Analysis
-
max time kernel: 168s
max time network: 183s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/01/2024, 09:28
Static task: static1
Behavioral task: behavioral1
  Sample: 407eaa1c3f251b3275c9c397d58f724e.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 407eaa1c3f251b3275c9c397d58f724e.exe
  Resource: win10v2004-20231215-en
General
-
Target: 407eaa1c3f251b3275c9c397d58f724e.exe
Size: 7.6MB
MD5: 407eaa1c3f251b3275c9c397d58f724e
SHA1: 4edb2e1f3ce9199f08df7169ee3ba7d0e4a8039a
SHA256: 26798421b6135d50554b84f81642acc918a7b5d7a5f0fcbb103b93e26395f3d1
SHA512: 4d878f07f05cee2b7e787c3f6262ce3abdae96c694cfabcfccc3d5ba9d10411caf549e3418921ea59784ff0d9cf41ff0e18dc09884030b8ab9de24f4b20376d9
SSDEEP: 196608:yaWFPZGDGp38ZwSbGbRjmpGkimF2MJtmMSmm6K2fDlA/YeVI:yrFRGDGp38K3bNmp7pnxK2fDlURVI
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
  PID 4516  servbrow.exe
  PID 4256  servbrow.exe
-
Drops file in System32 directory (10 IoCs)
  All entries: file opened for modification by servbrow.exe
  - C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
  - C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
  - C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
  - C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
  - C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft
  - C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache
  - C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  - C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  - C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
  - C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
-
Drops file in Program Files directory (4 IoCs)
  All entries by 407eaa1c3f251b3275c9c397d58f724e.exe
  - File created:                C:\Program Files\7-Zip\Ws2Help.dll
  - File opened for modification: C:\Program Files\7-Zip\Ws2Help.dll
  - File created:                C:\Program Files\VideoLAN\VLC\Ws2Help.dll
  - File opened for modification: C:\Program Files\VideoLAN\VLC\Ws2Help.dll
-
Drops file in Windows directory (1 IoC)
  - File created: C:\Windows\servbrow.exe  (407eaa1c3f251b3275c9c397d58f724e.exe)
-
Modifies data under HKEY_USERS (16 IoCs)
  All entries by servbrow.exe
  - Key created:     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
  - Key created:     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Key created:     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
  - Key created:     \REGISTRY\USER\.DEFAULT\Software
  - Key created:     \REGISTRY\USER\.DEFAULT\Software\Microsoft
  - Key created:     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows
  - Key created:     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Key created:     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion
  - Key created:     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (value not shown in report)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  All entries: PID 4516 servbrow.exe
  - Token: SeTcbPrivilege
  - Token: SeChangeNotifyPrivilege
  - Token: SeIncreaseQuotaPrivilege
  - Token: SeAssignPrimaryTokenPrivilege
-
Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 3152  407eaa1c3f251b3275c9c397d58f724e.exe
  PID 4516  servbrow.exe
  PID 4256  servbrow.exe  (4 entries)
-
Suspicious use of WriteProcessMemory (3 IoCs)
  Three identical entries: PID 4516 (servbrow.exe) wrote to memory of PID 4256 (procid_target 102)
Processes
-
C:\Users\Admin\AppData\Local\Temp\407eaa1c3f251b3275c9c397d58f724e.exe  (depth 1, PID 3152)
  Command line: "C:\Users\Admin\AppData\Local\Temp\407eaa1c3f251b3275c9c397d58f724e.exe"
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
-
C:\Windows\servbrow.exe  (depth 1, PID 4516)
  Command line: "C:\Windows\servbrow.exe" /Service
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\servbrow.exe  (depth 2, PID 4256, child of PID 4516)
    Command line: "C:\Windows\servbrow.exe" /Popup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
-
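A host-side sweep for the file and process artifacts listed in this report, added here as an example; it is not part of the sandbox output and not the sample's own code. It checks the three dropped paths (C:\Windows\servbrow.exe and the two Ws2Help.dll copies under Program Files), hashes anything found against the only SHA256 values the report gives (the submitted sample and the "Downloads" artifact), sweeps Program Files for further Ws2Help.dll copies, and looks for a live servbrow.exe process or a service whose image path points at it. The service check is an assumption drawn from the "/Service" command-line switch; the report itself does not record service registration.

```powershell
# Added example: sweep a Windows host for the artifacts in this sandbox report.
# Run in an elevated PowerShell 5.1+ session. Paths come from the report; the
# hash set is the two SHA256 values the page lists (sample and "Downloads").
$KnownSha256 = @(
    '26798421b6135d50554b84f81642acc918a7b5d7a5f0fcbb103b93e26395f3d1',  # submitted sample
    '3e6f613dac33ccda4ef50141c533804fdf938d1bd24b77ee6c0f0da72670feda'   # report "Downloads" artifact
)

$DroppedPaths = @(
    'C:\Windows\servbrow.exe',
    'C:\Program Files\7-Zip\Ws2Help.dll',
    'C:\Program Files\VideoLAN\VLC\Ws2Help.dll'
)

$findings = @()

# 1. Exact paths the sandbox saw created/modified.
foreach ($p in $DroppedPaths) {
    if (Test-Path -LiteralPath $p) {
        $h   = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        $findings += [pscustomobject]@{
            Artifact  = $p
            Sha256    = $h
            KnownHash = ($KnownSha256 -contains $h)
            SigStatus = $sig.Status
            Detail    = 'Path listed as dropped in the sandbox report'
        }
    }
}

# 2. Ws2Help.dll legitimately lives in System32/SysWOW64; a copy inside an
#    application directory is what the sandbox flagged. Sweep all of Program
#    Files for copies beyond the two locations the report observed.
foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if (-not $root) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'Ws2Help.dll' -ErrorAction SilentlyContinue |
        Where-Object { $DroppedPaths -notcontains $_.FullName } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Artifact  = $_.FullName
                Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
                KnownHash = $false
                SigStatus = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                Detail    = 'Ws2Help.dll outside System32/SysWOW64 (location not in report)'
            }
        }
}

# 3. The report shows servbrow.exe running as "/Service" (PID 4516) and
#    spawning "/Popup" (PID 4256). Look for live instances and their parents.
Get-CimInstance Win32_Process -Filter "Name = 'servbrow.exe'" | ForEach-Object {
    $findings += [pscustomobject]@{
        Artifact  = "PID $($_.ProcessId): $($_.CommandLine)"
        Sha256    = ''
        KnownHash = $false
        SigStatus = ''
        Detail    = "Running servbrow.exe, parent PID $($_.ParentProcessId)"
    }
}

# 4. Assumption, not a reported behaviour: the "/Service" switch suggests the
#    binary may be registered as a service, so check service image paths too.
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'servbrow\.exe' } | ForEach-Object {
    $findings += [pscustomobject]@{
        Artifact  = "Service $($_.Name) -> $($_.PathName)"
        Sha256    = ''
        KnownHash = $false
        SigStatus = ''
        Detail    = "Service state $($_.State), start mode $($_.StartMode)"
    }
}

if ($findings.Count -eq 0) {
    'No artifacts from the report found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Treat any hit as a lead for manual review rather than a verdict: the report gives no hash for the dropped servbrow.exe or Ws2Help.dll files themselves, so a KnownHash of False on a found file only means it is not the submitted sample, and the file should be collected and hashed for the case. The HKEY_USERS\.DEFAULT Internet Settings keys listed under Signatures are deliberately left out of the sweep; WinINet creates them under the SYSTEM profile on many clean hosts, so on their own they are a weak indicator.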
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize: 7.6MB
MD5: e6d96471936babbb66a4d9fba1334818
SHA1: c0f6cc7f2a742fc437fc5f754fef8dc5180355f7
SHA256: 3e6f613dac33ccda4ef50141c533804fdf938d1bd24b77ee6c0f0da72670feda
SHA512: 690f4e1c7a950a3d153065db4c5976399ec88ae50df00d3a0f2df837dc100ad1be2f42e89767807ad1156a347e9171d1b45ee02f1bfbabf4a4c61eb5f11d15ed