Overview

overview

10

Static

static

10

Server2.exe

windows7-x64

8

Server2.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    15-07-2023 11:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Server2.exe

  • Size

    93KB

  • MD5

    99e853cafc9f7388bfb2c589befa031c

  • SHA1

    dafdcf6b18fc510749bc8954f061f3746c1213b2

  • SHA256

    32064b227c71528839b8e12b5b146ca30c7c8b14dd2de844a7f9ac33447d9e1b

  • SHA512

    6885636a339fd11c16b8d54ee4a3579d8abbd101d24802d944bf6b05d57c846061c4c20b322cede761b5349d0710855a7cab3f6db14c510a4aa322f161143894

  • SSDEEP

    1536:i55edxQJ9waK7jh7CQjEwzGi1dDJDrgS:i50QJ9waK7jtCBi1d1k

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Drops startup file 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server2.exe
    "C:\Users\Admin\AppData\Local\Temp\Server2.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server2.exe" "Server2.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:2204
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.vbs"
      2⤵
        PID:2444
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.html
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2688 CREDAT:275457 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2744

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      3da75b50170a39086a89c09dd358a506

      SHA1

      60afe13d3de1d8df9214196d50b0902fbbb1bf47

      SHA256

      6582b9ad61f903c96144b0232177cd1e071cf40a7f190e8523b729b6ca569a6f

      SHA512

      2e16cb95b4214ad94a2bdbb8bdefb2343dd981f8c4831d5a513100fb50bbbddc019b7cf87b42bfc58bb46239eed9544ae49ce2b143cf5b54930bae85cc172781

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      e2ba6a1442fc683f02d6e69673d08193

      SHA1

      a9b03d3f8d75bb9163b3becaecc805c4879fb7fe

      SHA256

      dcd72d5374883dff1beec6eb8aeddbb1c51c0ead7017cfdaecb9f780fa0fdc45

      SHA512

      0b9bf2e3bb7cd61bbec7d4f764e48efab1e6fa31d03000b496fc309a9030b1b207aaa0d209522759626fa988a838868531ed54d2e9768e0bece4519870f59aa8

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      db9dd60e88ae21272a977bd9e4108eb9

      SHA1

      8abaf822e1580015dc71460db1bde0f0c2b3cb13

      SHA256

      e9f1f4205c47afa660ea1bdc73904e7ab6cf74a95c266dee4a8187eae7958310

      SHA512

      cce85c695b72ff48006fce7834d3b2576f2eadfbdea818a0648604c698759256a9b1637eb632d856762875194d742f90669480a140b894fe95d974526ed978e8

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      aafeca21dcb94e36108cd30da846c5e6

      SHA1

      e7ab7a39db727e1475177b65e28c9e6780cabfb8

      SHA256

      4787f268b6e09a302c28e562d5dff48322ac2263a0eb40afa0167b0b24fe9c5f

      SHA512

      049cf61697826cb3299351969ae67be30c62f617a77fbd4d75c4faf624a3da46d7a1f3f304af8607ef308a559710e26256fbf4a8bee4fdb774d6b41920e753c6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      1b85771a90e6e66743580202743e22ea

      SHA1

      bb2b039a7909c62332db6a16f0d423af7c3c67b3

      SHA256

      c65b9fc01b7804d95d6eb05f73d38c92608a63f46d1b1bda5a5359809e7a3252

      SHA512

      4932a312b00cd569adf71eb71048c65821fce9e5f02cbcf339758481bbc0af10c50d4030fbc84878800b5b2e88d13677a37580a3c08e21b1da80df2d8d33c7f5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      a5e0811145e4baa2ade4df509119bc38

      SHA1

      1089b056549568544ec2d551e71e56cda6a468c1

      SHA256

      476b7106037bbabda738cb66e28d8a57b453e3109ab4d65ce0c5b9d4eece1729

      SHA512

      ca8fd24609f168ef03ab02765d4248827f334894bd5037a5242d57a2ebe5281c71b1087c43ecd61544de4075bdff01ca5077ec062374450cab98bd266c5970fe

