560d49387e813dbf14946bfa1d7db5b4038a90f87feba2b846676ee99f8e7de0

Analysis

max time kernel
148s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02/05/2024, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

93KB
MD5

dc39a37ae63c2456cd23252be31d3562
SHA1

5ef126dc5b5e4cd2570016ff3afb53af1f6f4afe
SHA256

560d49387e813dbf14946bfa1d7db5b4038a90f87feba2b846676ee99f8e7de0
SHA512

d6c212b729497d199864c2b4119d88e0fda17f8a82d294127a38905baaf5a6430a2a8203fe63a98f5ad35d3260f8a6d758b84b030a1d6cc41aaf7df872e112e9
SSDEEP

1536:j6K1GkeUqZJO5wNSimjEwzGi1dDUDigS:j61UqZJOeAOi1dCH

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 34 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1312	netsh.exe
4548	netsh.exe
2788	netsh.exe
60	netsh.exe
3428	netsh.exe
4316	netsh.exe
3452	netsh.exe
4320	netsh.exe
4700	netsh.exe
4764	netsh.exe
1792	netsh.exe
3856	netsh.exe
4704	netsh.exe
632	netsh.exe
1456	netsh.exe
4556	netsh.exe
3224	netsh.exe
4252	netsh.exe
4256	netsh.exe
4360	netsh.exe
4708	netsh.exe
4280	netsh.exe
4424	netsh.exe
1532	netsh.exe
3588	netsh.exe
4352	netsh.exe
4664	netsh.exe
4248	netsh.exe
4924	netsh.exe
1576	netsh.exe
4304	netsh.exe
4920	netsh.exe
4568	netsh.exe
3384	netsh.exe

Deletes itself 1 IoCs

pid	Process
2548	svchost.exe

Drops startup file 40 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\236a28b95be2e64f419c0d11d3ee97c0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\236a28b95be2e64f419c0d11d3ee97c0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\236a28b95be2e64f419c0d11d3ee97c0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\236a28b95be2e64f419c0d11d3ee97c0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\236a28b95be2e64f419c0d11d3ee97c0windows update.exe	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\236a28b95be2e64f419c0d11d3ee97c0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\236a28b95be2e64f419c0d11d3ee97c0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\236a28b95be2e64f419c0d11d3ee97c0Windows Update.exe	server.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\microsoft corporation.exe	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\236a28b95be2e64f419c0d11d3ee97c0Windows Update.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\236a28b95be2e64f419c0d11d3ee97c0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\236a28b95be2e64f419c0d11d3ee97c0Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\236a28b95be2e64f419c0d11d3ee97c0Windows Update.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\236a28b95be2e64f419c0d11d3ee97c0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\236a28b95be2e64f419c0d11d3ee97c0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe

Executes dropped EXE 22 IoCs

pid	Process
2548	svchost.exe
4620	server.exe
2676	svchost.exe
1500	server.exe
4528	svchost.exe
2116	server.exe
4268	svchost.exe
3460	server.exe
2820	svchost.exe
4284	server.exe
1316	svchost.exe
4592	server.exe
3416	svchost.exe
4984	server.exe
1776	svchost.exe
3532	server.exe
560	svchost.exe
3564	server.exe
2100	svchost.exe
4360	server.exe
4340	svchost.exe
4736	server.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	Server.exe
File opened for modification	C:\autorun.inf	Server.exe
File created	F:\autorun.inf	Server.exe
File opened for modification	F:\autorun.inf	Server.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File created	C:\Windows\SysWOW64\Explower.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	Server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File created	C:\Program Files (x86)\Explower.exe	Server.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe
4668	Server.exe

