Resubmissions

  • 23-02-2024 22:41  240223-2l9m3abe2w  10
  • 23-02-2024 22:40  240223-2lrr9aaf67  10
  • 23-02-2024 22:34  240223-2he92sbd2t  10
  • 23-02-2024 22:31  240223-2fhbmaae23  10
  • 23-02-2024 21:56  240223-1tc4dshf83  10
  • 23-02-2024 21:49  240223-1ptkksae41  10
  • 23-02-2024 21:42  240223-1kaxnshe54  10
  • 23-02-2024 21:34  240223-1e6r6ahd88  10
  • 23-02-2024 20:17  240223-y239fagd36  10

Analysis

  • max time kernel
    1797s
  • max time network
    1803s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-02-2024 22:40

General

  • Target
    Server.exe
  • Size
    37KB
  • MD5
    3331918a0568c0d815a272bbcd21497f
  • SHA1
    31b093fea6e6447fb4c232faa6d04db2e8549199
  • SHA256
    e6c2602e22933912b73477dac66ed9ac50bf2de7a0254c8ac68d4034b3be7459
  • SHA512
    27dbd0846d9f6e65909849b19bd4cec58f12477650b8bbae95bb8437ab5038e3f9029a3f5ef2cbaf55afa2b76ec1a367d9e3505a1d0047a880eb3d8d639b2024
  • SSDEEP
    384:BLuf7WpgibTjpPu7w9qyMTczHPes2A7rbrAF+rMRTyN/0L+EcoinblneHQM3epza:EqNN9ZMTczWtAbrM+rMRa8Nuqnt

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 8 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:2516
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:2592
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x4b8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1876
    • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
        "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2324
        • C:\Windows\SysWOW64\unregmp2.exe
          C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3048
          • C:\Windows\system32\unregmp2.exe
            "C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
            4⤵
            • Modifies Installed Components in the registry
            • Drops desktop.ini file(s)
            • Drops file in Program Files directory
            • Modifies registry class
            PID:2124
        • C:\Windows\SysWOW64\unregmp2.exe
          "C:\Windows\system32\unregmp2.exe" /PerformIndivIfNeeded
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2232
          • C:\Windows\system32\unregmp2.exe
            "C:\Windows\SysNative\unregmp2.exe" /PerformIndivIfNeeded /REENTRANT
            4⤵
            PID:1044
          • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
            "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Music\ExportComplete.wm
            3⤵
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Suspicious use of FindShellTrayWindow
            PID:2616

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{D81C8585-B0F0-44BE-B1D1-40FE443E10DB}.jpg
    Filesize: 23KB
    MD5: fd5fd28e41676618aac733b243ad54db
    SHA1: b2d69ad6a2e22c30ef1806ac4f990790c3b44763
    SHA256: a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431
    SHA512: 4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb
    Filesize: 1.0MB
    MD5: d01ce8738231e9ff5b39d030c9820cc3
    SHA1: 07a875a9686dbe5d69f5ee94574a1d4e8d520db7
    SHA256: 6f316c04071312a56b8dae79b25a47d31ae88821a18f20401bdb78e0eff4dc1d
    SHA512: c07ae2e67e42926119ccab6ddac5de508805769c3afe813d69c5eb5d46a6c1d3ce5cc46d6e75b5f770d35e57416018b62480723fb7f08b7f7ca28a139b987076

  • C:\Users\Admin\AppData\Local\Temp\tmp44354.WMC\allservices.xml
    Filesize: 546B
    MD5: df03e65b8e082f24dab09c57bc9c6241
    SHA1: 6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf
    SHA256: 155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba
    SHA512: ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

  • C:\Users\Admin\AppData\Local\Temp\tmp46273.WMC\serviceinfo.xml
    Filesize: 523B
    MD5: d58da90d6dc51f97cb84dfbffe2b2300
    SHA1: 5f86b06b992a3146cb698a99932ead57a5ec4666
    SHA256: 93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad
    SHA512: 7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize: 3KB
    MD5: 9886576e66b81b25fd681b343d4fcada
    SHA1: e521b1d0564401d3674ceeab52e047a3d3be5ac4
    SHA256: d336097245b946c264031533e8fdb6c45da641b0ecea9107d119a87de9cc4b53
    SHA512: 2d8355732f883b4b76c14ba53cce8224c76c2431c101ab948b812658eee2125cbe11dfce8ac0ba259b46ec2bfdf565903eecf79b8fe1abcfeb36d2d8854c6041

  • C:\Users\Admin\Desktop\RegisterDisable.docx
    Filesize: 309KB
    MD5: 8705248c19e5ee1b32ebcf606966d8c9
    SHA1: 9dd1731ce1ce803e386d16f3fc513eb0e82b039f
    SHA256: f87506719ad503481550ee959385eeb58645f65ca4e896406709c2bfab5747fc
    SHA512: 10661e2e64e555e655f387e87374569c636acf2b10692194d6fcdf1bebbab459e5c9297ae965abe409d814746beb62a338fe56b6e2f9d01495f8a2884e7ba75d

  • memory/1044-32-0x000007FEF4F00000-0x000007FEF4FD1000-memory.dmp (Filesize: 836KB)
  • memory/1044-22-0x000007FEF4FE0000-0x000007FEF50A2000-memory.dmp (Filesize: 776KB)
  • memory/1044-30-0x000007FEF40A0000-0x000007FEF41C8000-memory.dmp (Filesize: 1.2MB)
  • memory/1044-38-0x000007FEF4FE0000-0x000007FEF50A2000-memory.dmp (Filesize: 776KB)
  • memory/1044-39-0x000007FEF4F00000-0x000007FEF4FD1000-memory.dmp (Filesize: 836KB)
  • memory/1044-40-0x000007FEF40A0000-0x000007FEF41C8000-memory.dmp (Filesize: 1.2MB)
  • memory/2168-3-0x0000000000270000-0x00000000002B0000-memory.dmp (Filesize: 256KB)
  • memory/2168-0-0x0000000074A10000-0x0000000074FBB000-memory.dmp (Filesize: 5.7MB)
  • memory/2168-2-0x0000000074A10000-0x0000000074FBB000-memory.dmp (Filesize: 5.7MB)
  • memory/2168-4-0x0000000074A10000-0x0000000074FBB000-memory.dmp (Filesize: 5.7MB)
  • memory/2168-5-0x0000000000270000-0x00000000002B0000-memory.dmp (Filesize: 256KB)
  • memory/2168-1-0x0000000000270000-0x00000000002B0000-memory.dmp (Filesize: 256KB)
  • memory/2616-31-0x0000000000160000-0x0000000000161000-memory.dmp (Filesize: 4KB)
  • memory/2616-52-0x0000000000160000-0x0000000000161000-memory.dmp (Filesize: 4KB)
  • memory/2616-47-0x0000000003EC0000-0x0000000003ECA000-memory.dmp (Filesize: 40KB)
  • memory/2616-46-0x0000000003EC0000-0x0000000003ECA000-memory.dmp (Filesize: 40KB)
  • memory/2616-45-0x0000000003EC0000-0x0000000003ECA000-memory.dmp (Filesize: 40KB)
  • memory/2616-50-0x000000006EB20000-0x000000006EC11000-memory.dmp (Filesize: 964KB)
  • memory/2616-94-0x000000006EB20000-0x000000006EC11000-memory.dmp (Filesize: 964KB)
  • memory/2616-48-0x0000000003EC0000-0x0000000003ECA000-memory.dmp (Filesize: 40KB)
  • memory/2616-53-0x0000000003EC0000-0x0000000003ECA000-memory.dmp (Filesize: 40KB)
  • memory/2616-49-0x0000000003EC0000-0x0000000003ECA000-memory.dmp (Filesize: 40KB)
  • memory/2616-90-0x0000000003EC0000-0x0000000003ECA000-memory.dmp (Filesize: 40KB)
  • memory/2616-91-0x0000000003EC0000-0x0000000003ECA000-memory.dmp (Filesize: 40KB)
  • memory/2616-92-0x0000000003EC0000-0x0000000003ECA000-memory.dmp (Filesize: 40KB)
  • memory/2616-93-0x0000000003EC0000-0x0000000003ECA000-memory.dmp (Filesize: 40KB)
  • memory/2616-44-0x0000000003EC0000-0x0000000003ECA000-memory.dmp (Filesize: 40KB)