Analysis
Max time kernel: 150s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20240221-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 24-02-2024 23:23
Behavioral task: behavioral1
Sample: Server.exe
Resource: win7-20240221-en
4 signatures, 150 seconds

Behavioral task: behavioral2
Sample: Server.exe
Resource: win10v2004-20240221-en
4 signatures, 150 seconds
General
Target: Server.exe
Size: 93KB
MD5: 13cd46a5eb8b646c2cd750f4e9b3d4d6
SHA1: 9105e699f21dec42b1576b7fbd12fe5d31a0d27c
SHA256: a6325fc6013fad487c39965c87b0b45cea072d93248b0da741a94f3e843fd7c4
SHA512: 5bfdd1c812102ec057cce3ea0d4a67974fca54857fb2606ac16c43659bb7acbe4896408613f91944e6c09899a3f954d6a5d18a749e1b52cd50d59d110d81201e
SSDEEP: 768:VY3oyU3hWXxyFcxovUKUJuROprXtWNzeYhYbmXxrjEtCdnl2pi1Rz4Rk3dsGdpR3:YURWhIUKcuOJ2PhBjEwzGi1dDtDRgS
Score: 8/10
Malware Config
(none extracted)

Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 4248, process netsh.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2376, process Server.exe
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  All 37 entries are for pid 2376, process Server.exe. The first is Token: SeDebugPrivilege; the remaining 36 alternate between Token: 33 and Token: SeIncBasePriorityPrivilege.
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2376 (Server.exe) wrote to memory of 4248, procid_target 90 (reported three times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  PID: 2376
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
    PID: 4248
    - Modifies Windows Firewall