Analysis
Max time kernel: 150s
Max time network: 121s
Platform: windows10_x64
Resource: win10-en-20211104
Submitted: 13-11-2021 19:00
Behavioral task: behavioral1
Sample: Server.exe
Resource: win7-en-20211014 (windows7_x64)
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: Server.exe
Resource: win10-en-20211104 (windows10_x64)
0 signatures
0 seconds
General
Target: Server.exe
Size: 106KB
MD5: d1670745ce45373164c84b0640a71308
SHA1: 7b8806732eb7f50a5130f5118af76a5941a567ee
SHA256: 52cc89dc0256a010e79f40a788658705fd7f98a76055fc6a443870523c89464b
SHA512: dc3c08c62f088a249014f9250c03258f6e807c63b4e4945d2a308c64ef87c5fb1cc203c52276fe5ee6837ae8a734e245c65721e6b616586d4d507031e0d03849
Score: 8/10
Malware Config
Signatures

- Modifies Windows Firewall (1 TTPs)

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid   process
  2676  Server.exe

- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  Processes:
  description                        pid   process
  Token: SeDebugPrivilege            2676  Server.exe
  Token: 33                          2676  Server.exe
  Token: SeIncBasePriorityPrivilege  2676  Server.exe
  (the remaining 34 events alternate between Token: 33 and Token: SeIncBasePriorityPrivilege, all for pid 2676 Server.exe)

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                       pid   process     target process
  PID 2676 wrote to memory of 3800  2676  Server.exe  netsh.exe
  PID 2676 wrote to memory of 3800  2676  Server.exe  netsh.exe
  PID 2676 wrote to memory of 3800  2676  Server.exe  netsh.exe
  PID 2676 wrote to memory of 3668  2676  Server.exe  netsh.exe
  PID 2676 wrote to memory of 3668  2676  Server.exe  netsh.exe
  PID 2676 wrote to memory of 3668  2676  Server.exe  netsh.exe
  PID 2676 wrote to memory of 3084  2676  Server.exe  netsh.exe
  PID 2676 wrote to memory of 3084  2676  Server.exe  netsh.exe
  PID 2676 wrote to memory of 3084  2676  Server.exe  netsh.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE

  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"

  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE