e5c1eaf188efbdb3c073170c5feace9217d8fbe0136d1d653bde0fd241132007

Analysis

max time kernel
163s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

860d460eee71e45b0f371841a3df000a.exe
Size

93KB
MD5

860d460eee71e45b0f371841a3df000a
SHA1

d0231d6b9674a08d7dd133f30f3f664b94d0dcd6
SHA256

e5c1eaf188efbdb3c073170c5feace9217d8fbe0136d1d653bde0fd241132007
SHA512

50c70a8a188fa158f46db1133570c2a7182838371ea4a2afe36c4af61dbc6350eb2306fab5c0907e806e35ba6a6376d62d566840619dc8ca6f23dff8c7483450
SSDEEP

768:5Y31mnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk36sGU:OmxOx6baIa9ROj00ljEwzGi1dD2DegS

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4356	netsh.exe
4664	netsh.exe
3332	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	860d460eee71e45b0f371841a3df000a.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ce05379ba15309f7cafb16f87e52ed8eWindows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ce05379ba15309f7cafb16f87e52ed8eWindows Update.exe	server.exe

Executes dropped EXE 1 IoCs

pid	Process
2116	server.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe
2116	server.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
392	860d460eee71e45b0f371841a3df000a.exe
2116	server.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	server.exe
Token: 33	2116	server.exe
Token: SeIncBasePriorityPrivilege	2116	server.exe
Token: 33	2116	server.exe
Token: SeIncBasePriorityPrivilege	2116	server.exe
Token: 33	2116	server.exe
Token: SeIncBasePriorityPrivilege	2116	server.exe
Token: 33	2116	server.exe
Token: SeIncBasePriorityPrivilege	2116	server.exe
Token: 33	2116	server.exe
Token: SeIncBasePriorityPrivilege	2116	server.exe
Token: 33	2116	server.exe
Token: SeIncBasePriorityPrivilege	2116	server.exe
Token: 33	2116	server.exe
Token: SeIncBasePriorityPrivilege	2116	server.exe
Token: 33	2116	server.exe
Token: SeIncBasePriorityPrivilege	2116	server.exe
Token: 33	2116	server.exe
Token: SeIncBasePriorityPrivilege	2116	server.exe
Token: 33	2116	server.exe
Token: SeIncBasePriorityPrivilege	2116	server.exe
Token: 33	2116	server.exe
Token: SeIncBasePriorityPrivilege	2116	server.exe
Token: 33	2116	server.exe
Token: SeIncBasePriorityPrivilege	2116	server.exe
Token: 33	2116	server.exe
Token: SeIncBasePriorityPrivilege	2116	server.exe
Token: 33	2116	server.exe
Token: SeIncBasePriorityPrivilege	2116	server.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 2116	392	860d460eee71e45b0f371841a3df000a.exe	86
PID 392 wrote to memory of 2116	392	860d460eee71e45b0f371841a3df000a.exe	86
PID 392 wrote to memory of 2116	392	860d460eee71e45b0f371841a3df000a.exe	86
PID 2116 wrote to memory of 4356	2116	server.exe	88
PID 2116 wrote to memory of 4356	2116	server.exe	88
PID 2116 wrote to memory of 4356	2116	server.exe	88
PID 2116 wrote to memory of 3332	2116	server.exe	94
PID 2116 wrote to memory of 3332	2116	server.exe	94
PID 2116 wrote to memory of 3332	2116	server.exe	94
PID 2116 wrote to memory of 4664	2116	server.exe	93
PID 2116 wrote to memory of 4664	2116	server.exe	93
PID 2116 wrote to memory of 4664	2116	server.exe	93

C:\Users\Admin\AppData\Local\Temp\860d460eee71e45b0f371841a3df000a.exe
"C:\Users\Admin\AppData\Local\Temp\860d460eee71e45b0f371841a3df000a.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4356
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4664
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Modifies Windows Firewall
    PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
93KB

MD5
860d460eee71e45b0f371841a3df000a

SHA1
d0231d6b9674a08d7dd133f30f3f664b94d0dcd6

SHA256
e5c1eaf188efbdb3c073170c5feace9217d8fbe0136d1d653bde0fd241132007

SHA512
50c70a8a188fa158f46db1133570c2a7182838371ea4a2afe36c4af61dbc6350eb2306fab5c0907e806e35ba6a6376d62d566840619dc8ca6f23dff8c7483450

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
4d853d9c7197ee7fa81c6535b1f7d655

SHA1
eac3d866e991967b385f3dd22da25e410d8f7f49

SHA256
5abdb6175f820f0ac3d8647fbb1f7a0bcc91757a782a8a145570944ca6a00c96

SHA512
dc5a09d8586eb9f591f6e00187817c19f693e9328a1b2e5838c61c0b234e9608eecc45bbf7f4a90912e9a456d0ab469ed2503bafb4988b276cec8d5f0b18fda7

Download Submit
memory/392-19-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/392-2-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/392-12-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/392-1-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/392-0-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2116-13-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2116-14-0x00000000011D0000-0x00000000011E0000-memory.dmp

Filesize
64KB

Download
memory/2116-15-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2116-48-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2116-49-0x00000000011D0000-0x00000000011E0000-memory.dmp

Filesize
64KB

Download
memory/2116-50-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download