Overview

overview

10

Static

static

10

Server.exe

windows7_x64

8

Server.exe

windows10_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    13-11-2021 19:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Server.exe

  • Size

    106KB

  • MD5

    d1670745ce45373164c84b0640a71308

  • SHA1

    7b8806732eb7f50a5130f5118af76a5941a567ee

  • SHA256

    52cc89dc0256a010e79f40a788658705fd7f98a76055fc6a443870523c89464b

  • SHA512

    dc3c08c62f088a249014f9250c03258f6e807c63b4e4945d2a308c64ef87c5fb1cc203c52276fe5ee6837ae8a734e245c65721e6b616586d4d507031e0d03849

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs
    evasion
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
      2⤵
        PID:1364
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        2⤵
          PID:1608
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
          2⤵
            PID:1956

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Modify Existing Service

        1
        T1031

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1364-57-0x0000000000000000-mapping.dmp
          Download
        • memory/1608-59-0x0000000000000000-mapping.dmp
          Download
        • memory/1664-55-0x00000000762D1000-0x00000000762D3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1664-56-0x0000000002100000-0x0000000002101000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1956-60-0x0000000000000000-mapping.dmp
          Download