Overview

overview

7

Static

static

3

server.exe

windows7-x64

7

server.exe

windows10-2004-x64

7

server.exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    1798s
  • max time network
    1494s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231215-en
  • resource tags

    arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    06/01/2024, 12:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    server.exe

  • Size

    1.4MB

  • MD5

    badc8cbde455d9b56fbe91c28f986ba3

  • SHA1

    7fe5d8b6c33a37d02decea07f6ce3a880f659ac1

  • SHA256

    d2a44fcb2c471c4e1c8ef74dc87dcade91c0d04d9b23d557b2a3d2ffd0202d27

  • SHA512

    47c33947a18c5b7c62f880eecb1ed795c4ab72166afdc3347570b796731b3002eb424c8c0fc346477a53cb077e04658340eaedc9292941a0cfc9bcdcf8806893

  • SSDEEP

    24576:oxLsMs8WdUS88xLsMs8WdUS88TsQfxLsMs8WdUS8ysxLsMs8WdUS82lQTTXZ:MsldsAsldss9sldsyQslds2liTJ

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 11 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Kills process with taskkill 2 IoCs
    evasion
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:8
    • C:\Users\Admin\AppData\Local\Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3864
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\70DA.tmp\70DB.tmp\70DC.bat C:\Users\Admin\AppData\Local\Temp\setup.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Create /sc onidle /i 1 /tn OracleUpdate /tr C:\Users\Admin\AppData\Roaming\Oracle\null.exe
          4⤵
          • Creates scheduled task(s)
          PID:4232
        • C:\Users\Admin\AppData\Roaming\Oracle\null.exe
          C:\Users\Admin\AppData\Roaming\Oracle\null.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3928
          • C:\Windows\system32\cmd.exe
            "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B5A4.tmp\B5A5.tmp\B5A6.bat C:\Users\Admin\AppData\Roaming\Oracle\null.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:776
            • C:\ProgramData\Oracle\ver.exe
              C:\ProgramData\Oracle\ver.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:412
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im "ver.exe"
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1872
            • C:\Windows\system32\timeout.exe
              timeout 25
              6⤵
              • Delays execution with timeout.exe
              PID:4584
            • C:\ProgramData\Oracle\mblctr.exe
              C:\ProgramData\Oracle\mblctr.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1436
              • C:\Windows\system32\cmd.exe
                "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\172D.tmp\172E.tmp\172F.bat C:\ProgramData\Oracle\mblctr.exe"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1848
                • C:\Windows\system32\PING.EXE
                  ping 216.58.209.174 -t -l 65500
                  8⤵
                  • Runs ping.exe
                  PID:3768
  • C:\Users\Admin\AppData\Local\Temp\TMP_1.exe
    TMP_1.exe
    1⤵
    • Executes dropped EXE
    PID:3584
  • C:\Windows\system32\timeout.exe
    timeout 17
    1⤵
    • Delays execution with timeout.exe
    PID:5104
  • C:\Users\Admin\AppData\Local\Temp\TMP_4.exe
    TMP_4.exe
    1⤵
    • Executes dropped EXE
    PID:4804
  • C:\Users\Admin\AppData\Local\Temp\TMP_3.exe
    TMP_3.exe
    1⤵
    • Executes dropped EXE
    PID:232
  • C:\Users\Admin\AppData\Local\Temp\TMP_2.exe
    TMP_2.exe
    1⤵
    • Executes dropped EXE
    PID:1112
  • C:\Users\Admin\AppData\Roaming\Oracle\null.exe
    C:\Users\Admin\AppData\Roaming\Oracle\null.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\220A.tmp\220B.tmp\220C.bat C:\Users\Admin\AppData\Roaming\Oracle\null.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\ProgramData\Oracle\ver.exe
        C:\ProgramData\Oracle\ver.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2120
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im "ver.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:404
      • C:\Windows\system32\timeout.exe
        timeout 25
        3⤵
        • Delays execution with timeout.exe
        PID:1620
      • C:\ProgramData\Oracle\mblctr.exe
        C:\ProgramData\Oracle\mblctr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\843E.tmp\843F.tmp\8440.bat C:\ProgramData\Oracle\mblctr.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3352
          • C:\Windows\system32\PING.EXE
            ping 216.58.209.174 -t -l 65500
            5⤵
            • Runs ping.exe
            PID:1948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Media\cfg.bat
    Filesize

    31B

    MD5

    37e327fb49eca19fd9e7d645f448aef9

    SHA1

    f0706e13faa83b0e61eee140c379cded955bb8f7

    SHA256

    ae2bc8114e5458119304fcecfb105e27921803fca5849856d1d2cfd1fc9274b6

    SHA512

    6da7f17cf360145c7d7303d435bf2afa89bbd661dd1df5328c0ed00c98b4731930273e5f12fe4325f6a19dfed664f035233b2d5902b12bf527f843e3e1b2f3aa

    Download Submit

  • C:\ProgramData\Oracle\mblctr.exe
    Filesize

    173KB

    MD5

    ecf80bb163eb2fd9b67f0417a9a48b60

    SHA1

    3f6e873c6c298aa5b101d0b472730568f64a8bb3

    SHA256

    b4fa97a98d23a9f1be5327f676f2fe1985124561aa9b1fc1fa432db8c582989b

    SHA512

    ea5d98af577f066f1ca275a354d53a824f1b2caa67b2308576118e29796b6202cb52a46542b19a41b6cbc7d1591c01a14b641b37a5adbd0de54924030fa07078

