Overview

overview

10

Static

static

10

Release/Server.exe

windows7-x64

7

Release/Server.exe

windows10-2004-x64

10

Resubmissions

26-07-2024 05:05

240726-frc1ds1drf 10

25-07-2024 07:20

240725-h567hayclf 10

24-07-2024 14:30

240724-rvd8ea1akj 10

24-07-2024 13:56

240724-q83bqasdqb 10

23-07-2024 11:06

240723-m7t26stbmr 10

Analysis

  • max time kernel
    660s
  • max time network
    446s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2024 13:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Release/Server.exe

  • Size

    1.0MB

  • MD5

    97fdf675692906714405d7e9bd6a9c61

  • SHA1

    f388a87852ca61122f2563b9919625d33c7efe78

  • SHA256

    dd3c72966f70692309714ec42461021fef21c26ad33b1b43e3232186b632a44b

  • SHA512

    06f371bbec435746a876bb8127979c46fb1a21949c7f2b1f0e7edd4895382c5018113d52cf86485fa8d269f5c4b597c2739519db11b78bb7574638272ebf925c

  • SSDEEP

    24576:UcBAVQOcXu65lmmomlEkmmsEnE7E7E7EUmemmmmmmIDmeQaKM:USAVQTXuElmmomSkmmtEQQQUmemmmmmL

Score
10/10
defense_evasiondiscoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 18 IoCs
  • Abuse Elevation Control Mechanism: Bypass User Account Control 1 TTPs 1 IoCs

    UAC Bypass Attempt via SilentCleanup Task.

    defense_evasionprivilege_escalation
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 14 IoCs
  • Modifies registry class 53 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 60 IoCs
  • Suspicious use of SendNotifyMessage 59 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Release\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Release\Server.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1424
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1856
    • C:\Users\Admin\Desktop\Client.exe
      "C:\Users\Admin\Desktop\Client.exe"
      1⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4568
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "MicrosoftEdgeUpdateServices" /tr "C:\Windows\Vss\Svhost.exe" & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4892
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "MicrosoftEdgeUpdateServices" /tr "C:\Windows\Vss\Svhost.exe"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1568
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "MircosftEdge" /tr "C:\Windows\Vss\Svhost.exe" /RL HIGHEST & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3728
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo 5 /tn "MircosftEdge" /tr "C:\Windows\Vss\Svhost.exe" /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4940
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "MicrosoftEdgeUpdater" /tr "C:\Windows\Vss\Writers\System\Smss.exe" /RL HIGHEST & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3980
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo 5 /tn "MicrosoftEdgeUpdater" /tr "C:\Windows\Vss\Writers\System\Smss.exe" /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2052
      • C:\Users\Admin\Desktop\Client.exe
        C:\Users\Admin\Desktop\Client.exe /WithTokenOf:TrustedInstaller.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\windows\system32\schtasks.exe
          "C:\windows\system32\schtasks.exe" /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
          3⤵
          • Abuse Elevation Control Mechanism: Bypass User Account Control
          PID:2164
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:1648
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:1888
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Loads dropped DLL
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4596
    • C:\Windows\Vss\Writers\System\Smss.exe
      C:\Windows\Vss\Writers\System\Smss.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:976
    • C:\Windows\Vss\Svhost.exe
      C:\Windows\Vss\Svhost.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:3892

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Event Triggered Execution

    1
    T1546

    AppInit DLLs

    1
    T1546.010

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Event Triggered Execution

    1
    T1546

    AppInit DLLs

    1
    T1546.010

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\GMap.NET\DllCache\SQLite_v98_NET4_x86\System.Data.SQLite.DLL
      Filesize

      1.3MB

      MD5

      14393eb908e072fa3164597414bb0a75

      SHA1

      5e04e084ec44a0b29196d0c21213201240f11ba0

      SHA256

      59b9d95ae42e35525fc63f93168fe304409463ee070a3cf21a427a2833564b80

      SHA512

      f5fc3d9e98cca1fbbbe026707086a71f801016348d2355541d630879ad51a850f49eb4a5f7a94e12a844d7a7108d69fa6d762ee19f4805d6aafef16259b4330b

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_jmtcyt32s450mrkqcfhpdrl3u0cpu3sy\1.0.0.0\hqlpt5ax.newcfg
      Filesize

