Analysis
-
max time kernel
47s -
max time network
38s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 02:57
Static task
static1
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10v2004-20240419-en
General
-
Target
Server.exe
-
Size
38KB
-
MD5
ac91fef4ff392661cc06c326cabcac14
-
SHA1
2db2f2c6e6e15885729f92326f2990f7856133a4
-
SHA256
018c8953f0aa9d8583264f426a30303871cc76407f2e435e3065e6088c201bee
-
SHA512
eb3bff15478ce10f37e9fafc5cb4acd7b20b794b2d5c63d284348134e669d0c27340812f9217355c8c4dda398511ba744e9ea78dd263050812666fd3db5a75b2
-
SSDEEP
768:rIJSfjBLO67C+ugprhmoGPr2Uu4TQpBryb0A4T/1E4OA:QSfj5O+23u7fryAT
Malware Config
Extracted
latentbot
hhhhhhhhhhh.zapto.org
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 3036 netsh.exe -
Drops startup file 2 IoCs
Processes:
Server.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\babe8364d0b44de2ea6e4bcccd70281e.exe Server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\babe8364d0b44de2ea6e4bcccd70281e.exe Server.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\babe8364d0b44de2ea6e4bcccd70281e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\babe8364d0b44de2ea6e4bcccd70281e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." Server.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Server.exepid process 2936 Server.exe 2936 Server.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Server.exedescription pid process Token: SeDebugPrivilege 2936 Server.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Server.exedescription pid process target process PID 2936 wrote to memory of 3036 2936 Server.exe netsh.exe PID 2936 wrote to memory of 3036 2936 Server.exe netsh.exe PID 2936 wrote to memory of 3036 2936 Server.exe netsh.exe PID 2936 wrote to memory of 3036 2936 Server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\! My Picutre.SCRFilesize
38KB
MD5ac91fef4ff392661cc06c326cabcac14
SHA12db2f2c6e6e15885729f92326f2990f7856133a4
SHA256018c8953f0aa9d8583264f426a30303871cc76407f2e435e3065e6088c201bee
SHA512eb3bff15478ce10f37e9fafc5cb4acd7b20b794b2d5c63d284348134e669d0c27340812f9217355c8c4dda398511ba744e9ea78dd263050812666fd3db5a75b2
-
memory/2936-0-0x0000000074400000-0x00000000749AB000-memory.dmpFilesize
5.7MB
-
memory/2936-1-0x0000000074400000-0x00000000749AB000-memory.dmpFilesize
5.7MB
-
memory/2936-2-0x0000000001ED0000-0x0000000001F10000-memory.dmpFilesize
256KB
-
memory/2936-5-0x0000000074400000-0x00000000749AB000-memory.dmpFilesize
5.7MB
-
memory/2936-7-0x0000000001ED0000-0x0000000001F10000-memory.dmpFilesize
256KB