    Download Submit

  • C:\ProgramData\Oracle\ver.exe
    Filesize

    32KB

    MD5

    339a704c50db1d4348a13219372dcf82

    SHA1

    2a76adb21991a6017cdb2cc5a38080421e6f158c

    SHA256

    f724e20d9b00d5a9c3109388c4154a3ad8449e5486c8feeae306acae432d89a0

    SHA512

    5e69f2e2deca461db47aa149b1b0ab324b57142c6dedc5142abd6c38e5395109c05e763011b5ee0b8749eb41419526f9d148502f1f284fff48969dbf5d2ff492

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\172D.tmp\172E.tmp\172F.bat
    Filesize

    45B

    MD5

    d553475bc6ee3789c91ddf834a414451

    SHA1

    ede254d47f7beb1cac697294f3476fee15925fbb

    SHA256

    0d7c42ec32677f3ac29124733f8d8efc5befca5c352db2703157faff3e4d5958

    SHA512

    336c355ec73cb9b6f3260867ef63092056656edd20c96b49876e569c34557f2d1c09d8b413776cb000bd4ba5215df315ee9fd158c3dfd3868a5d80e2c8306186

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\70DA.tmp\70DB.tmp\70DC.bat
    Filesize

    185B

    MD5

    627cdb5811123c24df1bcc23c8fbe8c5

    SHA1

    60fa8dfa06fdc1510b03f1074e81a506b05e95b5

    SHA256

    3537ca928c5bb2598b2d8268d3d50123d76395d13cd47371d4a39bb8d0624311

    SHA512

    e991d3d403084daf2e481b0b97ab7393aff938cef89427336d2111bede0c27121bd3b4a495c5f0817dd29528ca8bce64f35a40b1536bd8e4cedeb82a06d7889e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\B5A4.tmp\B5A5.tmp\B5A6.bat
    Filesize

    104B

    MD5

    e2bf5b66bd7423fdaf861c6304b1089c

    SHA1

    5297b022ea5c0cfa4f2d7414f08262a372e91558

    SHA256

    d99094b54cc899f7068f218bdd413a0794cddf418c32e0d0d8dd8c641c8b7861

    SHA512

    6b17b0bcc9da8f9547bf7cc952d399637d6b9a4213bf68e37487011e5cfcd2a173497d36e520663d484b01bc3ae6903c34b85e17a17c3eea1dd6ce0dc17fa7cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TMP_1.exe
    Filesize

    279KB

    MD5

    22a60b9b1b7613ca33411b8427234c3e

    SHA1

    4ef6dfc3a70003a7244e562ea9ed34e26a093d46

    SHA256

    1bb0db868b236ec01778881971cfc0069aa53b1382f0e469242e9da2da4802a8

    SHA512

    67e33c6a4253f1f525ee43087ae896dc281c1efb5864ac4989ad35ffc70c3739302b392b35cf0d2d9d4a65b80aa16643e4f41b2a5241ec848631ed30780856a2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TMP_2.exe
    Filesize

    401KB

    MD5

    00db7f83805c09cb5a454b3379eaf236

    SHA1

    3c70cbb4b95eed9627cc1de025def6b70e75f726

    SHA256

    cc75eb41e934a43efa6f995118c91b281bb96fc5c9702b7a02ad9ae3e7ec1003

    SHA512

    b2e6c97bd122bd6195b47d7a3696590aaa02d967156d3c4c9ff93aa965daa4417030371fca461704a9ba45b3405fbf63513f2ca06947b1c920adcd4a1ba2ceb5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TMP_3.exe
    Filesize

    289KB

    MD5

    feb910e4d725596dbff0a84b21e487e3

    SHA1

    3ebdf913474aa1e896086221c87e24dc445a9c0d

    SHA256

    524c542c27625b475a2a3cc808fe6da8c07fac2a8d5fd059b4e9035a575a4ea3

    SHA512

    a95a137d837d01709a4a71c55980f5492c28f2e45980f9c3befb90b625d1f305ea0ff5e672d115a1b2dd6f30d540b7c6436e665070a39f441d19a59a6bbbb80b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TMP_4.exe
    Filesize

    92KB

    MD5

    ba1ac0b0fa7126612987bf9e15ef99da

    SHA1

    c18dc522b5b2d20e8a158fd9fbcf0d4de29b93c2

    SHA256

    8110a2ef23d32e788268b396fd36b4e2ca348235c43bd4e97618cb473b3869d5

    SHA512

    01914ca17119a7f0ef5036301bffd4a64ffc99c2360c0d1d74143b9340985adb24cb781536692b192ee7c1df9a26e8ea22300b68ff49e31a43b999cc1c124da7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    Filesize

    86KB

    MD5

    e33c414c85c815c08e2096f7e6684e4b

    SHA1

    c97fddd7043d9c9f994741fd8903ca26a58c8a31

    SHA256

    cd6be15da6c568a8b7ffe19eef2fdc67fab0283335021715f9633714ed49c9d6

    SHA512

    1f4468cc606ab04cc23c2f7d0cc45d84cb318afb5e6c2be402f4ff0dcb338a08fd45f1c235eda8786873e6f41434f76b2f49e94d74e59533aaf8c4867a727ea4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Oracle\null.exe
    Filesize

    88KB

    MD5

    73c8962cd40f16b3df7d07f3181e8648

    SHA1

    6770c6d20b6951d461639697909184fb5cc66e1c

    SHA256

    cf160d431d0f90ec244b5f5c0615a0ece40f272175a063782dcae6d11bc457dc

    SHA512

    77f21de9b1c366eeca17ef10db9601723ab4c0794a2e73bfd5161c60408646bf51cea9ea962e60f176bbcabc69d8743d4795001ec323c710eec9731d497d8221

    Download Submit

  • memory/8-12-0x0000000000400000-0x0000000000564000-memory.dmp

    Filesize

    1.4MB

    Download