Analysis
- max time kernel: 91s
- max time network: 113s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-04-2024 07:34
Behavioral task: behavioral1
- Sample: Server.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: Server.exe
- Resource: win10v2004-20240412-en
General
- Target: Server.exe
- Size: 37KB
- MD5: de43783b8b13388eb629c7675983def1
- SHA1: 9d8285f25c0e8d2a16fae6cba5d5dfbcf2c1d1f7
- SHA256: 0837d32cd4aabde333efdfc2695f522c07e505131b3d36cc12618be91a057290
- SHA512: 1052d7f2a2efb7543b970278f11e0b71410386fb7f8b1322ec14ec5681caf114e4f5ef2e30e1d3975207406559595a51d0e3c496de35a9bef6a3b58a6ca32a43
- SSDEEP: 384:SgzZxj6ic7ri5Z7JAyk/Y4IvDfZeKQVerAF+rMRTyN/0L+EcoinblneHQM3epzXl:RznHJ7k/Y4IDZbQorM+rMRa8NuTht
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 2 IoCs)
  Processes:
    pid   process
    4492  netsh.exe
    3836  netsh.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                 process
    Key value queried  \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation  Server.exe
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    1292  server.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes:
    description                        pid   process
    Token: SeDebugPrivilege            1292  server.exe
    Token: 33                          1292  server.exe
    Token: SeIncBasePriorityPrivilege  1292  server.exe
    Token: 33                          1292  server.exe
    Token: SeIncBasePriorityPrivilege  1292  server.exe
    Token: 33                          1292  server.exe
    Token: SeIncBasePriorityPrivilege  1292  server.exe
    Token: 33                          1292  server.exe
    Token: SeIncBasePriorityPrivilege  1292  server.exe
    Token: 33                          1292  server.exe
    Token: SeIncBasePriorityPrivilege  1292  server.exe
    Token: 33                          1292  server.exe
    Token: SeIncBasePriorityPrivilege  1292  server.exe
    Token: 33                          1292  server.exe
    Token: SeIncBasePriorityPrivilege  1292  server.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    description                       pid   process     target process
    PID 2260 wrote to memory of 1292  2260  Server.exe  server.exe
    PID 2260 wrote to memory of 1292  2260  Server.exe  server.exe
    PID 2260 wrote to memory of 1292  2260  Server.exe  server.exe
    PID 1292 wrote to memory of 4492  1292  server.exe  netsh.exe
    PID 1292 wrote to memory of 4492  1292  server.exe  netsh.exe
    PID 1292 wrote to memory of 4492  1292  server.exe  netsh.exe
    PID 1292 wrote to memory of 3836  1292  server.exe  netsh.exe
    PID 1292 wrote to memory of 3836  1292  server.exe  netsh.exe
    PID 1292 wrote to memory of 3836  1292  server.exe  netsh.exe
    PID 1292 wrote to memory of 2256  1292  server.exe  cmd.exe
    PID 1292 wrote to memory of 2256  1292  server.exe  cmd.exe
    PID 1292 wrote to memory of 2256  1292  server.exe  cmd.exe
    PID 2256 wrote to memory of 3516  2256  cmd.exe     PING.EXE
    PID 2256 wrote to memory of 3516  2256  cmd.exe     PING.EXE
    PID 2256 wrote to memory of 3516  2256  cmd.exe     PING.EXE
Processes (indented by process-tree depth)
- [depth 1] C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Roaming\server.exe
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
    - [depth 3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
      - Modifies Windows Firewall
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /k ping 0 & del "C:\Users\Admin\AppData\Roaming\server.exe" & exit
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 0
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log
  Filesize: 319B
  MD5: da4fafeffe21b7cb3a8c170ca7911976
  SHA1: 50ef77e2451ab60f93f4db88325b897d215be5ad
  SHA256: 7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7
  SHA512: 0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6
- C:\Users\Admin\AppData\Roaming\server.exe
  Filesize: 37KB
  MD5: de43783b8b13388eb629c7675983def1
  SHA1: 9d8285f25c0e8d2a16fae6cba5d5dfbcf2c1d1f7
  SHA256: 0837d32cd4aabde333efdfc2695f522c07e505131b3d36cc12618be91a057290
  SHA512: 1052d7f2a2efb7543b970278f11e0b71410386fb7f8b1322ec14ec5681caf114e4f5ef2e30e1d3975207406559595a51d0e3c496de35a9bef6a3b58a6ca32a43
- memory/1292-15-0x0000000001480000-0x0000000001490000-memory.dmp
  Filesize: 64KB
- memory/1292-14-0x0000000074DF0000-0x00000000753A1000-memory.dmp
  Filesize: 5.7MB
- memory/1292-16-0x0000000074DF0000-0x00000000753A1000-memory.dmp
  Filesize: 5.7MB
- memory/1292-17-0x0000000001480000-0x0000000001490000-memory.dmp
  Filesize: 64KB
- memory/1292-18-0x0000000074DF0000-0x00000000753A1000-memory.dmp
  Filesize: 5.7MB
- memory/1292-19-0x0000000001480000-0x0000000001490000-memory.dmp
  Filesize: 64KB
- memory/1292-20-0x0000000001480000-0x0000000001490000-memory.dmp
  Filesize: 64KB
- memory/1292-21-0x0000000074DF0000-0x00000000753A1000-memory.dmp
  Filesize: 5.7MB
- memory/2260-2-0x0000000074DF0000-0x00000000753A1000-memory.dmp
  Filesize: 5.7MB
- memory/2260-1-0x00000000012E0000-0x00000000012F0000-memory.dmp
  Filesize: 64KB
- memory/2260-0-0x0000000074DF0000-0x00000000753A1000-memory.dmp
  Filesize: 5.7MB
- memory/2260-13-0x0000000074DF0000-0x00000000753A1000-memory.dmp
  Filesize: 5.7MB