Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 13-11-2021 19:00
Behavioral task: behavioral1
- Sample: Server.exe
- Resource: win7-en-20211014 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: Server.exe
- Resource: win10-en-20211104 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: Server.exe
- Size: 106KB
- MD5: d1670745ce45373164c84b0640a71308
- SHA1: 7b8806732eb7f50a5130f5118af76a5941a567ee
- SHA256: 52cc89dc0256a010e79f40a788658705fd7f98a76055fc6a443870523c89464b
- SHA512: dc3c08c62f088a249014f9250c03258f6e807c63b4e4945d2a308c64ef87c5fb1cc203c52276fe5ee6837ae8a734e245c65721e6b616586d4d507031e0d03849
- Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  | pid  | process    |
  | 1664 | Server.exe |
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes: the report lists 33 token entries for pid 1664 (Server.exe): one SeDebugPrivilege entry followed by 16 alternating pairs of "Token: 33" and "Token: SeIncBasePriorityPrivilege".
  | description                       | pid  | process    | count |
  | Token: SeDebugPrivilege           | 1664 | Server.exe | 1     |
  | Token: 33                         | 1664 | Server.exe | 16    |
  | Token: SeIncBasePriorityPrivilege | 1664 | Server.exe | 16    |
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: four writes from pid 1664 (Server.exe) into each of three netsh.exe child processes.
  | description        | pid  | process    | target PID | target process | count |
  | wrote to memory of | 1664 | Server.exe | 1364       | netsh.exe      | 4     |
  | wrote to memory of | 1664 | Server.exe | 1608       | netsh.exe      | 4     |
  | wrote to memory of | 1664 | Server.exe | 1956       | netsh.exe      | 4     |
Processes
- C:\Users\Admin\AppData\Local\Temp\Server.exe (process tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (process tree level 2)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
  - C:\Windows\SysWOW64\netsh.exe (process tree level 2)
    Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  - C:\Windows\SysWOW64\netsh.exe (process tree level 2)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1364-57-0x0000000000000000-mapping.dmp
- memory/1608-59-0x0000000000000000-mapping.dmp
- memory/1664-55-0x00000000762D1000-0x00000000762D3000-memory.dmp (Filesize: 8KB)
- memory/1664-56-0x0000000002100000-0x0000000002101000-memory.dmp (Filesize: 4KB)
- memory/1956-60-0x0000000000000000-mapping.dmp