Analysis
-
max time kernel
315s -
max time network
1610s -
platform
windows10-1703_x64 -
resource
win10-20231023-en -
resource tags
arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system -
submitted
12-12-2023 17:49
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20231020-en
windows7-x64
10 signatures
1800 seconds
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10-20231023-en
windows10-1703-x64
10 signatures
1800 seconds
Behavioral task
behavioral3
Sample
Server.exe
Resource
win10v2004-20231127-en
windows10-2004-x64
9 signatures
1800 seconds
General
-
Target
Server.exe
-
Size
93KB
-
MD5
6ecaeda97e71ca06c16f1de261bde554
-
SHA1
03900cc265f0341aa2c46814166f03c15ed7575d
-
SHA256
f00081238b88a0a933dacc79d5406097918cc91454a6045a3b77cd47f825eea8
-
SHA512
fe81c0ca76f61f6afae805ffcb3e3c2b4c5e9a3554a1918b607a48e3535adb5ff1cd9d864a7d5666023cbac0a30458a57f809295789d2c48817646bae3077b8a
-
SSDEEP
768:3Y3D2QtCTpPchQRza90g5rxPXijj2TAuC4qu2XxrjEtCdnl2pi1Rz4Rk3hsGdpk3:S2CC9dzaGwrVJOzjEwzGi1dDxDkgS
Score
8/10
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 2 IoCs
pid Process 2884 netsh.exe 1744 netsh.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Server.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Explower.exe Server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe Server.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Explower.exe Server.exe File opened for modification C:\Program Files (x86)\Explower.exe Server.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1032 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe 696 Server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 696 Server.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeDebugPrivilege 696 Server.exe Token: 33 696 Server.exe Token: SeIncBasePriorityPrivilege 696 Server.exe Token: 33 696 Server.exe Token: SeIncBasePriorityPrivilege 696 Server.exe Token: 33 696 Server.exe Token: SeIncBasePriorityPrivilege 696 Server.exe Token: 33 696 Server.exe Token: SeIncBasePriorityPrivilege 696 Server.exe Token: 33 696 Server.exe Token: SeIncBasePriorityPrivilege 696 Server.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 696 wrote to memory of 2884 696 Server.exe 72 PID 696 wrote to memory of 2884 696 Server.exe 72 PID 696 wrote to memory of 2884 696 Server.exe 72 PID 696 wrote to memory of 1744 696 Server.exe 74 PID 696 wrote to memory of 1744 696 Server.exe 74 PID 696 wrote to memory of 1744 696 Server.exe 74 PID 696 wrote to memory of 4220 696 Server.exe 75 PID 696 wrote to memory of 4220 696 Server.exe 75 PID 696 wrote to memory of 4220 696 Server.exe 75 PID 4220 wrote to memory of 1032 4220 cmd.exe 78 PID 4220 wrote to memory of 1032 4220 cmd.exe 78 PID 4220 wrote to memory of 1032 4220 cmd.exe 78
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
PID:2884
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Modifies Windows Firewall
PID:1744
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\PING.EXEping 0 -n 23⤵
- Runs ping.exe
PID:1032
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
93KB
MD56ecaeda97e71ca06c16f1de261bde554
SHA103900cc265f0341aa2c46814166f03c15ed7575d
SHA256f00081238b88a0a933dacc79d5406097918cc91454a6045a3b77cd47f825eea8
SHA512fe81c0ca76f61f6afae805ffcb3e3c2b4c5e9a3554a1918b607a48e3535adb5ff1cd9d864a7d5666023cbac0a30458a57f809295789d2c48817646bae3077b8a