0837d32cd4aabde333efdfc2695f522c07e505131b3d36cc12618be91a057290

General

Target

Server.exe
Size

37KB
MD5

de43783b8b13388eb629c7675983def1
SHA1

9d8285f25c0e8d2a16fae6cba5d5dfbcf2c1d1f7
SHA256

0837d32cd4aabde333efdfc2695f522c07e505131b3d36cc12618be91a057290
SHA512

1052d7f2a2efb7543b970278f11e0b71410386fb7f8b1322ec14ec5681caf114e4f5ef2e30e1d3975207406559595a51d0e3c496de35a9bef6a3b58a6ca32a43
SSDEEP

384:SgzZxj6ic7ri5Z7JAyk/Y4IvDfZeKQVerAF+rMRTyN/0L+EcoinblneHQM3epzXl:RznHJ7k/Y4IDZbQorM+rMRa8NuTht

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

4492 netsh.exe
3836 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Server.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation Server.exe
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1292 server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3516 PING.EXE

pid	process
4492	netsh.exe
3836	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	Server.exe

pid	process
1292	server.exe

pid	process
3516	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	1292	server.exe
Token: 33	1292	server.exe
Token: SeIncBasePriorityPrivilege	1292	server.exe
Token: 33	1292	server.exe
Token: SeIncBasePriorityPrivilege	1292	server.exe
Token: 33	1292	server.exe
Token: SeIncBasePriorityPrivilege	1292	server.exe
Token: 33	1292	server.exe
Token: SeIncBasePriorityPrivilege	1292	server.exe
Token: 33	1292	server.exe
Token: SeIncBasePriorityPrivilege	1292	server.exe
Token: 33	1292	server.exe
Token: SeIncBasePriorityPrivilege	1292	server.exe
Token: 33	1292	server.exe
Token: SeIncBasePriorityPrivilege	1292	server.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Server.exeserver.execmd.exe

description	pid	process	target process
PID 2260 wrote to memory of 1292	2260	Server.exe	server.exe
PID 2260 wrote to memory of 1292	2260	Server.exe	server.exe
PID 2260 wrote to memory of 1292	2260	Server.exe	server.exe
PID 1292 wrote to memory of 4492	1292	server.exe	netsh.exe
PID 1292 wrote to memory of 4492	1292	server.exe	netsh.exe
PID 1292 wrote to memory of 4492	1292	server.exe	netsh.exe
PID 1292 wrote to memory of 3836	1292	server.exe	netsh.exe
PID 1292 wrote to memory of 3836	1292	server.exe	netsh.exe
PID 1292 wrote to memory of 3836	1292	server.exe	netsh.exe
PID 1292 wrote to memory of 2256	1292	server.exe	cmd.exe
PID 1292 wrote to memory of 2256	1292	server.exe	cmd.exe
PID 1292 wrote to memory of 2256	1292	server.exe	cmd.exe
PID 2256 wrote to memory of 3516	2256	cmd.exe	PING.EXE
PID 2256 wrote to memory of 3516	2256	cmd.exe	PING.EXE
PID 2256 wrote to memory of 3516	2256	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2260

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4492

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
3⤵
- Modifies Windows Firewall
PID:3836

C:\Windows\SysWOW64\cmd.exe
cmd.exe /k ping 0 & del "C:\Users\Admin\AppData\Roaming\server.exe" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\PING.EXE
ping 0
4⤵
- Runs ping.exe
PID:3516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log
Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
37KB

MD5
de43783b8b13388eb629c7675983def1

SHA1
9d8285f25c0e8d2a16fae6cba5d5dfbcf2c1d1f7

SHA256
0837d32cd4aabde333efdfc2695f522c07e505131b3d36cc12618be91a057290

SHA512
1052d7f2a2efb7543b970278f11e0b71410386fb7f8b1322ec14ec5681caf114e4f5ef2e30e1d3975207406559595a51d0e3c496de35a9bef6a3b58a6ca32a43

Download Submit
memory/1292-15-0x0000000001480000-0x0000000001490000-memory.dmp

Filesize
64KB

Download
memory/1292-14-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/1292-16-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/1292-17-0x0000000001480000-0x0000000001490000-memory.dmp

Filesize
64KB

Download
memory/1292-18-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/1292-19-0x0000000001480000-0x0000000001490000-memory.dmp

Filesize
64KB

Download
memory/1292-20-0x0000000001480000-0x0000000001490000-memory.dmp

Filesize
64KB

Download
memory/1292-21-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/2260-2-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/2260-1-0x00000000012E0000-0x00000000012F0000-memory.dmp

Filesize
64KB

Download
memory/2260-0-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/2260-13-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing