Overview

overview

10

Static

static

10

Server.exe

windows7-x64

8

Server.exe

windows10-1703-x64

8

Server.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    1801s
  • max time network
    1805s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-12-2023 17:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Server.exe

  • Size

    93KB

  • MD5

    6ecaeda97e71ca06c16f1de261bde554

  • SHA1

    03900cc265f0341aa2c46814166f03c15ed7575d

  • SHA256

    f00081238b88a0a933dacc79d5406097918cc91454a6045a3b77cd47f825eea8

  • SHA512

    fe81c0ca76f61f6afae805ffcb3e3c2b4c5e9a3554a1918b607a48e3535adb5ff1cd9d864a7d5666023cbac0a30458a57f809295789d2c48817646bae3077b8a

  • SSDEEP

    768:3Y3D2QtCTpPchQRza90g5rxPXijj2TAuC4qu2XxrjEtCdnl2pi1Rz4Rk3hsGdpk3:S2CC9dzaGwrVJOzjEwzGi1dDxDkgS

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • Drops startup file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3496
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:3612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe
    Filesize

    93KB

    MD5

    6ecaeda97e71ca06c16f1de261bde554

    SHA1

    03900cc265f0341aa2c46814166f03c15ed7575d

    SHA256

    f00081238b88a0a933dacc79d5406097918cc91454a6045a3b77cd47f825eea8

    SHA512

    fe81c0ca76f61f6afae805ffcb3e3c2b4c5e9a3554a1918b607a48e3535adb5ff1cd9d864a7d5666023cbac0a30458a57f809295789d2c48817646bae3077b8a

    Download Submit

  • memory/3496-0-0x0000000074D70000-0x0000000075321000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3496-1-0x0000000074D70000-0x0000000075321000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3496-2-0x0000000001A70000-0x0000000001A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3496-13-0x0000000001A70000-0x0000000001A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3496-22-0x0000000074D70000-0x0000000075321000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3496-23-0x0000000074D70000-0x0000000075321000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3496-24-0x0000000001A70000-0x0000000001A80000-memory.dmp

    Filesize

    64KB

    Download