Suspicious behavior: GetForegroundWindowSpam 12 IoCs

pid	Process
4668	Server.exe
4620	server.exe
1500	server.exe
2116	server.exe
3460	server.exe
4284	server.exe
4592	server.exe
4984	server.exe
3532	server.exe
3564	server.exe
4360	server.exe
4736	server.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	Server.exe
Token: SeDebugPrivilege	4452	taskmgr.exe
Token: SeSystemProfilePrivilege	4452	taskmgr.exe
Token: SeCreateGlobalPrivilege	4452	taskmgr.exe
Token: SeDebugPrivilege	4620	server.exe
Token: SeDebugPrivilege	1500	server.exe
Token: SeDebugPrivilege	2116	server.exe
Token: SeDebugPrivilege	3460	server.exe
Token: SeDebugPrivilege	4284	server.exe
Token: SeDebugPrivilege	4592	server.exe
Token: SeDebugPrivilege	4984	server.exe
Token: SeDebugPrivilege	3532	server.exe
Token: SeDebugPrivilege	3564	server.exe
Token: SeDebugPrivilege	4360	server.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 4568	4668	Server.exe	72
PID 4668 wrote to memory of 4568	4668	Server.exe	72
PID 4668 wrote to memory of 4568	4668	Server.exe	72
PID 4668 wrote to memory of 4256	4668	Server.exe	74
PID 4668 wrote to memory of 4256	4668	Server.exe	74
PID 4668 wrote to memory of 4256	4668	Server.exe	74
PID 4668 wrote to memory of 1456	4668	Server.exe	75
PID 4668 wrote to memory of 1456	4668	Server.exe	75
PID 4668 wrote to memory of 1456	4668	Server.exe	75
PID 4668 wrote to memory of 2548	4668	Server.exe	78
PID 4668 wrote to memory of 2548	4668	Server.exe	78
PID 4668 wrote to memory of 2548	4668	Server.exe	78
PID 2548 wrote to memory of 4620	2548	svchost.exe	79
PID 2548 wrote to memory of 4620	2548	svchost.exe	79
PID 2548 wrote to memory of 4620	2548	svchost.exe	79
PID 4620 wrote to memory of 60	4620	server.exe	81
PID 4620 wrote to memory of 60	4620	server.exe	81
PID 4620 wrote to memory of 60	4620	server.exe	81
PID 4620 wrote to memory of 1532	4620	server.exe	83
PID 4620 wrote to memory of 1532	4620	server.exe	83
PID 4620 wrote to memory of 1532	4620	server.exe	83
PID 4620 wrote to memory of 4360	4620	server.exe	84
PID 4620 wrote to memory of 4360	4620	server.exe	84
PID 4620 wrote to memory of 4360	4620	server.exe	84
PID 4620 wrote to memory of 2676	4620	server.exe	87
PID 4620 wrote to memory of 2676	4620	server.exe	87
PID 4620 wrote to memory of 2676	4620	server.exe	87
PID 2676 wrote to memory of 1500	2676	svchost.exe	88
PID 2676 wrote to memory of 1500	2676	svchost.exe	88
PID 2676 wrote to memory of 1500	2676	svchost.exe	88
PID 1500 wrote to memory of 4556	1500	server.exe	89
PID 1500 wrote to memory of 4556	1500	server.exe	89
PID 1500 wrote to memory of 4556	1500	server.exe	89
PID 1500 wrote to memory of 3428	1500	server.exe	91
PID 1500 wrote to memory of 3428	1500	server.exe	91
PID 1500 wrote to memory of 3428	1500	server.exe	91
PID 1500 wrote to memory of 4248	1500	server.exe	92
PID 1500 wrote to memory of 4248	1500	server.exe	92
PID 1500 wrote to memory of 4248	1500	server.exe	92
PID 1500 wrote to memory of 4528	1500	server.exe	95
PID 1500 wrote to memory of 4528	1500	server.exe	95
PID 1500 wrote to memory of 4528	1500	server.exe	95
PID 4528 wrote to memory of 2116	4528	svchost.exe	96
PID 4528 wrote to memory of 2116	4528	svchost.exe	96
PID 4528 wrote to memory of 2116	4528	svchost.exe	96
PID 2116 wrote to memory of 4316	2116	server.exe	97
PID 2116 wrote to memory of 4316	2116	server.exe	97
PID 2116 wrote to memory of 4316	2116	server.exe	97
PID 2116 wrote to memory of 3452	2116	server.exe	99
PID 2116 wrote to memory of 3452	2116	server.exe	99
PID 2116 wrote to memory of 3452	2116	server.exe	99
PID 2116 wrote to memory of 4708	2116	server.exe	100
PID 2116 wrote to memory of 4708	2116	server.exe	100
PID 2116 wrote to memory of 4708	2116	server.exe	100
PID 2116 wrote to memory of 4268	2116	server.exe	103
PID 2116 wrote to memory of 4268	2116	server.exe	103
PID 2116 wrote to memory of 4268	2116	server.exe	103
PID 4268 wrote to memory of 3460	4268	svchost.exe	104
PID 4268 wrote to memory of 3460	4268	svchost.exe	104
PID 4268 wrote to memory of 3460	4268	svchost.exe	104
PID 3460 wrote to memory of 4320	3460	server.exe	105
PID 3460 wrote to memory of 4320	3460	server.exe	105
PID 3460 wrote to memory of 4320	3460	server.exe	105
PID 3460 wrote to memory of 1312	3460	server.exe	107

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Drops startup file
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4568
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Modifies Windows Firewall
  PID:4256
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:1456
- C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:60
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Modifies Windows Firewall
      PID:1532
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4360
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1500
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:4556
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        6⤵
        Modifies Windows Firewall
        
