b9418ffff1fdc91b3257ef2c42e6edc1605b38f2534e93c4f487a72f98279496

General

Target

Server3.exe
Size

37KB
MD5

9572900a67ed67c643c7298b951d2104
SHA1

e3b7291e39cafe608ffbeadba8135658d22dde2f
SHA256

b9418ffff1fdc91b3257ef2c42e6edc1605b38f2534e93c4f487a72f98279496
SHA512

07a115cfb2d5a97f06a10740c1e0f5ef9fb13bb248e6fbf1d7a815fe7139d7d499d4dfc638fe6544012bfa27b324535487b8446234edd4480e0b0446f8f22173
SSDEEP

384:rkc6ikDRxdDsyNyyszPIRPr28msD+rAF+rMRTyN/0L+EcoinblneHQM3epzXoNC/:ADeyNBszPIRy1sqrM+rMRa8NuKgt

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1968 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Server3.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation Server3.exe

pid	process
1968	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Server3.exe

Drops startup file 2 IoCs

Processes:

Windows.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcf19f19ec90f55db9d548f83598227f.exe	Windows.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcf19f19ec90f55db9d548f83598227f.exe	Windows.exe

Executes dropped EXE 1 IoCs

Processes:

Windows.exe

pid process

1616 Windows.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Windows.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcf19f19ec90f55db9d548f83598227f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .."	Windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bcf19f19ec90f55db9d548f83598227f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .."	Windows.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

Windows.exe

description	ioc	process
File created	C:\autorun.inf	Windows.exe
File opened for modification	C:\autorun.inf	Windows.exe
File created	D:\autorun.inf	Windows.exe
File created	F:\autorun.inf	Windows.exe
File opened for modification	F:\autorun.inf	Windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3496 taskkill.exe

pid	process
3496	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Windows.exe

pid	process
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe
1616	Windows.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Windows.exe

pid process

1616 Windows.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

Windows.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1616	Windows.exe
Token: SeDebugPrivilege	3496	taskkill.exe
Token: 33	1616	Windows.exe
Token: SeIncBasePriorityPrivilege	1616	Windows.exe
Token: 33	1616	Windows.exe
Token: SeIncBasePriorityPrivilege	1616	Windows.exe
Token: 33	1616	Windows.exe
Token: SeIncBasePriorityPrivilege	1616	Windows.exe
Token: 33	1616	Windows.exe
Token: SeIncBasePriorityPrivilege	1616	Windows.exe
Token: 33	1616	Windows.exe
Token: SeIncBasePriorityPrivilege	1616	Windows.exe
Token: 33	1616	Windows.exe
Token: SeIncBasePriorityPrivilege	1616	Windows.exe
Token: 33	1616	Windows.exe
Token: SeIncBasePriorityPrivilege	1616	Windows.exe
Token: 33	1616	Windows.exe
Token: SeIncBasePriorityPrivilege	1616	Windows.exe
Token: 33	1616	Windows.exe
Token: SeIncBasePriorityPrivilege	1616	Windows.exe
Token: 33	1616	Windows.exe
Token: SeIncBasePriorityPrivilege	1616	Windows.exe
Token: 33	1616	Windows.exe
Token: SeIncBasePriorityPrivilege	1616	Windows.exe
Token: 33	1616	Windows.exe
Token: SeIncBasePriorityPrivilege	1616	Windows.exe
Token: 33	1616	Windows.exe
Token: SeIncBasePriorityPrivilege	1616	Windows.exe
Token: 33	1616	Windows.exe
Token: SeIncBasePriorityPrivilege	1616	Windows.exe
Token: 33	1616	Windows.exe
Token: SeIncBasePriorityPrivilege	1616	Windows.exe
Token: 33	1616	Windows.exe
Token: SeIncBasePriorityPrivilege	1616	Windows.exe
Token: 33	1616	Windows.exe
Token: SeIncBasePriorityPrivilege	1616	Windows.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Server3.exeWindows.exe

description	pid	process	target process
PID 1396 wrote to memory of 1616	1396	Server3.exe	Windows.exe
PID 1396 wrote to memory of 1616	1396	Server3.exe	Windows.exe
PID 1396 wrote to memory of 1616	1396	Server3.exe	Windows.exe
PID 1616 wrote to memory of 1968	1616	Windows.exe	netsh.exe
PID 1616 wrote to memory of 1968	1616	Windows.exe	netsh.exe
PID 1616 wrote to memory of 1968	1616	Windows.exe	netsh.exe
PID 1616 wrote to memory of 3496	1616	Windows.exe	taskkill.exe
PID 1616 wrote to memory of 3496	1616	Windows.exe	taskkill.exe
PID 1616 wrote to memory of 3496	1616	Windows.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Server3.exe
"C:\Users\Admin\AppData\Local\Temp\Server3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\Windows.exe
"C:\Users\Admin\AppData\Local\Temp\Windows.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows.exe" "Windows.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1968

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM Exsample.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Windows.exe

Filesize
37KB

MD5
9572900a67ed67c643c7298b951d2104

SHA1
e3b7291e39cafe608ffbeadba8135658d22dde2f

SHA256
b9418ffff1fdc91b3257ef2c42e6edc1605b38f2534e93c4f487a72f98279496

SHA512
07a115cfb2d5a97f06a10740c1e0f5ef9fb13bb248e6fbf1d7a815fe7139d7d499d4dfc638fe6544012bfa27b324535487b8446234edd4480e0b0446f8f22173

Download Submit
memory/1396-0-0x0000000074A72000-0x0000000074A73000-memory.dmp

Filesize
4KB

Download
memory/1396-1-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/1396-2-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/1396-12-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/1616-13-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/1616-14-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/1616-24-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads