Overview

overview

8

Static

static

7

bin/admin.bat

windows7-x64

1

bin/admin.bat

windows10-2004-x64

7

bin/instsvc.bat

windows7-x64

8

bin/instsvc.bat

windows10-2004-x64

8

bin/ping.bat

windows7-x64

1

bin/ping.bat

windows10-2004-x64

7

bin/ping.sh

ubuntu-18.04-amd64

1

bin/ping.sh

debian-9-armhf

1

bin/ping.sh

debian-9-mips

bin/ping.sh

debian-9-mipsel

bin/reset-acl.bat

windows7-x64

1

bin/reset-acl.bat

windows10-2004-x64

7

bin/reset-acl.sh

ubuntu-18.04-amd64

1

bin/reset-acl.sh

debian-9-armhf

1

bin/reset-acl.sh

debian-9-mips

bin/reset-acl.sh

debian-9-mipsel

bin/reset-pw.bat

windows7-x64

1

bin/reset-pw.bat

windows10-2004-x64

7

bin/reset-pw.sh

ubuntu-18.04-amd64

1

bin/reset-pw.sh

debian-9-armhf

1

bin/reset-pw.sh

debian-9-mips

bin/reset-pw.sh

debian-9-mipsel

bin/shutdown.bat

windows7-x64

1

bin/shutdown.bat

windows10-2004-x64

7

bin/shutdown.sh

ubuntu-18.04-amd64

1

bin/shutdown.sh

debian-9-armhf

1

bin/shutdown.sh

debian-9-mips

bin/shutdown.sh

debian-9-mipsel

bin/startup.bat

windows7-x64

1

bin/startup.bat

windows10-2004-x64

7

bin/startup.sh

ubuntu-18.04-amd64

1

bin/startup.sh

debian-9-armhf

1

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14-06-2024 07:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bin/instsvc.bat

  • Size

    2KB

  • MD5

    21e90735471f64b9b71b37c7d8492574

  • SHA1

    05a2effac79c01bcb1f3798b11b542c63588d51c

  • SHA256

    b1f3b4370fa8e86d8d86a7ee5dbaccaff73f6fc2f04b5ff43205751d1c152918

  • SHA512

    f746d1fb930a77b36a3ffe8823abfcb8e7d81dbcd49e719e33ec82535a7464e4a0cb8df6b6ec5309e2bc7dab3dd21b02041bf88b668dad03c3578be1d2c7e053

Score
8/10
evasionupx

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 18 IoCs
    evasion
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Runs net.exe
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\bin\instsvc.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall delete rule name=NxFilter_53_in
      2⤵
      • Modifies Windows Firewall
      PID:2060
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall delete rule name=NxFilter_80_in
      2⤵
      • Modifies Windows Firewall
      PID:2308
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall delete rule name=NxFilter_443_in
      2⤵
      • Modifies Windows Firewall
      PID:2580
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall delete rule name=NxFilter_19002_in
      2⤵
      • Modifies Windows Firewall
      PID:2668
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall delete rule name=NxFilter_19003_in
      2⤵
      • Modifies Windows Firewall
      PID:2568
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall delete rule name=NxFilter_19004_in
      2⤵
      • Modifies Windows Firewall
      PID:2572
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall delete rule name=NxFilter_19003_out
      2⤵
      • Modifies Windows Firewall
      PID:2600
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall delete rule name=NxFilter_19004_out
      2⤵
      • Modifies Windows Firewall
      PID:2800
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall delete rule name=NxFilter_1813_in
      2⤵
      • Modifies Windows Firewall
      PID:2484
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name=NxFilter_53_in protocol=UDP dir=in localport=53 action=allow
      2⤵
      • Modifies Windows Firewall
      PID:2452
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name=NxFilter_80_in protocol=TCP dir=in localport=80 action=allow
      2⤵
      • Modifies Windows Firewall
      PID:2560
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name=NxFilter_443_in protocol=TCP dir=in localport=443 action=allow
      2⤵
      • Modifies Windows Firewall
      PID:2236
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name=NxFilter_19002_in protocol=TCP dir=in localport=19002 action=allow
      2⤵
      • Modifies Windows Firewall
      PID:2488
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name=NxFilter_19003_in protocol=TCP dir=in localport=19003 action=allow
      2⤵
      • Modifies Windows Firewall
      PID:2620
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name=NxFilter_19004_in protocol=TCP dir=in localport=19004 action=allow
      2⤵
      • Modifies Windows Firewall
      PID:2892
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name=NxFilter_19003_out protocol=TCP dir=out remoteport=19003 action=allow
      2⤵
      • Modifies Windows Firewall
      PID:2920
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name=NxFilter_19004_out protocol=TCP dir=out remoteport=19004 action=allow
      2⤵
      • Modifies Windows Firewall
      PID:1056
    • C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name=NxFilter_1813_in protocol=UDP dir=in localport=1813 action=allow
      2⤵
      • Modifies Windows Firewall
      PID:1740
    • C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe
      nxwrapper.exe --startup=auto install
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1988
    • C:\Windows\system32\net.exe
      net start NxFilter
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 start NxFilter
        3⤵
          PID:860
    • C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe"
      1⤵
        PID:1268
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c echo %PATH%
          2⤵
            PID:2312
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c "C:/Users/Admin/AppData/Local/Temp/bin/startup.bat"
            2⤵
              PID:596

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1268-39-0x0000000000400000-0x000000000050A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1268-77-0x0000000000400000-0x000000000050A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1268-59-0x000000001E8C0000-0x000000001E8DA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/1988-13-0x0000000000400000-0x000000000050A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1988-24-0x000000001E9B0000-0x000000001E9B7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1988-20-0x000000001E8C0000-0x000000001E8DA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/1988-0-0x000000001E000000-0x000000001E0F1000-memory.dmp

            Filesize

            964KB

            Download

          • memory/1988-11-0x000000001E7D0000-0x000000001E7D9000-memory.dmp

            Filesize

            36KB

            Download

          • memory/1988-7-0x000000001E7A0000-0x000000001E7BE000-memory.dmp

            Filesize

            120KB

            Download

          • memory/1988-32-0x0000000010000000-0x0000000010016000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1988-34-0x000000001E1D0000-0x000000001E1DC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1988-38-0x0000000000400000-0x000000000050A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1988-28-0x000000001E1E0000-0x000000001E1EE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1988-16-0x000000001ECB0000-0x000000001ECBD000-memory.dmp

            Filesize

            52KB

            Download

          • memory/1988-4-0x000000001E1B0000-0x000000001E1BF000-memory.dmp

            Filesize

            60KB

            Download