMjbDgzBufO1GjXo1kUyVl/+Y:b94ongz2XekfVll
Score
4/10
Malware Config
Signatures
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | taskmgr.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1300 | taskmgr.exe
(64 identical entries, all PID 1300 taskmgr.exe)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1300 | taskmgr.exe
Token: SeSystemProfilePrivilege | 1300 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 1300 | taskmgr.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
1300 | taskmgr.exe
(64 identical entries, all PID 1300 taskmgr.exe)
-
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
1300 | taskmgr.exe
(64 identical entries, all PID 1300 taskmgr.exe)
Processes
-
C:\Windows\Explorer.exe
Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\FunChecker.zip
PID:3096
-
C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1300