Analysis
max time kernel: 209s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-02-2024 03:18

Behavioral task behavioral1
Sample: Server.exe
Resource: win7-20240215-en
4 signatures
150 seconds

Behavioral task behavioral2
Sample: Server.exe
Resource: win10v2004-20240221-en
4 signatures
150 seconds
General
Target: Server.exe
Size: 93KB
MD5: 1c0e0635365312368a9576eeb8d73ba5
SHA1: 842c11c9b8f101e92565d6c61ae2fb06bada15ce
SHA256: f7d1655402571e508ffde1b36b75322782c40fa9a269bc13a246220bf16bccb6
SHA512: 715de4c6f3f27d12f8c810b45bedd99459a2df20b095e809661b09eef1b7a20d2bf7aa6cd7d8a7530f31fe834c58a60970f055fc15b0e98c0750f0e8e1cb948c
SSDEEP: 768:vY33UYSgmnldjcRoMwrx7Y+DIkIITJbXX0pOt8ux82WXxrjEtCdnl2pi1Rz4Rk3Z:WUmmlbrq+1NTZ0OojEwzGi1dDNDbgS
Score: 8/10
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
pid    Process
1096   netsh.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid    Process
1568   Server.exe

Suspicious use of AdjustPrivilegeToken (51 IoCs)
description                          pid    Process
Token: SeDebugPrivilege              1568   Server.exe
Token: 33                            1568   Server.exe
Token: SeIncBasePriorityPrivilege    1568   Server.exe
(the remaining entries alternate between Token: 33 and Token: SeIncBasePriorityPrivilege, all for pid 1568 Server.exe)

Suspicious use of WriteProcessMemory (3 IoCs)
description                         pid    Process      procid_target
PID 1568 wrote to memory of 1096    1568   Server.exe   90
(this entry is reported 3 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Server.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
   PID: 1568
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\netsh.exe (child of PID 1568)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
      PID: 1096
      - Modifies Windows Firewall