Analysis
max time kernel: 148s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24-02-2024 23:23
Behavioral task: behavioral1
Sample: Server.exe
Resource: win7-20240221-en
4 signatures
150 seconds

Behavioral task: behavioral2
Sample: Server.exe
Resource: win10v2004-20240221-en
4 signatures
150 seconds
General
Target: Server.exe
Size: 93KB
MD5: 13cd46a5eb8b646c2cd750f4e9b3d4d6
SHA1: 9105e699f21dec42b1576b7fbd12fe5d31a0d27c
SHA256: a6325fc6013fad487c39965c87b0b45cea072d93248b0da741a94f3e843fd7c4
SHA512: 5bfdd1c812102ec057cce3ea0d4a67974fca54857fb2606ac16c43659bb7acbe4896408613f91944e6c09899a3f954d6a5d18a749e1b52cd50d59d110d81201e
SSDEEP: 768:VY3oyU3hWXxyFcxovUKUJuROprXtWNzeYhYbmXxrjEtCdnl2pi1Rz4Rk3dsGdpR3:YURWhIUKcuOJ2PhBjEwzGi1dDtDRgS
Score: 8/10
Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
pid   Process
2624  netsh.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
2944  Server.exe

Suspicious use of AdjustPrivilegeToken (37 IoCs)
description                        pid   Process
Token: SeDebugPrivilege            2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe
Token: 33                          2944  Server.exe
Token: SeIncBasePriorityPrivilege  2944  Server.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                        pid   Process     procid_target
PID 2944 wrote to memory of 2624   2944  Server.exe  28
PID 2944 wrote to memory of 2624   2944  Server.exe  28
PID 2944 wrote to memory of 2624   2944  Server.exe  28
PID 2944 wrote to memory of 2624   2944  Server.exe  28
Processes
1. C:\Users\Admin\AppData\Local\Temp\Server.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
   PID: 2944
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (child of PID 2944)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
      PID: 2624
      - Modifies Windows Firewall