Overview (score 10)
Static (score 7)

Tasks in this submission (target, platform, score badge as shown in the sidebar):
- 1.exe        windows7-x64         1
- 1.exe        windows10-2004-x64   7
- Fallen.exe   windows7-x64         7
- Fallen.exe   windows10-2004-x64   7
- Inte.exe     windows7-x64         7
- Inte.exe     windows10-2004-x64   7
- LX64         ubuntu-18.04-amd64   1
- Server.exe   windows7-x64         7
- Server.exe   windows10-2004-x64   7
- hfs.exe      windows7-x64         10
- hfs.exe      windows10-2004-x64   10
- hfs_1.exe    windows7-x64         10
- hfs_1.exe    windows10-2004-x64   10
- hg           ubuntu-18.04-amd64   1
- java         ubuntu-18.04-amd64   1
- moren.exe    windows7-x64         10
- moren.exe    windows10-2004-x64   10

Analysis
- Max time kernel: 148s
- Max time network: 150s
- Platform: windows7_x64
- Resource: win7-20230220-en
- Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- Submitted: 27-03-2023 09:25
Behavioral tasks (task, sample, resource):
- behavioral1   1.exe        win7-20230220-en
- behavioral2   1.exe        win10v2004-20230220-en
- behavioral3   Fallen.exe   win7-20230220-en
- behavioral4   Fallen.exe   win10v2004-20230220-en
- behavioral5   Inte.exe     win7-20230220-en
- behavioral6   Inte.exe     win10v2004-20230221-en
- behavioral7   LX64         ubuntu1804-amd64-en-20211208
- behavioral8   Server.exe   win7-20230220-en  (the task this report covers)
- behavioral9   Server.exe   win10v2004-20230221-en
- behavioral10  hfs.exe      win7-20230220-en
- behavioral11  hfs.exe      win10v2004-20230220-en
- behavioral12  hfs_1.exe    win7-20230220-en
- behavioral13  hfs_1.exe    win10v2004-20230220-en
- behavioral14  hg           ubuntu1804-amd64-en-20211208
- behavioral15  java         ubuntu1804-amd64-20221111-en
- behavioral16  moren.exe    win7-20230220-en
- behavioral17  moren.exe    win10v2004-20230220-en
General
- Target: Server.exe
- Size: 96KB
- MD5: bfd0dcf57209068cc25907ff8ddc17e1
- SHA1: 8b913990c8691231e1d8e249d6d7f9a59b85dc1e
- SHA256: 8a16390f705599cacaba51ccf440f7f0a8320e614f71710a594312756788b28d
- SHA512: 8a2838fd69419a249a37b7569a7c0333e8c36a71df0dc7b8ea414f87392b42e885bcd3fc41b6bda181c6f69d98a5a5367d06b8ff6c7d3e577ea4d2581c2bfe09
- SSDEEP: 1536:GRtxXnig5/VUJyWryEXe8T1g6hypxc/lkJ5jj1fV8cGDmtB:GhN5/VmbTC6hyQ/OJRj1V8cGCtB
Malware Config
Signatures
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 1044)
- Executes dropped EXE (1 IoC)
  Process: svchost.exe (PID 1140), the copy dropped under C:\Program Files\vcflye
- Drops file in Program Files directory (3 IoCs)
  File opened for modification   C:\Program Files\vcflye                Server.exe
  File created                   C:\Program Files\vcflye\svchost.exe    Server.exe
  File opened for modification   C:\Program Files\vcflye\svchost.exe    Server.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments; ~MHz in particular is a cheap way to spot a throttled or emulated CPU. Plenty of legitimate software reads the same key, so weigh this together with the rest of the behaviour rather than on its own.
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        svchost.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   svchost.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege adjusted by Server.exe (PID 884)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Server.exe (PID 884) wrote to the memory of cmd.exe (PID 1044); the report lists this event four times.
  Caveat: a few writes from a parent into a child it has just created are what CreateProcess itself performs while setting up the child (process parameters and environment), so on its own this signature is weak evidence of injection. The only action observed from the cmd.exe child is the self-delete command shown under Processes.
Processes
- C:\Users\Admin\AppData\Local\Temp\Server.exe  (PID 884)
  command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe  (PID 1044, child of PID 884)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\Server.exe > nul
    - Deletes itself
- C:\Program Files\vcflye\svchost.exe  (PID 1140)
  command line: "C:\Program Files\vcflye\svchost.exe"
  - Executes dropped EXE
  - Checks processor information in registry

The command line names C:\Windows\system32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe: Server.exe is a 32-bit process, so the WOW64 file-system redirector maps system32 to SysWOW64 for it. The dropped copy runs under the name svchost.exe from a directory of its own; a genuine svchost.exe lives in System32 (or SysWOW64) and is started by services.exe, which is the quickest check for this masquerade on a live host.
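Detection logic for the behaviours in the Signatures and Processes sections above (self-deletion through a cmd.exe child, the self-copy into Program Files, execution of that copy under the svchost.exe name from a non-system directory, and the ~MHz registry probe), as an added Python example that is not part of the tria.ge report or of the sample. The event schema (`type`, `pid`, `ppid`, `image`, `cmdline`, `sha256`, `path`, `key`, `value`) is hypothetical and meant to be mapped onto whatever an EDR or sandbox emits; the events are constructed from this report's process tree and IoC tables, and the fields the report does not give (the `sha256` on process events, the parent of the dropped svchost.exe) are assumptions marked in the code.

```python
# Added example: simple behavioural rules over process/file/registry events.
# The event schema is hypothetical, not a real sandbox or EDR format.
import ntpath

# SHA-256 of Server.exe as given in the report's General section.
SAMPLE_SHA256 = "8a16390f705599cacaba51ccf440f7f0a8320e614f71710a594312756788b28d"

# Constructed events modelled on the report. PIDs, image paths, command lines,
# the dropped path and the registry key are from the page; the "sha256" field on
# process events and ppid=None for the dropped svchost.exe are assumptions.
EVENTS = [
    {"type": "process", "pid": 884, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Server.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Server.exe"',
     "sha256": SAMPLE_SHA256},
    {"type": "file_write", "pid": 884,
     "path": r"C:\Program Files\vcflye\svchost.exe", "sha256": SAMPLE_SHA256},
    {"type": "process", "pid": 1044, "ppid": 884,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\Server.exe > nul",
     "sha256": None},
    {"type": "process", "pid": 1140, "ppid": None,
     "image": r"C:\Program Files\vcflye\svchost.exe",
     "cmdline": r'"C:\Program Files\vcflye\svchost.exe"',
     "sha256": SAMPLE_SHA256},
    {"type": "reg_query", "pid": 1140,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
     "value": "~MHz"},
]

# Where a genuine svchost.exe lives on an x64 Windows install.
LEGIT_SVCHOST = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}


def _processes(events):
    # Index process-creation events by PID.
    return {e["pid"]: e for e in events if e["type"] == "process"}


def rule_self_delete(events):
    # A cmd.exe child whose "del" target is its own parent's image path.
    # Keying on the parent path (not just "cmd /c del") keeps ordinary cleanup
    # scripts from firing the rule. Returns [(cmd_pid, deleted_parent_image)].
    procs = _processes(events)
    hits = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent is None or ntpath.basename(p["image"]).lower() != "cmd.exe":
            continue
        cmd = p["cmdline"].lower()
        pos = cmd.find(" del ")
        if pos != -1 and parent["image"].lower() in cmd[pos:]:
            hits.append((p["pid"], parent["image"]))
    return hits


def rule_svchost_masquerade(events):
    # svchost.exe running from anywhere except System32/SysWOW64.
    # Returns [(pid, image)].
    return [(p["pid"], p["image"]) for p in _processes(events).values()
            if ntpath.basename(p["image"]).lower() == "svchost.exe"
            and p["image"].lower() not in LEGIT_SVCHOST]


def rule_self_copy(events):
    # A process writing a file whose hash equals its own image hash.
    # Returns [(source_image, written_path)].
    procs = _processes(events)
    hits = []
    for e in events:
        if e["type"] != "file_write":
            continue
        src = procs.get(e["pid"])
        if (src and src.get("sha256") and src["sha256"] == e["sha256"]
                and e["path"].lower() != src["image"].lower()):
            hits.append((src["image"], e["path"]))
    return hits


def rule_cpu_mhz_probe(events):
    # The ~MHz value under CentralProcessor read by a process outside the
    # Windows directory. Returns [(pid, image)].
    procs = _processes(events)
    hits = []
    for e in events:
        if e["type"] != "reg_query" or e["value"].lower() != "~mhz":
            continue
        if "centralprocessor" not in e["key"].lower():
            continue
        p = procs.get(e["pid"])
        if p and not p["image"].lower().startswith("c:\\windows\\"):
            hits.append((p["pid"], p["image"]))
    return hits


RULES = {
    "self_delete": rule_self_delete,
    "svchost_masquerade": rule_svchost_masquerade,
    "self_copy": rule_self_copy,
    "cpu_mhz_probe": rule_cpu_mhz_probe,
}


def run_rules(events):
    # Return {rule_name: hits} for every rule that fired on the events.
    return {name: hits for name, fn in RULES.items() if (hits := fn(events))}


if __name__ == "__main__":
    for name, hits in run_rules(EVENTS).items():
        print(f"[{name}]")
        for hit in hits:
            print("   ", *hit)
```

Each rule returns its hits as tuples so they can be asserted on or handed to a case system; running the file directly prints which rules fire on the constructed events (all four do for this report). The self-copy rule needs hashes on both the process image and the written file, which most EDR telemetry supplies; if yours does not, the masquerade and self-delete rules still stand on command-line and path data alone.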
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\vcflye\svchost.exe
  Filesize: 96KB
  MD5: bfd0dcf57209068cc25907ff8ddc17e1
  SHA1: 8b913990c8691231e1d8e249d6d7f9a59b85dc1e
  SHA256: 8a16390f705599cacaba51ccf440f7f0a8320e614f71710a594312756788b28d
  SHA512: 8a2838fd69419a249a37b7569a7c0333e8c36a71df0dc7b8ea414f87392b42e885bcd3fc41b6bda181c6f69d98a5a5367d06b8ff6c7d3e577ea4d2581c2bfe09
  All four hashes match the submitted Server.exe (see General), so the dropped file is a byte-for-byte copy of the sample rather than an embedded second-stage payload; one hash set covers both paths when hunting.