Analysis
max time kernel: 168s
max time network: 123s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 15:50
Static task: static1
Behavioral task: behavioral1
Sample: ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe
Resource: win7-20220812-en
General
Target: ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe
Size: 426KB
MD5: 438667f73e7f085f52180a45edaaf3ba
SHA1: 94b2c6f21f7623f78f05ca66d75a9219622c1e49
SHA256: ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6
SHA512: bcd7efba57ac29fd006316dfcf446e656bb898727f004c975fbd3e89e8cfd50681a42d3dddebf85fd69beeb5e326b1d96ac4e3dd5bd54ca24bd60c6d7ef02522
SSDEEP: 6144:R/0uoEpLqaaYOfRB1I1EgXjR5P65E4ih6vWRdb0ILthhKAyeev7ydDINvLNCtKGR:RJlQfoz9kEPgO3/evOCNAJ55O7lcfkj+
Malware Config
Extracted
family: sality
C2 URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Extracted
family: cybergate
version: 2.6
botnet / campaign ID: vítima (Portuguese: "victim")
C2:
127.0.0.1:81
chabchoub.no-ip.info:81
mutex: ***MUTEX***
attributes:
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem (Portuguese: "message text"; unused, since enable_message_box is false)
message_box_title: título da mensagem (Portuguese: "message title"; unused for the same reason)
password: abcd1234
Signatures
-
Modifies firewall policy service 2 TTPs 9 IoCs
Processes: server.exe, server.exe, server.exe
description | ioc | process
All nine rows are Set value (int) by server.exe under \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\, in the order listed:
DoNotAllowExceptions = "0"
DisableNotifications = "1"
EnableFirewall = "0"
DisableNotifications = "1"
EnableFirewall = "0"
DoNotAllowExceptions = "0"
DisableNotifications = "1"
EnableFirewall = "0"
DoNotAllowExceptions = "0"
UAC bypass 3 IoCs
Processes: server.exe, server.exe, server.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Windows security bypass 18 IoCs
Processes: server.exe, server.exe, server.exe
description | ioc | process
All 18 rows are Set value (int) by server.exe under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\, in the order listed:
FirewallOverride = "1"
FirewallDisableNotify = "1"
UacDisableNotify = "1"
AntiVirusOverride = "1"
AntiVirusOverride = "1"
FirewallDisableNotify = "1"
FirewallOverride = "1"
UpdatesDisableNotify = "1"
AntiVirusOverride = "1"
UacDisableNotify = "1"
UpdatesDisableNotify = "1"
AntiVirusDisableNotify = "1"
FirewallDisableNotify = "1"
UacDisableNotify = "1"
FirewallOverride = "1"
UpdatesDisableNotify = "1"
AntiVirusDisableNotify = "1"
AntiVirusDisableNotify = "1"
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes: server.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | server.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | server.exe
Executes dropped EXE 3 IoCs
Processes: server.exe, server.exe, server.exe
pid | process
1992 | server.exe
648 | server.exe
1112 | server.exe
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes: server.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{S7J54P5A-N7HR-W041-R4Y1-720VMVOBTP21} | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{S7J54P5A-N7HR-W041-R4Y1-720VMVOBTP21}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | server.exe
An Active Setup StubPath is executed at each user's next logon, so this is a second persistence mechanism alongside the policy Run key above. The component name contains characters outside 0-9/A-F and is therefore not a valid GUID, which makes the key name itself a usable registry IoC.
UPX-packed file (yara_rule: upx) 31 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe | upx (listed 5 times)
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe | upx (listed 3 times)
C:\Windows\SysWOW64\install\server.exe | upx (listed 2 times)
\Windows\SysWOW64\install\server.exe | upx (listed 3 times)
behavioral1/memory/1992-62-0x0000000002000000-0x00000000030BA000-memory.dmp | upx
behavioral1/memory/1992-65-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral1/memory/1992-66-0x0000000002000000-0x00000000030BA000-memory.dmp | upx
behavioral1/memory/1992-69-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral1/memory/1992-78-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral1/memory/648-83-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral1/memory/1992-84-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral1/memory/1992-85-0x0000000002000000-0x00000000030BA000-memory.dmp | upx
behavioral1/memory/648-87-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral1/memory/648-88-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral1/memory/1112-97-0x0000000002260000-0x000000000331A000-memory.dmp | upx
behavioral1/memory/1112-100-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral1/memory/1112-101-0x0000000002260000-0x000000000331A000-memory.dmp | upx
behavioral1/memory/1112-104-0x0000000000400000-0x0000000000469000-memory.dmp | upx
behavioral1/memory/1112-105-0x0000000002260000-0x000000000331A000-memory.dmp | upx
behavioral1/memory/648-106-0x0000000005640000-0x00000000066FA000-memory.dmp | upx
behavioral1/memory/648-107-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral1/memory/648-110-0x0000000005640000-0x00000000066FA000-memory.dmp | upx
Deletes itself 1 IoCs
Processes: server.exe
pid | process
648 | server.exe
Loads dropped DLL 8 IoCs
Processes: ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe, server.exe, server.exe, server.exe
pid | process
1708 | ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe (listed 2 times)
1992 | server.exe (listed 2 times)
648 | server.exe (listed 3 times)
1112 | server.exe
Windows security modification 21 IoCs
Processes: server.exe, server.exe, server.exe
description | ioc | process
All 21 rows are by server.exe under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\, in the order listed:
Set value (int) UacDisableNotify = "1"
Set value (int) AntiVirusDisableNotify = "1"
Set value (int) FirewallDisableNotify = "1"
Set value (int) UpdatesDisableNotify = "1"
Set value (int) UacDisableNotify = "1"
Set value (int) FirewallDisableNotify = "1"
Set value (int) UpdatesDisableNotify = "1"
Set value (int) FirewallDisableNotify = "1"
Key created Svc
Set value (int) AntiVirusOverride = "1"
Key created Svc
Set value (int) UacDisableNotify = "1"
Set value (int) AntiVirusOverride = "1"
Set value (int) FirewallOverride = "1"
Key created Svc
Set value (int) AntiVirusDisableNotify = "1"
Set value (int) FirewallOverride = "1"
Set value (int) AntiVirusDisableNotify = "1"
Set value (int) UpdatesDisableNotify = "1"
Set value (int) FirewallOverride = "1"
Set value (int) AntiVirusOverride = "1"
Adds Run key to start application 2 TTPs 2 IoCs
Processes: ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe
This RunOnce value is the standard cleanup hook written by the IExpress/wextract self-extractor (the IXP000.TMP extraction directory is the other tell): it deletes the temporary extraction directory at the next logon and is not persistence for the payload. The payload's own persistence is the policy Run key and the Active Setup StubPath written by server.exe above.
Checks whether UAC is enabled 3 IoCs
Processes: server.exe, server.exe, server.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: server.exe
description | ioc | process
All 22 rows are File opened (read-only) by server.exe; drive roots in the order listed:
\??\N: \??\R: \??\S: \??\T: \??\V: \??\X: \??\F: \??\W: \??\U: \??\Z: \??\E: \??\G: \??\H: \??\I: \??\L: \??\O: \??\J: \??\K: \??\M: \??\P: \??\Q: \??\Y:
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: server.exe
description | ioc | process
File opened for modification | C:\autorun.inf | server.exe
Drops file in System32 directory 2 IoCs
Processes: server.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\install\server.exe | server.exe
File created | C:\Windows\SysWOW64\install\server.exe | server.exe
Drops file in Program Files directory 4 IoCs
Processes: server.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | server.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | server.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | server.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | server.exe
Despite the signature name, nothing new is dropped here: these are existing executables opened for write, which is what Sality's PE file infection looks like. Hashes of third-party executables on an affected host should be checked against known-good copies.
Drops file in Windows directory 4 IoCs
Processes: server.exe, server.exe, server.exe
description | ioc | process
File created | C:\Windows\6c90fa | server.exe
File created | C:\Windows\6c583f | server.exe
File opened for modification | C:\Windows\SYSTEM.INI | server.exe
File created | C:\Windows\6c66b0 | server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description flags this as likely ransomware behaviour, but no encryption activity is reported; taken together with the drive-root enumeration and the autorun.inf drop above, it matches Sality's spreading onto removable volumes.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes: server.exe, server.exe, server.exe
pid | process
1992 | server.exe (listed 2 times)
1112 | server.exe
648 | server.exe (listed 13 times)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: server.exe
pid | process
648 | server.exe
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes: server.exe, server.exe
description | pid | process
Token: SeDebugPrivilege | 1992 | server.exe (listed 20 times)
Token: SeDebugPrivilege | 648 | server.exe (listed 2 times)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe, server.exe
description | pid | process | target process
PID 1708 wrote to memory of 1992 | 1708 | ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe | server.exe (listed 7 times)
PID 1992 wrote to memory of 1260 | 1992 | server.exe | taskhost.exe
PID 1992 wrote to memory of 1364 | 1992 | server.exe | Dwm.exe
PID 1992 wrote to memory of 1420 | 1992 | server.exe | Explorer.EXE
PID 1992 wrote to memory of 1708 | 1992 | server.exe | ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe (listed 2 times)
PID 1992 wrote to memory of 1632 | 1992 | server.exe | iexplore.exe (listed 52 times, the remainder of the 64 rows)
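The table above mixes two different things: writes into a process the writer has just spawned (normal during process start, or hollowing of that child) and writes into processes the writer did not spawn, which can only be injection into something already running. The following is an added example, not part of the sandbox report, that parses rows in the report's own row format and separates the two cases using the parent/child relationships from the process tree further down; the rows are the table's distinct rows with their listed counts.

```python
"""Cross-process write graph for the 'Suspicious use of WriteProcessMemory'
table.  Added example, not part of the sandbox report: ROWS mirrors the
table's distinct rows (with the number of times each is listed) and PARENT
is read off the process tree in the report.
"""
import re
from collections import Counter

SAMPLE = "ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe"

# (times listed, row text in the report's own format)
ROWS = [
    (7, f"PID 1708 wrote to memory of 1992 1708 {SAMPLE} server.exe"),
    (1, "PID 1992 wrote to memory of 1260 1992 server.exe taskhost.exe"),
    (1, "PID 1992 wrote to memory of 1364 1992 server.exe Dwm.exe"),
    (1, "PID 1992 wrote to memory of 1420 1992 server.exe Explorer.EXE"),
    (2, f"PID 1992 wrote to memory of 1708 1992 server.exe {SAMPLE}"),
    (52, "PID 1992 wrote to memory of 1632 1992 server.exe iexplore.exe"),
]

# child pid -> parent pid, from the process tree in the report
PARENT = {1708: 1420, 1992: 1708, 1632: 1992, 648: 1992, 1112: 648}

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")


def parse_row(text: str):
    m = _ROW.match(text)
    if not m:
        raise ValueError(f"unrecognised row: {text!r}")
    src, dst, src_img, dst_img = m.groups()
    return int(src), int(dst), src_img, dst_img


def classify(src: int, dst: int) -> str:
    """Relate the target to the writer using the process tree."""
    if PARENT.get(dst) == src:
        return "own child"            # expected at process start, or hollowing
    if PARENT.get(src) == dst:
        return "own parent"
    return "other running process"    # injection into a pre-existing process


def write_graph(rows):
    """Aggregate rows into {(src, src_img, dst, dst_img, kind): write count}."""
    edges = Counter()
    for count, text in rows:
        src, dst, src_img, dst_img = parse_row(text)
        edges[(src, src_img, dst, dst_img, classify(src, dst))] += count
    return edges


def injection_targets(rows):
    """Processes written to that the writer did not spawn, with write counts."""
    return sorted(
        (dst, dst_img, n)
        for (src, _, dst, dst_img, kind), n in write_graph(rows).items()
        if kind == "other running process"
    )


if __name__ == "__main__":
    for (src, si, dst, di, kind), n in sorted(write_graph(ROWS).items()):
        print(f"{src:>5} {si[:24]:24} -> {dst:>5} {di:14} {kind:22} x{n}")
```

On this report the "other running process" edges are server.exe (1992) writing into taskhost.exe, Dwm.exe and Explorer.EXE, which is the injection the CyberGate config's injected_process setting points at; the 52 writes into iexplore.exe go into a child 1992 itself spawned, so they look like hollowing of a freshly created browser process rather than injection into a running one.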
System policy modification 1 TTPs 3 IoCs
Processes: server.exe, server.exe, server.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
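The registry and file tables above are directly usable as host-triage checks. The following is an added example, not part of the sandbox report or of any sandbox's code, that folds the sandbox's native registry spellings (\REGISTRY\MACHINE\..., ControlSet001, the Wow6432Node view) and the HKLM/HKEY_USERS spellings seen in EDR or Sysmon output onto one form, then matches event records against the values the report lists. The event records at the bottom are constructed to resemble Sysmon-style registry and file events; the any-drive autorun.inf rule and the six-hex-character C:\Windows file-name rule are assumptions generalised from what the report shows (C:\autorun.inf with 22 drive-root probes, and the names 6c90fa, 6c583f, 6c66b0). Nothing touches a live registry, so it runs on any platform.

```python
"""Host-triage matcher built from the registry and file IoCs in the signature
tables.  Added example, not part of the sandbox report.  The sample events
are constructed; the IoC paths and data values are copied from the tables.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Match:
    signature: str   # the report's signature name
    ioc: str         # the path as it appeared in the event
    image: str       # process that produced the event


# --- path normalisation --------------------------------------------------
# Sandbox output: \REGISTRY\MACHINE\...\ControlSet001\... and the Wow6432Node
# view.  Live tooling: HKLM\...\CurrentControlSet\..., either view.  Fold all
# of them onto one lower-cased spelling before comparing.
_HIVES = [
    (re.compile(r"^\\REGISTRY\\MACHINE\\", re.I), r"HKLM\\"),
    (re.compile(r"^HKEY_LOCAL_MACHINE\\", re.I), r"HKLM\\"),
    (re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", re.I), r"HKU\\<SID>\\"),
    (re.compile(r"^HKEY_USERS\\S-1-5-21-[\d-]+\\", re.I), r"HKU\\<SID>\\"),
]


def normalise_key(path: str) -> str:
    for pat, repl in _HIVES:
        path = pat.sub(repl, path, count=1)
    path = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", path, flags=re.I)
    path = re.sub(r"\\Wow6432Node\\", r"\\", path, flags=re.I)
    return path.lower()


# --- IoCs copied from the signature tables -------------------------------
_FW = r"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
_SC = r"HKLM\SOFTWARE\Microsoft\Security Center"
_POLICY_RUN = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies"
_INSTALLED = r"C:\Windows\system32\install\server.exe"

REGISTRY_IOCS: dict[str, tuple[str, str]] = {  # normalised path -> (data, signature)
    normalise_key(_FW + r"\EnableFirewall"): ("0", "Modifies firewall policy service"),
    normalise_key(_FW + r"\DoNotAllowExceptions"): ("0", "Modifies firewall policy service"),
    normalise_key(_FW + r"\DisableNotifications"): ("1", "Modifies firewall policy service"),
    normalise_key(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"): ("0", "UAC bypass"),
    normalise_key("HKLM\\" + _POLICY_RUN): (_INSTALLED, "Adds policy Run key to start application"),
    normalise_key("HKU\\<SID>\\" + _POLICY_RUN): (_INSTALLED, "Adds policy Run key to start application"),
}
for _name in ("AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
              "FirewallDisableNotify", "UacDisableNotify", "UpdatesDisableNotify"):
    REGISTRY_IOCS[normalise_key(_SC + "\\" + _name)] = ("1", "Windows security bypass")

# Active Setup: the component name in the report is not a valid GUID, so match
# any component whose StubPath points at the installed copy.
_ACTIVE_SETUP = re.compile(
    r"^hklm\\software\\microsoft\\active setup\\installed components\\\{[^}]+\}\\stubpath$")

FILE_IOCS = [  # (lower-cased path regex, signature)
    (re.compile(r"^c:\\windows\\syswow64\\install\\server\.exe$"), "Drops file in System32 directory"),
    # Assumption: any drive root, generalised from C:\autorun.inf plus the 22 drive probes.
    (re.compile(r"^[a-z]:\\autorun\.inf$"), "Drops autorun.inf file"),
    (re.compile(r"^c:\\windows\\system\.ini$"), "Drops file in Windows directory"),
    # Assumption: generalised from the three names seen (6c90fa, 6c583f, 6c66b0).
    (re.compile(r"^c:\\windows\\[0-9a-f]{6}$"), "Drops file in Windows directory"),
]


def match_event(ev: dict) -> list[Match]:
    """Return every signature a single event record satisfies."""
    found: list[Match] = []
    image = ev.get("image", "?")
    if ev["type"] == "registry_set":
        key = normalise_key(ev["path"])
        data = str(ev.get("data", "")).strip().lower()
        hit = REGISTRY_IOCS.get(key)
        if hit and data == hit[0].lower():
            found.append(Match(hit[1], ev["path"], image))
        elif _ACTIVE_SETUP.match(key) and data.endswith(r"\install\server.exe restart"):
            found.append(Match("Modifies Installed Components in the registry", ev["path"], image))
    elif ev["type"] in ("file_create", "file_modify"):
        p = ev["path"].lower()
        found.extend(Match(sig, ev["path"], image) for pat, sig in FILE_IOCS if pat.match(p))
    return found


def scan(events: list[dict]) -> list[Match]:
    return [m for ev in events for m in match_event(ev)]


_SRV = r"C:\Windows\SysWOW64\install\server.exe"
SAMPLE_EVENTS = [  # constructed records modelled on the report's tables
    {"type": "registry_set", "image": _SRV, "data": "0",
     "path": r"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    {"type": "registry_set", "image": _SRV, "data": "1",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride"},
    {"type": "registry_set", "image": _SRV, "data": "0",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "registry_set", "image": _SRV, "data": _INSTALLED,
     "path": r"HKEY_USERS\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies"},
    {"type": "registry_set", "image": _SRV, "data": _INSTALLED + " Restart",
     "path": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{S7J54P5A-N7HR-W041-R4Y1-720VMVOBTP21}\StubPath"},
    {"type": "file_create", "image": _SRV, "path": r"E:\autorun.inf"},
    # Benign control: an administrator re-enabling UAC must not match.
    {"type": "registry_set", "image": r"C:\Windows\regedit.exe", "data": "1",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
]

if __name__ == "__main__":
    for m in scan(SAMPLE_EVENTS):
        print(f"{m.signature:48} {m.image}  {m.ioc}")
```

The data comparison matters as much as the path: EnableLUA being written to 1 or EnableFirewall to 1 is a repair, not the bypass, so the matcher keys on the exact values the report shows rather than on the value name alone.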
Processes
Each entry gives the image path (command line), PID and the signatures raised by that process; indentation shows parent/child.
- C:\Windows\system32\taskhost.exe ("taskhost.exe"), PID 1260
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE), PID 1420
  - C:\Users\Admin\AppData\Local\Temp\ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe ("C:\Users\Admin\AppData\Local\Temp\ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe"), PID 1708
    signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe (C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe), PID 1992
      signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Adds policy Run key to start application; Executes dropped EXE; Modifies Installed Components in the registry; Loads dropped DLL; Windows security modification; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Program Files\Internet Explorer\iexplore.exe ("C:\Program Files\Internet Explorer\iexplore.exe"), PID 1632
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe ("C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe"), PID 648
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Deletes itself; Loads dropped DLL; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops autorun.inf file; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; System policy modification
        - C:\Windows\SysWOW64\install\server.exe ("C:\Windows\system32\install\server.exe"), PID 1112 (32-bit process: the system32 path in the command line is redirected to SysWOW64 on this x64 host)
          signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Loads dropped DLL; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; System policy modification
- C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe"), PID 1364
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe (listed 3 times with the C: prefix and 5 times as \Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe; every entry carries the same hashes)
  Filesize 348KB
  MD5 d0cecee8329227e6ffd2a687c7d8c477
  SHA1 5dda19f636506a724a88e9bf02def9ddb3c49d21
  SHA256 48c9db522fe6ed967f3e714568d5337b9ceaa42c1714ffb772310f353ac4f6e2
  SHA512 24919b0542e1454824f3012d21adadbbcfbd8997e7db6ed97d97820fb1d5c42463d6a7bb33553ac2c44836a380ff2d2fa2fe582bd30e312fa540fa0a7fd57167
- C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
  Filesize 229KB
  MD5 dd727b5df4fce4a9c469beea11596f0c
  SHA1 e99bf001feb053cd76134bd7269aab79c6e86de8
  SHA256 5f43500216544a82508409aa50af5e6ac00e31fb59277c5b7b1706dd37c0179e
  SHA512 18e10d8a86135db3f556cb39461be65e8ade876098ae754532ed273ba6c011939fb9d8fef1b618db1ec4e390be9386f84a6b5c6deed60dc6fb138bb5e2ac657a
- C:\Windows\SYSTEM.INI
  Filesize 255B
  MD5 0f9b0e618e8557180c1a6f5b368f1ae7
  SHA1 658b23d296475364ce0f892d4bb024db8983ea49
  SHA256 7f8c932fec2680e0369ee51b51dc65135fb83ed83f83a3f27dd67d5828f5ec89
  SHA512 24da857db511bb0ad9cf6dbcd539eac77a657a2b7229265805d8467ec4955420f5fcdd12f802d6c2564ef05154088ae1e868ee9ccc3a66d7c0c908eb2634df0a
- C:\Windows\SysWOW64\install\server.exe (listed 2 times with the C: prefix and 3 times as \Windows\SysWOW64\install\server.exe; byte-identical to the IXP000.TMP copy above)
  Filesize 348KB
  MD5 d0cecee8329227e6ffd2a687c7d8c477
  SHA1 5dda19f636506a724a88e9bf02def9ddb3c49d21
  SHA256 48c9db522fe6ed967f3e714568d5337b9ceaa42c1714ffb772310f353ac4f6e2
  SHA512 24919b0542e1454824f3012d21adadbbcfbd8997e7db6ed97d97820fb1d5c42463d6a7bb33553ac2c44836a380ff2d2fa2fe582bd30e312fa540fa0a7fd57167
- memory/648-107-0x0000000024080000-0x00000000240E2000-memory.dmp, Filesize 392KB
- memory/648-74-0x0000000000000000-mapping.dmp
- memory/648-106-0x0000000005640000-0x00000000066FA000-memory.dmp, Filesize 16.7MB
- memory/648-110-0x0000000005640000-0x00000000066FA000-memory.dmp, Filesize 16.7MB
- memory/648-81-0x0000000024080000-0x00000000240E2000-memory.dmp, Filesize 392KB
- memory/648-83-0x0000000024080000-0x00000000240E2000-memory.dmp, Filesize 392KB
- memory/648-109-0x0000000004110000-0x0000000004112000-memory.dmp, Filesize 8KB
- memory/648-103-0x0000000004110000-0x0000000004112000-memory.dmp, Filesize 8KB
- memory/648-108-0x0000000004D00000-0x0000000004D69000-memory.dmp, Filesize 420KB
- memory/648-87-0x0000000000400000-0x0000000000469000-memory.dmp, Filesize 420KB
- memory/648-88-0x0000000024080000-0x00000000240E2000-memory.dmp, Filesize 392KB
- memory/648-99-0x0000000004D00000-0x0000000004D69000-memory.dmp, Filesize 420KB
- memory/1112-105-0x0000000002260000-0x000000000331A000-memory.dmp, Filesize 16.7MB
- memory/1112-104-0x0000000000400000-0x0000000000469000-memory.dmp, Filesize 420KB
- memory/1112-93-0x0000000000000000-mapping.dmp
- memory/1112-102-0x0000000000570000-0x0000000000572000-memory.dmp, Filesize 8KB
- memory/1112-97-0x0000000002260000-0x000000000331A000-memory.dmp, Filesize 16.7MB
- memory/1112-100-0x0000000000400000-0x0000000000469000-memory.dmp, Filesize 420KB
- memory/1112-101-0x0000000002260000-0x000000000331A000-memory.dmp, Filesize 16.7MB
- memory/1708-86-0x00000000001F0000-0x00000000001FD000-memory.dmp, Filesize 52KB
- memory/1708-54-0x0000000076121000-0x0000000076123000-memory.dmp, Filesize 8KB
- memory/1708-64-0x00000000009E0000-0x0000000000A49000-memory.dmp, Filesize 420KB
- memory/1708-63-0x00000000009E0000-0x0000000000A49000-memory.dmp, Filesize 420KB
- memory/1992-66-0x0000000002000000-0x00000000030BA000-memory.dmp, Filesize 16.7MB
- memory/1992-85-0x0000000002000000-0x00000000030BA000-memory.dmp, Filesize 16.7MB
- memory/1992-84-0x0000000000400000-0x0000000000469000-memory.dmp, Filesize 420KB
- memory/1992-78-0x0000000024080000-0x00000000240E2000-memory.dmp, Filesize 392KB
- memory/1992-69-0x0000000024010000-0x0000000024072000-memory.dmp, Filesize 392KB
- memory/1992-67-0x0000000000270000-0x0000000000272000-memory.dmp, Filesize 8KB
- memory/1992-65-0x0000000000400000-0x0000000000469000-memory.dmp, Filesize 420KB
- memory/1992-62-0x0000000002000000-0x00000000030BA000-memory.dmp, Filesize 16.7MB
- memory/1992-57-0x0000000000000000-mapping.dmp