        PID:3428
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:4248
      - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        7⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        8⤵
        Modifies Windows Firewall
        
        PID:4316
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        8⤵
        Modifies Windows Firewall
        
        PID:3452
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        8⤵
        Modifies Windows Firewall
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        9⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        10⤵
        Modifies Windows Firewall
        
        PID:4320
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        10⤵
        Modifies Windows Firewall
        
        PID:1312
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        10⤵
        Modifies Windows Firewall
        
        PID:3588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        10⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        11⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        12⤵
        Modifies Windows Firewall
        
        PID:4548
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        12⤵
        Modifies Windows Firewall
        
        PID:4280
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        12⤵
        Modifies Windows Firewall
        
        PID:4764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        12⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        13⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        14⤵
        Modifies Windows Firewall
        
        PID:4924
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        14⤵
        Modifies Windows Firewall
        
        PID:1792
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        14⤵
        Modifies Windows Firewall
        
        PID:3856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        14⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        15⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        16⤵
        Modifies Windows Firewall
        
        PID:4352
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        16⤵
        Modifies Windows Firewall
        
        PID:1576
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        16⤵
        Modifies Windows Firewall
        
        PID:4704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        16⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        17⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        18⤵
        Modifies Windows Firewall
        
        PID:3384
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        18⤵
        Modifies Windows Firewall
        
        PID:632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        18⤵
        Modifies Windows Firewall
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        18⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        19⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        20⤵
        Modifies Windows Firewall
        
        PID:4304
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        20⤵
        Modifies Windows Firewall
        
        PID:4664
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        20⤵
        Modifies Windows Firewall
        
        PID:3224
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        20⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        21⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        22⤵
        Modifies Windows Firewall
        
        PID:4424
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        22⤵
        Modifies Windows Firewall
        
        PID:4252
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        22⤵
        Modifies Windows Firewall
        
        PID:4700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        22⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        23⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4736
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        24⤵
        Modifies Windows Firewall
        
        PID:4920

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Umbrella.flv.exe

Filesize
93KB

MD5
dc39a37ae63c2456cd23252be31d3562

SHA1
5ef126dc5b5e4cd2570016ff3afb53af1f6f4afe

SHA256
560d49387e813dbf14946bfa1d7db5b4038a90f87feba2b846676ee99f8e7de0

SHA512
d6c212b729497d199864c2b4119d88e0fda17f8a82d294127a38905baaf5a6430a2a8203fe63a98f5ad35d3260f8a6d758b84b030a1d6cc41aaf7df872e112e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
496B

MD5
10ed88ccab68027f754c46ee20645665

SHA1
6aa95ea2c58267311eaf81bf598f26708c9f6572

SHA256
e76e115def675e2ef12faca4479c1f968b62e961d520dc49a1576915c1d5ff95

SHA512
731ea8cf60d9513c1b60d4a59eb39f2a5f6581752419cbb5633dd0fe5ef916bcf620a1ed932221589ad50c462f8f46191a912784dab75c98fdd4e0faed13ffca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log

Filesize
408B

MD5
6b062b48db9a8e149e10fefd80ab54ef

SHA1
1e72855f88c33b6ddce512b079bbe2e4aa2b6b57

SHA256
026518c621aa1e908fd3617fe1d684a6225393659345ad4f9c085fc4f6b3cf43

SHA512
b36007e2b0b71247979cdac1b17520cc37065c001464b4c70d642c8a059510d28ed8b57b7e4df59a43d99d69c588c1bab7b3c95c6a75c0ab98317246b56f7832

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
44B

MD5
298802dff6aa26d4fb941c7ccf5c0849

SHA1
11e518ca3409f1863ebc2d3f1be9fb701bad52c0

SHA256
df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d

SHA512
0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
931db99e42055249760280846b3d667a

SHA1
9e0e0cea04560fcbf4ded54640a65a6987943672

SHA256
2a6b5dd5f6530a184eba6f0cced2c935751cf2c27fc3ab2e7124e76a249fdee6

SHA512
66471125ec18e0573e51decaf82bd7e1c792bad12ee0d98697a0870d1ddc670a6407912a648f44d5500ee543f37180ddf8825c86c8f990c2f8305620cf1ea6e0

Download Submit
memory/4668-0-0x0000000073381000-0x0000000073382000-memory.dmp

Filesize
4KB

Download
memory/4668-1-0x0000000073380000-0x0000000073930000-memory.dmp

Filesize
5.7MB

Download
memory/4668-2-0x0000000073380000-0x0000000073930000-memory.dmp

Filesize
5.7MB

Download
memory/4668-42-0x0000000073380000-0x0000000073930000-memory.dmp

Filesize
5.7MB

Download