Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-09-2024 11:21
Behavioral task: behavioral1
Sample: Sleezy Perm.exe
Resource: win7-20240729-en
General
Target: Sleezy Perm.exe
Size: 203KB
MD5: de919cd81dbc73009cf1f2c7afa0261f
SHA1: 1035e1d6d8c6eeda52ecd7eedc50e3a0fc56fa4e
SHA256: e5adaf3c85de58d621239a61f334c27184d358190486f6d1b636091d4f28e267
SHA512: 4471e19a54ada2cff178bb4d37ad3a0aae447b41738e1733cf3d49dce88218114ea195cf51c6d94ee2d40daf3c3f407cee4966b70fe47f12cae85dfaa8c3a7ca
SSDEEP: 6144:MLV6Bta6dtJmakIM5pDr7rb2Wdkytz9s8:MLV6BtpmkYmWltJ
Malware Config
Signatures

Checks whether UAC is enabled 1 IoCs
Processes:
Process | Description | IOC
Sleezy Perm.exe | Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Legitimate hosting services abused for malware hosting/C2 1 TTPs 36 IoCs
Flow IDs | IOC
67, 71, 113, 27, 94, 123, 129, 42, 99, 110, 135, 137, 140, 80, 97, 121, 131, 6, 59, 105, 119, 20, 47, 69, 92, 29, 40, 62, 103, 115, 133, 38, 65, 101, 117, 142 (36 flows) | 2.tcp.eu.ngrok.io
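A practitioner triaging this row usually wants two things the flat list hides: how many flows went to each host, and whether the host belongs to a tunnelling service at all. The following Python is an added example, not code from the report or from the sample. It parses the row as the report prints it, with one constructed benign flow (flow 1 to www.example.com) appended so the filter has something to ignore, and matches hostnames against TUNNEL_SUFFIXES, an assumed short list of tunnel-provider parent domains that you would replace with your own policy list.

```python
"""Flag network flows to tunnelling services in a sandbox report.

Added example; not code from the sandbox report or from the sample.
FLOW_IOC_TEXT is the report's 'flow ioc' row plus one constructed benign
entry (flow 1 to www.example.com). TUNNEL_SUFFIXES is an assumed, short
list of parent domains under which tunnel providers allocate hostnames.
"""
import re
from collections import Counter

FLOW_IOC_TEXT = (
    "flow ioc "
    "67 2.tcp.eu.ngrok.io 71 2.tcp.eu.ngrok.io 113 2.tcp.eu.ngrok.io "
    "27 2.tcp.eu.ngrok.io 94 2.tcp.eu.ngrok.io 123 2.tcp.eu.ngrok.io "
    "129 2.tcp.eu.ngrok.io 42 2.tcp.eu.ngrok.io 99 2.tcp.eu.ngrok.io "
    "110 2.tcp.eu.ngrok.io 135 2.tcp.eu.ngrok.io 137 2.tcp.eu.ngrok.io "
    "140 2.tcp.eu.ngrok.io 80 2.tcp.eu.ngrok.io 97 2.tcp.eu.ngrok.io "
    "121 2.tcp.eu.ngrok.io 131 2.tcp.eu.ngrok.io 6 2.tcp.eu.ngrok.io "
    "59 2.tcp.eu.ngrok.io 105 2.tcp.eu.ngrok.io 119 2.tcp.eu.ngrok.io "
    "20 2.tcp.eu.ngrok.io 47 2.tcp.eu.ngrok.io 69 2.tcp.eu.ngrok.io "
    "92 2.tcp.eu.ngrok.io 29 2.tcp.eu.ngrok.io 40 2.tcp.eu.ngrok.io "
    "62 2.tcp.eu.ngrok.io 103 2.tcp.eu.ngrok.io 115 2.tcp.eu.ngrok.io "
    "133 2.tcp.eu.ngrok.io 38 2.tcp.eu.ngrok.io 65 2.tcp.eu.ngrok.io "
    "101 2.tcp.eu.ngrok.io 117 2.tcp.eu.ngrok.io 142 2.tcp.eu.ngrok.io "
    "1 www.example.com"  # constructed benign flow, not in the report
)

# Assumed mapping of parent domain -> provider; extend to match local policy.
TUNNEL_SUFFIXES = {
    "ngrok.io": "ngrok",
    "ngrok.app": "ngrok",
    "ngrok-free.app": "ngrok",
    "trycloudflare.com": "Cloudflare quick tunnel",
    "loca.lt": "localtunnel",
    "serveo.net": "serveo",
}

# Each IOC is "<flow id> <hostname>"; the report prints them space-separated.
FLOW_RE = re.compile(r"(\d+)\s+(\S+)")


def parse_flows(text):
    """Return [(flow_id, hostname), ...] from a 'flow ioc N host N host ...' row."""
    body = text.split("flow ioc", 1)[1]
    return [(int(n), host.lower()) for n, host in FLOW_RE.findall(body)]


def tunnel_provider(host):
    """Name the tunnel provider a hostname falls under, or None if it does not."""
    for suffix, provider in TUNNEL_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return None


def flagged_hosts(flows):
    """{hostname: (provider, flow_count)} for hosts under a tunnel provider."""
    counts = Counter(host for _, host in flows)
    return {h: (tunnel_provider(h), c) for h, c in counts.items() if tunnel_provider(h)}


if __name__ == "__main__":
    for host, (provider, n) in flagged_hosts(parse_flows(FLOW_IOC_TEXT)).items():
        print(f"{host}: {n} flows via {provider}")
```

An ngrok TCP endpoint such as 2.tcp.eu.ngrok.io is shared by many tunnels; the port number is what distinguishes one tunnel from another, and the report records only the hostname. The check above can therefore say "this host is ngrok" but not which tunnel, so a hostname-only block is appropriate only where tunnelling services are disallowed outright.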
Drops file in System32 directory 11 IoCs
Processes:
Process | Description | IOC
svchost.exe | File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs
svchost.exe | File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk
svchost.exe | File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk
svchost.exe | File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log
svchost.exe | File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx
svchost.exe | File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs
svchost.exe | File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm
svchost.exe | File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat
svchost.exe | File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat
svchost.exe | File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp
svchost.exe | File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log
Note: this svchost.exe instance (PID 2968) hosts the Data Sharing Service (DsSvc, see the process list), and the DataSharing\Storage directory holds that service's own ESE database and log files. This is routine OS housekeeping inside the sandbox, not files written by the sample.
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Process | Description | IOC
Sleezy Perm.exe | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Sleezy Perm.exe | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Note: the two rows come from the two instances of the sample in the process list (PIDs 3184 and 3396); each instance read the key once.
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
Process | Description | IOC
taskmgr.exe | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000
taskmgr.exe | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
taskmgr.exe | Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName
Note: all three reads are attributed to taskmgr.exe (PID 804), a separate top-level process, not to the sample. This signature is therefore not evidence that Sleezy Perm.exe fingerprints its environment.
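The three registry signatures above (EnableLUA, NLS\Language and Enum\SCSI) are each a single key access attributed to a process, and the useful triage step is to regroup them by process so that what the sample did is separated from what Task Manager and Paint did while the sandbox was interacting with the desktop. The following Python is an added example, not code from the report or from the sample: EVENTS is constructed from the IOC rows above, and RULES is an assumed minimal rule set named after the report's own signatures.

```python
"""Attribute registry-access IOCs from a sandbox report to signatures and processes.

Added example; not code from the sandbox report or from the sample. EVENTS is
constructed from the IOC rows in the report; RULES is an assumed minimal rule
set keyed on registry-path suffixes, named after the report's own signatures.
"""
import re

# Operation prefixes as printed in the report's IOC rows.
OPERATIONS = ("Key value queried", "Key opened", "Key created")

# Process names appearing in the report. Needed because both a process name
# ("Sleezy Perm.exe") and a key path ("...\Local Settings") may contain spaces,
# so a naive split on whitespace would mis-assign the process column.
KNOWN_PROCESSES = ("Sleezy Perm.exe", "taskmgr.exe", "mspaint.exe", "svchost.exe")

# (required operation or None, regex on the key path, signature name)
RULES = (
    (None, re.compile(r"\\Policies\\System\\EnableLUA$", re.I),
     "Checks whether UAC is enabled"),
    (None, re.compile(r"\\Control\\NLS\\Language$", re.I),
     "System Location Discovery: System Language Discovery"),
    (None, re.compile(r"\\Enum\\SCSI\\", re.I),
     "Checks SCSI registry key(s)"),
    ("Key created", re.compile(r"_Classes\\", re.I),
     "Modifies registry class"),
)

# Constructed from the report's IOC rows (operation, key path, process).
EVENTS = [
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Sleezy Perm.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Sleezy Perm.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe",
    r"Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings mspaint.exe",
]


def parse_event(line):
    """Split 'Key opened \\REGISTRY\\... taskmgr.exe' into (operation, path, process)."""
    op = next((o for o in OPERATIONS if line.startswith(o + " ")), None)
    if op is None:
        raise ValueError(f"unknown operation in {line!r}")
    rest = line[len(op) + 1:]
    for proc in KNOWN_PROCESSES:  # longest-suffix match against known names
        if rest.endswith(" " + proc):
            return op, rest[:-len(proc) - 1], proc
    raise ValueError(f"no known process at end of {line!r}")


def classify(lines):
    """Map process name -> set of signature names its registry accesses match."""
    hits = {}
    for line in lines:
        op, path, proc = parse_event(line)
        for need_op, pattern, sig in RULES:
            if (need_op is None or op == need_op) and pattern.search(path):
                hits.setdefault(proc, set()).add(sig)
    return hits


def sample_signatures(hits, sample):
    """Signatures raised by the submitted sample itself, ignoring other processes."""
    return sorted(hits.get(sample, ()))


if __name__ == "__main__":
    for proc, sigs in classify(EVENTS).items():
        print(f"{proc}: {', '.join(sorted(sigs))}")
```

Run against the constructed EVENTS, sample_signatures(classify(EVENTS), "Sleezy Perm.exe") returns only the UAC and language-discovery signatures; the SCSI reads stay with taskmgr.exe and the registry-class write with mspaint.exe, which is the attribution a report reader has to recover by hand from the flat tables.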
Modifies registry class 2 IoCs
Processes:
Process | Description | IOC
mspaint.exe | Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings
taskmgr.exe | Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
PID | Process | Events
3184 | Sleezy Perm.exe | 25
804 | taskmgr.exe | 37
5092 | mspaint.exe | 2
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
PID | Process
3184 | Sleezy Perm.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
Process | PID | Description
Sleezy Perm.exe | 3184 | Token: SeDebugPrivilege
taskmgr.exe | 804 | Token: SeDebugPrivilege
taskmgr.exe | 804 | Token: SeSystemProfilePrivilege
taskmgr.exe | 804 | Token: SeCreateGlobalPrivilege
Note: the row that matters is the sample (PID 3184) enabling SeDebugPrivilege, which it needs to open other users' and system processes; Task Manager enabling the same privileges is its normal behaviour.
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
PID | Process | Events
804 | taskmgr.exe | 64
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
PID | Process | Events
804 | taskmgr.exe | 64
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
PID | Process
5092 | mspaint.exe
432 | OpenWith.exe
Processes
Every entry below carries the report's level-1 tree marker, so none is shown as a child of another listed process.

C:\Users\Admin\AppData\Local\Temp\Sleezy Perm.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Sleezy Perm.exe"
PID: 3184
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
PID: 804
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

C:\Windows\system32\mspaint.exe
Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\FormatInitialize.jfif" /ForceBootstrapPaint3D
PID: 5092
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
PID: 2968
- Drops file in System32 directory

C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
PID: 432
- Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 3180

C:\Users\Admin\AppData\Local\Temp\Sleezy Perm.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Sleezy Perm.exe"
PID: 3396
- System Location Discovery: System Language Discovery