Analysis
max time kernel: 36s
max time network: 39s
platform: windows11-21h2_x64
resource: win11-20241023-en
resource tags: arch:x64, arch:x86, image:win11-20241023-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 22-12-2024 04:46
Behavioral task: behavioral1
Sample: New Client.exe
Resource: win11-20241023-en (windows11-21h2-x64)
6 signatures
150 seconds
General
Target: New Client.exe
Size: 164KB
MD5: c0176890b7a76bc4b4361994288794ec
SHA1: fad41ab4f12c10d01609f3d9c821baeab407304f
SHA256: 62cdff077aa0bd67d1b52e1d5e5b5aa34ec9e74dd2d2440f6b02d2f73a249b6e
SHA512: 82509544d7637b7d87ca04e3335bd36816683e17f34787523556b2c35816770f36f5166fa022565f37b1b0c1898031266bf618f0fdec92fabbe5efa240e919e3
SSDEEP: 3072:j6GN/4ZmTcci+ui9vhggOYyKqvO5ctEs+SNwCUbEM09a8U:j6f+ui9vq4qvAsNNObTO
Score: 6/10
Malware Config
Signatures

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
flow | ioc
1 | 6.tcp.eu.ngrok.io

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | New Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
400 | cmd.exe
5044 | PING.EXE

Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
5044 | PING.EXE

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3044 | New Client.exe
Token: 33 | 3044 | New Client.exe
Token: SeIncBasePriorityPrivilege | 3044 | New Client.exe
Token: 33 | 3044 | New Client.exe
Token: SeIncBasePriorityPrivilege | 3044 | New Client.exe
Token: 33 | 3044 | New Client.exe
Token: SeIncBasePriorityPrivilege | 3044 | New Client.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 3044 wrote to memory of 3324 | 3044 | New Client.exe | 79
PID 3044 wrote to memory of 3324 | 3044 | New Client.exe | 79
PID 3044 wrote to memory of 3324 | 3044 | New Client.exe | 79
PID 3044 wrote to memory of 2864 | 3044 | New Client.exe | 81
PID 3044 wrote to memory of 2864 | 3044 | New Client.exe | 81
PID 3044 wrote to memory of 2864 | 3044 | New Client.exe | 81
PID 3044 wrote to memory of 400 | 3044 | New Client.exe | 83
PID 3044 wrote to memory of 400 | 3044 | New Client.exe | 83
PID 3044 wrote to memory of 400 | 3044 | New Client.exe | 83
PID 400 wrote to memory of 5044 | 400 | cmd.exe | 85
PID 400 wrote to memory of 5044 | 400 | cmd.exe | 85
PID 400 wrote to memory of 5044 | 400 | cmd.exe | 85
Processes

C:\Users\Admin\AppData\Local\Temp\New Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
  PID: 3044
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /Delete /tn NYAN /F
    PID: 3324
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /Delete /tn NYANP /F
    PID: 2864
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
    PID: 400
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 0 -n 2
      PID: 5044
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe