Analysis
- max time kernel: 149s
- max time network: 118s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 13-11-2021 19:03
Behavioral task: behavioral1
- Sample: Server.exe
- Resource: win7-en-20211104
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: Server.exe
- Resource: win10-en-20211014
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: Server.exe
- Size: 106KB
- MD5: ca93954e9f0369fe2ca7c043d68fa408
- SHA1: 60e0267f20a1c4956d911c8a95d6c65efa7a0649
- SHA256: 8d15eaeaa5c40aca8b91859c86d958a61cfbd410e2cd29bac0a95eef3dc8e091
- SHA512: 94eaa776e800d5fd3d845b57db58c546ea175f949f736bfe6989ec7becc80838745236e521d2cbce1b2a6c9d6753aa2090f0af32246b04cafede28cb68357f2d
- Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    1540  Server.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes:
    description                        pid   process
    Token: SeDebugPrivilege            1540  Server.exe
    Token: 33                          1540  Server.exe
    Token: SeIncBasePriorityPrivilege  1540  Server.exe
    (the last two rows repeat 17 times in the report, 35 IoCs in total)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   process     target process
    PID 1540 wrote to memory of 932   1540  Server.exe  netsh.exe
    PID 1540 wrote to memory of 932   1540  Server.exe  netsh.exe
    PID 1540 wrote to memory of 932   1540  Server.exe  netsh.exe
    PID 1540 wrote to memory of 932   1540  Server.exe  netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE