Resubmissions
Date              ID                 Score
23-02-2024 22:41  240223-2l9m3abe2w  10
23-02-2024 22:40  240223-2lrr9aaf67  10
23-02-2024 22:34  240223-2he92sbd2t  10
23-02-2024 22:31  240223-2fhbmaae23  10
23-02-2024 21:56  240223-1tc4dshf83  10
23-02-2024 21:49  240223-1ptkksae41  10
23-02-2024 21:42  240223-1kaxnshe54  10
23-02-2024 21:34  240223-1e6r6ahd88  10
23-02-2024 20:17  240223-y239fagd36  10

Analysis
Max time kernel: 1799s
Max time network: 1802s
Platform: windows10-2004_x64
Resource: win10v2004-20240221-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23-02-2024 22:40
Behavioral task: behavioral1
Sample: Server.exe
Resource: win7-20240221-en
10 signatures, 1800 seconds

Behavioral task: behavioral2
Sample: Server.exe
Resource: win10v2004-20240221-en
4 signatures, 1800 seconds
General
Target: Server.exe
Size: 37KB
MD5: 3331918a0568c0d815a272bbcd21497f
SHA1: 31b093fea6e6447fb4c232faa6d04db2e8549199
SHA256: e6c2602e22933912b73477dac66ed9ac50bf2de7a0254c8ac68d4034b3be7459
SHA512: 27dbd0846d9f6e65909849b19bd4cec58f12477650b8bbae95bb8437ab5038e3f9029a3f5ef2cbaf55afa2b76ec1a367d9e3505a1d0047a880eb3d8d639b2024
SSDEEP: 384:BLuf7WpgibTjpPu7w9qyMTczHPes2A7rbrAF+rMRTyN/0L+EcoinblneHQM3epza:EqNN9ZMTczWtAbrM+rMRa8Nuqnt
Score: 8/10
Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoCs)
pid   Process
4888  netsh.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
1732  Server.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                        pid   Process
Token: SeDebugPrivilege            1732  Server.exe
Token: 33                          1732  Server.exe
Token: SeIncBasePriorityPrivilege  1732  Server.exe
(the two rows Token: 33 and Token: SeIncBasePriorityPrivilege alternate for all remaining entries, each for pid 1732 Server.exe; 64 rows in total)

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process     procid_target
PID 1732 wrote to memory of 4888  1732  Server.exe  87
PID 1732 wrote to memory of 4888  1732  Server.exe  87
PID 1732 wrote to memory of 4888  1732  Server.exe  87
Processes
1. C:\Users\Admin\AppData\Local\Temp\Server.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1732
   2. C:\Windows\SysWOW64\netsh.exe (child of PID 1732)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
      - Modifies Windows Firewall
      PID: 4888