Analysis
  max time kernel: 150s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 17-10-2024 15:40

Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20240903-en
General
  Target: file.exe
  Size: 553KB
  MD5: b6a413057aff513253600024455b806d
  SHA1: 6db45c473adbdf60f4a57e46468f4d15e0547213
  SHA256: 1e4d548172c9ed335ba2d27c2476d9bd8751b1a50361fa27b5ebc87b5a21d9fe
  SHA512: bf9d9c068a6ad30aac6d13defd0324d27fc6d24ffdde301bb6b987e41a48a81ec0e6d517ab0d0c9c4fb25688a15527bde1ef4f09ca6f7805a356bbd2c7c4d8c2
  SSDEEP: 12288:CLV6Btpmk1snK2GEAx+uQQypWTKKoIXpV8mwetC370wA4A50hCEk:gApf1sKPYuQPpjKoIkNIwyAi
Malware Config
Signatures
Checks whether UAC is enabled
Processes:
  description       | ioc                                                                                  | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | file.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc                                                         | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | file.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid  | Process
  3540 | file.exe (6 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid  | Process
  3540 | file.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description              | pid  | Process
  Token: SeDebugPrivilege  | 3540 | file.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                      | pid  | Process  | procid_target
  PID 3540 wrote to memory of 3388 | 3540 | file.exe | 89 (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\file.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Checks whether UAC is enabled
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 3540
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "PCI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp81E2.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 3388
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 1KB
  MD5: 5719058dd234db87508ef2540e5d8ff0
  SHA1: 669c8d71202ab3321e6619871705c06864b9c2bd
  SHA256: 74d2ad38b4aa2c15240fd3dcbf8b348c068f94e4ee6b2a9a77672912abe1cb2e
  SHA512: 6cc9107fcf2d73543f3ae2a76b4bcd63b24b8a5156abe247f26a396d00f8afa1d8a3aeb6ec5cc56e62391fff44fef9c0716e8cb47b10a9f1feb4b03f40662790