Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 01:05
Static task
static1
Behavioral task
behavioral1
Sample
Client4.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Client4.exe
Resource
win10v2004-20241007-en
General
-
Target
Client4.exe
-
Size
532KB
-
MD5
6d2e4a0fa025c3f4f73ec8d739112492
-
SHA1
211336573950a59f7e71d25ddef3be6ea74e009a
-
SHA256
7d2e8f5dab4586a438b2360ff399b86ed9d0c72f0324fe21d83dedc0e863304f
-
SHA512
894a4f0fdbad0172b64ccbeea91ae544678dd1fa924577b20fe1a7c3d21f53917618fb01464b8c8771343eb73bce49bd7a61bfc1a91ea4931bb9c1754f6d1aff
-
SSDEEP
6144:k2sShSigjcPMN6H0PbPTOhsfebU8tSOtVmbNMczZWBbw6dJq16HsD:7L5PMN6Hu7OqcntVmbu3JpM
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
Client4.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\WindowsDefender" Client4.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Client4.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Windows\\Windows Defender" Client4.exe -
Drops file in Windows directory 4 IoCs
Processes:
Client4.exedescription ioc Process File created C:\Windows\WindowsDefender Client4.exe File opened for modification C:\Windows\WindowsDefender Client4.exe File created C:\Windows\Windows Defender Client4.exe File opened for modification C:\Windows\Windows Defender Client4.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Client4.exepid Process 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe 2248 Client4.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Client4.exedescription pid Process Token: SeDebugPrivilege 2248 Client4.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Client4.exeCMD.exedescription pid Process procid_target PID 2248 wrote to memory of 2712 2248 Client4.exe 31 PID 2248 wrote to memory of 2712 2248 Client4.exe 31 PID 2248 wrote to memory of 2712 2248 Client4.exe 31 PID 2712 wrote to memory of 2740 2712 CMD.exe 33 PID 2712 wrote to memory of 2740 2712 CMD.exe 33 PID 2712 wrote to memory of 2740 2712 CMD.exe 33 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client4.exe"C:\Users\Admin\AppData\Local\Temp\Client4.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\system32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "System" /tr "C:\Windows\WindowsDefender" & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "System" /tr "C:\Windows\WindowsDefender"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2740
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1