Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 29-09-2024 11:21
Behavioral task: behavioral1
Sample: Sleezy Perm.exe
Resource: win7-20240729-en
windows7-x64
9 signatures
150 seconds
General
Target: Sleezy Perm.exe
Size: 203KB
MD5: de919cd81dbc73009cf1f2c7afa0261f
SHA1: 1035e1d6d8c6eeda52ecd7eedc50e3a0fc56fa4e
SHA256: e5adaf3c85de58d621239a61f334c27184d358190486f6d1b636091d4f28e267
SHA512: 4471e19a54ada2cff178bb4d37ad3a0aae447b41738e1733cf3d49dce88218114ea195cf51c6d94ee2d40daf3c3f407cee4966b70fe47f12cae85dfaa8c3a7ca
SSDEEP: 6144:MLV6Bta6dtJmakIM5pDr7rb2Wdkytz9s8:MLV6BtpmkYmWltJ
Malware Config
Signatures
Checks whether UAC is enabled
Processes:
description          ioc                                                                                     Process
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Sleezy Perm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 37 IoCs
Processes:
flow                                                                                                                                      ioc
2, 4, 6, 8, 10, 12, 14, 17, 19, 21, 23, 25, 27, 29, 31, 33, 35, 37, 39, 41, 43, 45, 47, 49, 51, 53, 55, 57, 59, 61, 63, 65, 67, 69, 71, 73, 75 (37 flows)   2.tcp.eu.ngrok.io
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Sleezy Perm.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid     Process
2116    Sleezy Perm.exe
2864    taskmgr.exe
(64 entries in the original listing, all for these two PIDs)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid     Process
2116    Sleezy Perm.exe
2864    taskmgr.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description               pid     Process
Token: SeDebugPrivilege   2116    Sleezy Perm.exe
Token: SeDebugPrivilege   2864    taskmgr.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid     Process
2864    taskmgr.exe
(64 entries in the original listing, all for this PID)
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid     Process
2864    taskmgr.exe
(64 entries in the original listing, all for this PID)
Processes
C:\Users\Admin\AppData\Local\Temp\Sleezy Perm.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Sleezy Perm.exe"
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID: 2116

C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2864