Analysis
max time kernel: 149s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-05-2024 16:37
Static task: static1
Behavioral task: behavioral1 (Sample: Server.exe, Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: Server.exe, Resource: win10v2004-20240508-en)
General
Target: Server.exe
Size: 76KB
MD5: 9ca0dca75c4d1c1453d5ab26a86d85c2
SHA1: c85a55c7c628231beb5f8d6a32e75646c1dc7348
SHA256: 1adc4f1c7e5cd29791e074dd27ef5bb4e6a9c14b5d8def6a4aa4d5d0e5c58fe6
SHA512: 88efd5b1f70beceff4f99ca9834b80318ccde6ed1fe30c39de7d494e4b0b5bf00dcf52ffdc19e032367b076be53d1f18a9a9dbf1f26648e095375dec653a27ed
SSDEEP: 1536:sjAsQye1NzY5wv3KxquaqjmRLxSXzZpozkZDt9g7:H9ye1NzYzVaqSRLxgNp5Zj
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Process     Description        IoC
  Server.exe  Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
  PID   Process
  1456  Svchost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Process      Description      IoC
  Svchost.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost = "C:\Users\Admin\AppData\Roaming\Microsoft\Svchost.exe"
  Note: the value name and file name imitate the Windows Service Host (svchost.exe), whose legitimate binary lives in %SystemRoot%\System32. Here the file runs from the user's %APPDATA%\Microsoft directory and is registered under the user's HKCU Run key, so this is user-level persistence that needs no elevation; any svchost.exe outside System32/SysWOW64 is worth treating as suspect.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (52 IoCs)
  PID   Process      Hits
  1824  Server.exe   25
  1456  Svchost.exe  27

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID   Process
  1456  Svchost.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Process      Description              PID
  Server.exe   Token: SeDebugPrivilege  1824
  Svchost.exe  Token: SeDebugPrivilege  1456
  Note: SeDebugPrivilege lets a process open handles to processes it does not own; together with the repeated process enumeration above it is a common precursor to injection, although the only cross-process write recorded in this run targets the sample's own child (below).

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID   Process
  1824  Server.exe
  1456  Svchost.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Description                       PID   Process     Target process
  PID 1824 wrote to memory of 1456  1824  Server.exe  Svchost.exe  (3 events)
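The signatures above translate into three host-side detections: a process named svchost.exe running from anywhere but System32/SysWOW64, a Run key value that points into a user-writable directory, and a dropped file whose SHA256 equals the submitted sample's (a self-copy). The Python below is an added example, not part of the sandbox report or the Tria.ge platform; it runs those three checks over a handful of constructed Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) that mirror this run, plus two benign control events. The paths, PIDs and SHA256 are taken from the report; the event records themselves and the field names are assumptions modelled on Sysmon's schema.

```python
import re

# Where the genuine Service Host binary lives (x64 and WOW64 copies).
LEGIT_SVCHOST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}
# Run / RunOnce keys under any hive, as Sysmon reports them in TargetObject.
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# Directories a standard user can write to; a Run value pointing here is
# user-level persistence that required no elevation.
USER_WRITABLE_RE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\(roaming|local)\\|^c:\\programdata\\|"
    r"^c:\\users\\public\\", re.I)

# SHA256 of the submitted Server.exe, copied from the report above.
SAMPLE_SHA256 = "1adc4f1c7e5cd29791e074dd27ef5bb4e6a9c14b5d8def6a4aa4d5d0e5c58fe6"

# Constructed Sysmon-style events (assumed schema; not sandbox output).
EVENTS = [
    {"EventID": 1, "ProcessId": 1824,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\Server.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 1824,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Svchost.exe",
     "Hashes": "SHA256=" + SAMPLE_SHA256},
    {"EventID": 1, "ProcessId": 1456,
     "Image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Svchost.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\Server.exe"},
    {"EventID": 13, "ProcessId": 1456,
     "TargetObject": r"HKU\S-1-5-21-4124900551-4068476067-3491212533-1000"
                     r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost",
     "Details": r"C:\Users\Admin\AppData\Roaming\Microsoft\Svchost.exe"},
    # Benign controls: the real svchost.exe and a vendor Run entry in System32.
    {"EventID": 1, "ProcessId": 900,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 13, "ProcessId": 1200,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]


def sha256_from(hashes):
    """Extract the SHA256 value from a Sysmon 'Hashes' field (ALGO=hex,...)."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def masquerading_svchost(ev):
    """Flag a process create whose image is svchost.exe outside its real path."""
    if ev.get("EventID") != 1:
        return None
    image = ev["Image"].lower()
    if image.rsplit("\\", 1)[-1] == "svchost.exe" and image not in LEGIT_SVCHOST:
        return f"masquerading svchost: pid {ev['ProcessId']} {ev['Image']}"
    return None


def run_key_into_user_dir(ev):
    """Flag a Run/RunOnce value whose target sits in a user-writable directory."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev["TargetObject"]):
        return None
    target = ev.get("Details", "").strip('"')
    if USER_WRITABLE_RE.match(target):
        return f"run key -> user-writable path: {ev['TargetObject']} = {target}"
    return None


def self_copies(events, sample_sha256):
    """Files written during the run whose SHA256 equals the sample's own."""
    return [f"self-copy: pid {ev['ProcessId']} wrote {ev['TargetFilename']}"
            for ev in events
            if ev.get("EventID") == 11
            and sha256_from(ev.get("Hashes", "")) == sample_sha256.lower()]


def triage(events, sample_sha256=SAMPLE_SHA256):
    """Run all three detections and return the list of findings."""
    findings = []
    for ev in events:
        for rule in (masquerading_svchost, run_key_into_user_dir):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    findings.extend(self_copies(events, sample_sha256))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Against the constructed events this yields exactly three findings (the dropped Svchost.exe launch, its HKCU Run value, and the self-copy) and nothing for the two control events. The same rules map directly onto Sigma or EDR queries; the path check is the one that generalises best, since legitimate svchost.exe never runs from a user profile.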
Processes

1. C:\Users\Admin\AppData\Local\Temp\Server.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Svchost.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Svchost.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\mlt.tmp
  Filesize: 44B
  MD5: 5389b11510f65424863e2e9724bd65e4
  SHA1: 071102005e3217b50283b71ee33858bb15606549
  SHA256: fecb0cdb9664c0c83a84dff897fecff3773df1d4d5a6fc5c84e2187027315fa7
  SHA512: ba78a6c2619bd7a4d4428a5b0b739e109dfa9ddb8925a005067f8b7091744bd9e16e007d32f62ae42768f3f45fb8aefe496f5a3ef617862127b53a88f86514ff

C:\Users\Admin\AppData\Roaming\Microsoft\Svchost.exe
  Filesize: 76KB
  MD5: 9ca0dca75c4d1c1453d5ab26a86d85c2
  SHA1: c85a55c7c628231beb5f8d6a32e75646c1dc7348
  SHA256: 1adc4f1c7e5cd29791e074dd27ef5bb4e6a9c14b5d8def6a4aa4d5d0e5c58fe6
  SHA512: 88efd5b1f70beceff4f99ca9834b80318ccde6ed1fe30c39de7d494e4b0b5bf00dcf52ffdc19e032367b076be53d1f18a9a9dbf1f26648e095375dec653a27ed
  Note: size and all four hashes match the submitted Server.exe, so the dropped file is a byte-for-byte copy of the sample; the file hashes above therefore cover both the original and the persisted copy.

Memory dumps
  memory/1456-14-0x00000000752D0000-0x0000000075881000-memory.dmp  5.7MB
  memory/1456-16-0x00000000752D0000-0x0000000075881000-memory.dmp  5.7MB
  memory/1824-0-0x00000000752D2000-0x00000000752D3000-memory.dmp   4KB
  memory/1824-1-0x00000000752D0000-0x0000000075881000-memory.dmp   5.7MB
  memory/1824-2-0x00000000752D0000-0x0000000075881000-memory.dmp   5.7MB
  memory/1824-13-0x00000000752D0000-0x0000000075881000-memory.dmp  5.7MB