Analysis
max time kernel: 107s
max time network: 117s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30-09-2024 00:00
Behavioral task: behavioral1
Sample: ea69951896685ab2f6a88969e5448d529783d9465457240ee1353b0c393268adN.exe
Resource: win7-20240903-en
General
Target: ea69951896685ab2f6a88969e5448d529783d9465457240ee1353b0c393268adN.exe
Size: 210KB
MD5: 55f18ff212586f3a44b9e43e17b01180
SHA1: 13ff9ce74942f561ae08055236d1e184fb20dd49
SHA256: ea69951896685ab2f6a88969e5448d529783d9465457240ee1353b0c393268ad
SHA512: 5dcbdc9d296d441614e18530b35b0cbd921eb155d2abee38ae67c6fbb0bc821cfe48f793ae9172e799d9f1382fd925b2ec5131799fda9d32608e7170c52f5ae7
SSDEEP: 3072:yzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIkS2X6ecnziHRCWuzu/gBuFAU8:yLV6Bta6dtJmakIM5A2GnWaQgyhM3
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Process: ea69951896685ab2f6a88969e5448d529783d9465457240ee1353b0c393268adN.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files\\SCSI Service\\scsisvc.exe"

Checks whether UAC is enabled (1 IoC)
Process: ea69951896685ab2f6a88969e5448d529783d9465457240ee1353b0c393268adN.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Note: the Run value above lives under HKLM and the dropped copy under C:\Program Files; both locations need an elevated token to write to, so the EnableLUA read is consistent with the sample checking UAC state before attempting a machine-wide install.

Drops file in Program Files directory (2 IoCs)
Process: ea69951896685ab2f6a88969e5448d529783d9465457240ee1353b0c393268adN.exe
File created: C:\Program Files\SCSI Service\scsisvc.exe
File opened for modification: C:\Program Files\SCSI Service\scsisvc.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 3056: schtasks.exe
PID 2988: schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
PID 2112: ea69951896685ab2f6a88969e5448d529783d9465457240ee1353b0c393268adN.exe (3 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 2112: ea69951896685ab2f6a88969e5448d529783d9465457240ee1353b0c393268adN.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, PID 2112, ea69951896685ab2f6a88969e5448d529783d9465457240ee1353b0c393268adN.exe (2 occurrences)

Suspicious use of WriteProcessMemory (6 IoCs)
PID 2112 (ea69951896685ab2f6a88969e5448d529783d9465457240ee1353b0c393268adN.exe) wrote to memory of PID 3056, procid_target 30 (3 occurrences)
PID 2112 (ea69951896685ab2f6a88969e5448d529783d9465457240ee1353b0c393268adN.exe) wrote to memory of PID 2988, procid_target 32 (3 occurrences)
Note: all six writes go into the sample's own freshly spawned schtasks.exe children (three per child, at creation), which is the pattern of a parent setting up a new process; no write into an unrelated process appears in this report.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
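What `schtasks /create /xml` consumes is a Task Scheduler XML definition. The report does not show the content of tmpC552.tmp or tmpC69A.tmp, so the block below triages a constructed task file of the same shape instead (added example, not from the report or the sample): the triggers, RunLevel, Hidden setting and Exec command are assumptions, with the command path set to the one the Run key points at. It handles the UTF-16 encoding these files are normally written in and pulls out what an analyst wants first: which triggers start the task, what it runs, and whether it asks for highest privileges or hides itself.

```python
import codecs
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (schtasks /xml and the COM API use this schema).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Triggers that fire without user interaction and so amount to autostart persistence.
PERSISTENCE_TRIGGERS = {"BootTrigger", "LogonTrigger", "RegistrationTrigger"}

# Constructed task definition; NOT the content of the .tmp files in the report.
# Encoded as UTF-16 with a BOM because that is how task XML is usually stored.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\SCSI Service\scsisvc.exe</Command>
    </Exec>
  </Actions>
</Task>
""".encode("utf-16")


def parse_task(data: bytes) -> ET.Element:
    """Decode a task XML file (UTF-16 with BOM, or UTF-8) and return its root element."""
    if data[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
        text = data.decode("utf-16")      # the codec consumes the BOM
    else:
        text = data.decode("utf-8-sig")
    # The declaration's encoding no longer describes the str we hand to the parser,
    # and expat rejects a multi-byte encoding declared on str input, so drop it.
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring(text)


def local_name(el: ET.Element) -> str:
    """Strip the namespace from an element tag: '{ns}BootTrigger' -> 'BootTrigger'."""
    return el.tag.rsplit("}", 1)[-1]


def triage_task(data: bytes) -> dict:
    """Summarise the parts of a task definition that matter for persistence triage."""
    root = parse_task(data)
    triggers_el = root.find("t:Triggers", NS)
    triggers = [] if triggers_el is None else [local_name(t) for t in triggers_el]
    actions = [
        (e.findtext("t:Command", default="", namespaces=NS).strip(),
         e.findtext("t:Arguments", default="", namespaces=NS).strip())
        for e in root.iterfind(".//t:Exec", NS)
    ]
    run_level = root.findtext(".//t:Principal/t:RunLevel", default="LeastPrivilege", namespaces=NS)
    hidden_txt = root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=NS)
    return {
        "triggers": triggers,
        "actions": actions,                      # list of (command, arguments)
        "run_level": run_level,                  # HighestAvailable = asks for admin token
        "hidden": hidden_txt.strip().lower() == "true",
        "autostart": bool(PERSISTENCE_TRIGGERS & set(triggers)),
    }


if __name__ == "__main__":
    for key, value in triage_task(SAMPLE_TASK_XML).items():
        print(f"{key}: {value}")
```

When the real .tmp files are available from the sandbox, feed their raw bytes to `triage_task`; a task whose Exec command matches the Run-key target, as in this report's layout, means the same binary is registered twice for autostart.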
Processes
C:\Users\Admin\AppData\Local\Temp\ea69951896685ab2f6a88969e5448d529783d9465457240ee1353b0c393268adN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ea69951896685ab2f6a88969e5448d529783d9465457240ee1353b0c393268adN.exe"
  PID: 2112
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  +-- C:\Windows\system32\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC552.tmp"
      PID: 3056
      - Scheduled Task/Job: Scheduled Task
  +-- C:\Windows\system32\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC69A.tmp"
      PID: 2988
      - Scheduled Task/Job: Scheduled Task
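The process tree above shows the whole persistence chain from one parent: a binary in the user's Temp directory drops a copy under Program Files, registers it under the HKLM Run key, and twice calls schtasks.exe with an XML definition that also sits in Temp. The block below turns that into detection logic and runs it over constructed Sysmon-style events (added example, not part of the sandbox report): field names follow Sysmon Event IDs 1, 11 and 13; the PIDs, paths and command lines are taken from this report; the "Vendor" installer event is an invented benign control so the rules can be seen not to fire on an ordinary task created from Program Files.

```python
import re

# Constructed events in Sysmon's field vocabulary (Event ID 1 = process create,
# 11 = file create, 13 = registry value set). PIDs, paths and command lines come
# from the report; the registry path keeps the native form the report prints.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\ea69951896685ab2f6a88969e5448d529783d9465457240ee1353b0c393268adN.exe")
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
EVENTS = [
    {"EventID": 11, "ProcessId": 2112, "Image": SAMPLE_EXE,
     "TargetFilename": r"C:\Program Files\SCSI Service\scsisvc.exe"},
    {"EventID": 13, "ProcessId": 2112, "Image": SAMPLE_EXE,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SCSI Service",
     "Details": r"C:\Program Files\SCSI Service\scsisvc.exe"},
    {"EventID": 1, "ProcessId": 3056, "ParentProcessId": 2112, "ParentImage": SAMPLE_EXE,
     "Image": SCHTASKS,
     "CommandLine": r'"schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC552.tmp"'},
    {"EventID": 1, "ProcessId": 2988, "ParentProcessId": 2112, "ParentImage": SAMPLE_EXE,
     "Image": SCHTASKS,
     "CommandLine": r'"schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC69A.tmp"'},
    # Constructed benign control: an installer under Program Files creating its own task.
    {"EventID": 1, "ProcessId": 4000, "ParentProcessId": 3900,
     "ParentImage": r"C:\Program Files\Vendor\setup.exe", "Image": SCHTASKS,
     "CommandLine": r'"schtasks.exe" /create /tn "VendorUpdate" /xml "C:\Program Files\Vendor\update.xml"'},
]

# Paths any local user can write to; task definitions or autorun targets there are suspect.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Per-machine and per-user autorun keys (the report's write is the HKLM one).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


def schtasks_xml_path(cmdline: str):
    """Return the /xml file path from a 'schtasks /create' command line, else None."""
    if not re.search(r"(?<!\S)/create\b", cmdline, re.IGNORECASE):
        return None
    m = re.search(r'/xml\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def detect(events):
    """Apply the two persistence rules to an event stream; returns a list of alert dicts."""
    alerts = []
    files_created = {}  # pid -> set of lowercased paths seen in Event ID 11
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            files_created.setdefault(ev["ProcessId"], set()).add(ev["TargetFilename"].lower())
        elif eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            # Run value written by a process that itself just dropped the target binary.
            target = ev["Details"].strip('"').lower()
            alerts.append({
                "rule": "run_key_persistence",
                "pid": ev["ProcessId"],
                "value": ev["TargetObject"],
                "target": ev["Details"],
                "self_installed": target in files_created.get(ev["ProcessId"], set()),
            })
        elif eid == 1 and ev["Image"].lower().endswith("\\schtasks.exe"):
            xml_path = schtasks_xml_path(ev["CommandLine"])
            if xml_path and USER_WRITABLE.search(xml_path):
                alerts.append({
                    "rule": "schtasks_xml_from_user_dir",
                    "pid": ev["ProcessId"],
                    "xml": xml_path,
                    "parent_in_user_dir": bool(USER_WRITABLE.search(ev.get("ParentImage", ""))),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The file-create correlation is what separates this from a plain Run-key rule: a Run value that points at a binary the same process just wrote is a self-install, not a legitimate installer updating an existing product. The `/xml` rule keys on where the definition file lives rather than on the task name, since the name ("SCSI Service") is chosen by the malware and would not survive a rebuild.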
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1
Downloads

File 1
Filesize: 1KB
MD5: 1a1cbfe21aacb86f1d4976046c6640b6
SHA1: 22e26ed1140a0d2a6118ad2fe635bfd04d6de57c
SHA256: 41b4f5c561210f887a5d7d88093a988a7a5961e8619817845f23c80e37566827
SHA512: 4a4fe0f16385758288f4b79947dafb3c50a1d05a68aaafc2d2bfbad9ba73ffa971debb34d0086598ce9d0a4bc93d2b0de9a38881b50fc1fe4da857b52f501297

File 2
Filesize: 1KB
MD5: 03b35b542b6a63355b2de249a1a53fa8
SHA1: 7493a0d88637bc0efb1df431fcb0c4867216d018
SHA256: abaa6188118cf01bce455185aa643a46b8f6a99cd9484bcd969116f7a3af4061
SHA512: 98926ef6945d0b61f5b76b33921f57daa0527526f6ae041cbdf21d887aa1f0342711b58bd7820048c9563ddf4fa6ce00fc5c2bc4f59cb06b42fbe4417e9f8230