Analysis
- max time kernel: 1151s
- max time network: 1139s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2024 23:52
Behavioral task: behavioral1
- Sample: New Client.exe
- Resource: win10v2004-20241007-en
General
- Target: New Client.exe
- Size: 65KB
- MD5: ed689865c39b6ef12d27909bad36afe0
- SHA1: f6e672c9a38ff700a8eda0ec996db345a1b2cb69
- SHA256: 93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791
- SHA512: c1438eef5909e753f332129ca5ca66f12f91e14e82ae41482b987e6cfc3355861815fb59571afb629293b1c7327c44ca8034716bd74c4db0251f933dc6c287d8
- SSDEEP: 1536:zWnyCIUoN36tXQviFw1IssUBnvAQIfLteF3nLrB9z3nQaF9bES9vM:zWnyCIUoN36tXQviFCbRBnNIfWl9zAa0
Malware Config
Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | New Client.exe

- Drops startup file (4 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\discord.url | taskmgr.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.exe | discord.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.exe | discord.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.url | discord.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  1844 | discord.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\discord.exe\" .." | discord.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\discord.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\discord.exe\" .." | discord.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow | ioc
  20 | pastebin.com
  21 | pastebin.com

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | New Client.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | discord.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | choice.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe

- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | Process
  3548 | taskmgr.exe (9 identical entries)

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1844 | discord.exe (1 entry)
  Token: 33 | 1844 | discord.exe (29 entries, alternating with the next row)
  Token: SeIncBasePriorityPrivilege | 1844 | discord.exe (29 entries)
  Token: SeDebugPrivilege | 3548 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 3548 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 3548 | taskmgr.exe
  Token: 33 | 3548 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 3548 | taskmgr.exe

- Suspicious use of FindShellTrayWindow (35 IoCs)
  pid | Process
  3548 | taskmgr.exe (35 identical entries)

- Suspicious use of SendNotifyMessage (35 IoCs)
  pid | Process
  3548 | taskmgr.exe (35 identical entries)

- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4060 wrote to memory of 1844 | 4060 | New Client.exe | 84 (3 identical entries)
  PID 4060 wrote to memory of 3140 | 4060 | New Client.exe | 85 (3 identical entries)
  PID 3140 wrote to memory of 3868 | 3140 | cmd.exe | 89 (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\New Client.exe (PID 4060)
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\discord.exe (PID 1844, child of 4060)
    Command line: "C:\Users\Admin\AppData\Local\Temp\discord.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 3140, child of 4060)
    Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe (PID 3868, child of 3140)
      Command line: choice /C Y /N /D Y /T 5
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\taskmgr.exe (PID 3548)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops startup file
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 65KB
  MD5: ed689865c39b6ef12d27909bad36afe0
  SHA1: f6e672c9a38ff700a8eda0ec996db345a1b2cb69
  SHA256: 93f13afc6fb08fbc77cf965e24af63a3d62826946df4e7c89d1a159c7f6a2791
  SHA512: c1438eef5909e753f332129ca5ca66f12f91e14e82ae41482b987e6cfc3355861815fb59571afb629293b1c7327c44ca8034716bd74c4db0251f933dc6c287d8
- Filesize: 178B
  MD5: 3b35148d7661e41a89ded2a167b81bd2
  SHA1: 3341e6e2522b5f2c39aefe0f752550acbd143ad7
  SHA256: 8375823df91f6dc9d9fc09a83303bdea778eef761f577bbedeccf00eeda7129c
  SHA512: 8cc6e258f8c531230bc6ef4ac778c8f10cf971ba992f63b2847bd3c93c76c884428cee8d337274ef58a782c89a82817cd288e897bed2557da330397b00be8683