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B9M1KBX1\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab4BF0.tmp
      Filesize

      62KB

      MD5

      3ac860860707baaf32469fa7cc7c0192

      SHA1

      c33c2acdaba0e6fa41fd2f00f186804722477639

      SHA256

      d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

      SHA512

      d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar4CFE.tmp
      Filesize

      164KB

      MD5

      4ff65ad929cd9a367680e0e5b1c08166

      SHA1

      c0af0d4396bd1f15c45f39d3b849ba444233b3a2

      SHA256

      c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

      SHA512

      f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QU1IMKIM.txt
      Filesize

      606B

      MD5

      442f3fb4efcdb1f5285c3da24696ed64

      SHA1

      8bc96de677e6f9ca8abd500831199502430ccd01

      SHA256

      06f83432d56e6ba1102e6b0e490d0a39ccf3e6c43e6a4a9d5a612c35e645e38c

      SHA512

      02f519f6615cff4926194930b77deedad26943f75eaeb25741fdc72166fe548d41af35d2352386bba50346111abaf0e49720a239785e6831d3d041e58aab9cb0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
      Filesize

      93KB

      MD5

      99e853cafc9f7388bfb2c589befa031c

      SHA1

      dafdcf6b18fc510749bc8954f061f3746c1213b2

      SHA256

      32064b227c71528839b8e12b5b146ca30c7c8b14dd2de844a7f9ac33447d9e1b

      SHA512

      6885636a339fd11c16b8d54ee4a3579d8abbd101d24802d944bf6b05d57c846061c4c20b322cede761b5349d0710855a7cab3f6db14c510a4aa322f161143894

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.html
      Filesize

      19B

      MD5

      53b9f8d6b89885849f2082ed155df5b0

      SHA1

      9698bf6232b9b0e9e9bd1a5c22a2e31cf1a7641e

      SHA256

      c8852b43797378fb4f911c2e010882f1665bbcaf037ba800d1d6de3329937488

      SHA512

      dd25d925585da29304f3b0ba6eb92463b9f25507ea3b0e306c891e441805210d9f02b451835f46d4d01ee0803f489bfbf5f0056fb47830f839d123be3cbf252f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.html
      Filesize

      19B

      MD5

      53b9f8d6b89885849f2082ed155df5b0

      SHA1

      9698bf6232b9b0e9e9bd1a5c22a2e31cf1a7641e

      SHA256

      c8852b43797378fb4f911c2e010882f1665bbcaf037ba800d1d6de3329937488

      SHA512

      dd25d925585da29304f3b0ba6eb92463b9f25507ea3b0e306c891e441805210d9f02b451835f46d4d01ee0803f489bfbf5f0056fb47830f839d123be3cbf252f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.vbs
      Filesize

      19B

      MD5

      53b9f8d6b89885849f2082ed155df5b0

      SHA1

      9698bf6232b9b0e9e9bd1a5c22a2e31cf1a7641e

      SHA256

      c8852b43797378fb4f911c2e010882f1665bbcaf037ba800d1d6de3329937488

      SHA512

      dd25d925585da29304f3b0ba6eb92463b9f25507ea3b0e306c891e441805210d9f02b451835f46d4d01ee0803f489bfbf5f0056fb47830f839d123be3cbf252f

      Download Submit

    • memory/1972-54-0x0000000073F80000-0x000000007452B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1972-66-0x0000000000300000-0x0000000000340000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1972-65-0x0000000000300000-0x0000000000340000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1972-64-0x0000000073F80000-0x000000007452B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1972-63-0x0000000073F80000-0x000000007452B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1972-56-0x0000000000300000-0x0000000000340000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1972-55-0x0000000073F80000-0x000000007452B000-memory.dmp

      Filesize

      5.7MB

      Download