Overview

overview

10

Static

static

10

Perm.exe

windows7-x64

3

Perm.exe

windows10-2004-x64

4

Analysis

  • max time kernel
    146s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    30/03/2025, 04:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Perm.exe

  • Size

    164KB

  • MD5

    08cc4c87314d8c879928c346ecb0e598

  • SHA1

    75b97801226c54fdd1d47b9590d64e0f48b9e35c

  • SHA256

    08a7b6d933538350b7634e495a43a3bbc758e824cc4dbf75a2bce1d32c82d252

  • SHA512

    acd5202dd036b2f78945efd200b3feb428e382db2fbc7a17ef66fdc77811813b91a7cd4145922a1156a730740510e05b03d5c975f76c04135cdef780084750e5

  • SSDEEP

    3072:Cb56/a6rnl+OZYET34CNUfETJRg3IbgNeNYcGzl:CbAej5fEDgYbgzcGz

Score
3/10
discovery

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 8 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Perm.exe
    "C:\Users\Admin\AppData\Local\Temp\Perm.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM wscript.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM cmd.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1016
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYAN /F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2856
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Perm.exe" /sc minute /mo 1
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2600
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 1016
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2224
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {0E1B5A7D-CCD7-43F5-9874-913229722075} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Users\Admin\AppData\Local\Temp\Perm.exe
      C:\Users\Admin\AppData\Local\Temp\Perm.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /F /IM wscript.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2620
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /F /IM cmd.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1444
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Delete /tn NYAN /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1608
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Perm.exe" /sc minute /mo 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2588
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 628
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2664
    • C:\Users\Admin\AppData\Local\Temp\Perm.exe
      C:\Users\Admin\AppData\Local\Temp\Perm.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /F /IM wscript.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1516
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /F /IM cmd.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1612
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Delete /tn NYAN /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2040
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Perm.exe" /sc minute /mo 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2172
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 624
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2164
    • C:\Users\Admin\AppData\Local\Temp\Perm.exe
      C:\Users\Admin\AppData\Local\Temp\Perm.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2208
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /F /IM wscript.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2120
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /F /IM cmd.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2296
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Delete /tn NYAN /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2564
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Perm.exe" /sc minute /mo 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1868
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 624
        3⤵
        • System Location Discovery: System Language Discovery
        PID:488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1488-0-0x0000000073D81000-0x0000000073D82000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-2-0x0000000073D80000-0x000000007432B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1488-1-0x0000000073D80000-0x000000007432B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1488-12-0x0000000073D80000-0x000000007432B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1488-13-0x0000000073D80000-0x000000007432B000-memory.dmp

    Filesize

    5.7MB

    Download