      805B

      MD5

      eb5e7c02c1994e15cdaf2a8a052477bf

      SHA1

      8ce675a1d2780867fa05f6698aeff55cf41966de

      SHA256

      8ea66baaffc61a5e5bca357f010dfbb45b57dd3fd0bd528e67c0b65a23e6be44

      SHA512

      cdc8b3725c056abd180b7ac6d15eb5279f330f0ea0c4c2919404b6e2ddf55e3347ffcacb9a9ed47f4c4241874a08be07af354dc8f594860c3b89baf321fb63d4

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_jmtcyt32s450mrkqcfhpdrl3u0cpu3sy\1.0.0.0\user.config
      Filesize

      311B

      MD5

      a35bc67d130a4fb76c2c2831cbdddd55

      SHA1

      66502423bba03870522e50608212b6ee27ebf4c5

      SHA256

      e94a97e512fbc8ed9f5691d921fdeddbff4cc16b024c5335adf66bff3a7a8192

      SHA512

      4401b234d7914afa860e356be1667cc5f44402255f7cc6cc3d8df80883167f6b55463e62156df57be697ee501897fac61a71f97911c6fdb6630272341ac8a07e

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_jmtcyt32s450mrkqcfhpdrl3u0cpu3sy\1.0.0.0\user.config
      Filesize

      434B

      MD5

      cfcf8e91857f364e002065c52ff8f91c

      SHA1

      8407ecb3c33a1f3fcf18a723e6884acf7e5a0f4a

      SHA256

      572dda8c7f211dc6a4efc7aecb4a54cb4e0ced1e4c9a4b9f96bb329c983c64e6

      SHA512

      364fecac3a051441b4fefcebb2cc9e38632f99dd04593cd5d9b148986afb09b195e88cdbfa2e778b8934564b76d04fe053f919f0a60769b023f2f753ede06d1e

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_jmtcyt32s450mrkqcfhpdrl3u0cpu3sy\1.0.0.0\user.config
      Filesize

      688B

      MD5

      1b3ada0fdd06f798be1c03cb51b07db6

      SHA1

      da4de6b4d4e3660947059a20e966d01c40d8c2ee

      SHA256

      15f11b3764eca4b990052e1fdfbbb33025baa1455a35e80e5dfef63349ecdf92

      SHA512

      a3d0721cb04eebb677ae80b9738e65aa7c98e9797b08201c548bf1628028a4f3afdb92333703a20ed21cc2fd632733c26524b8d81d9502a7555c9571f3b933d6

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_jmtcyt32s450mrkqcfhpdrl3u0cpu3sy\1.0.0.0\zi2rik12.newcfg
      Filesize

      560B

      MD5

      463d2a6611fbb9f0657b8c8c9783f6e0

      SHA1

      9fbda301bda3be3c9c2362b08cf4046857e2612d

      SHA256

      31d89529523e9b788ceec89cb43f1d2d26b44829e720324facf0906251135046

      SHA512

      c2b30090064b389eed8f79429765dc881c74c83352c7bb6e81585b81e9df6010cc89150766e94bf5091279a54b50301a529af70ec2626e2da2a842040424b169

      Download Submit

    • C:\Users\Admin\Desktop\Client.exe
      Filesize

      611KB

      MD5

      471703351f302e92661dc7635cf3783f

      SHA1

      201b9d9e49017af3c9de2355ea29abdf4d4b4212

      SHA256

      f46e89be4cff92390440379ab4ee7ea333746083497c8cbc76e220749e1b769e

      SHA512

      88579b2109f7e3b9dc7164746d8c6a4af7d1538f95b03ca4cbe6d28d368dfdb5a201b49f29435bde40fc59aa265626b503b4bf62f6327f4a16e54865774c35c4

      Download Submit

    • C:\Windows\xdwd.dll
      Filesize

      136KB

      MD5

      16e5a492c9c6ae34c59683be9c51fa31

      SHA1

      97031b41f5c56f371c28ae0d62a2df7d585adaba

      SHA256

      35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

      SHA512

      20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

      Download Submit

    • memory/1424-109-0x0000000075330000-0x0000000075AE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1424-112-0x0000000075330000-0x0000000075AE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1424-10-0x00000000098F0000-0x000000000991C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1424-11-0x0000000009C10000-0x0000000009EF2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1424-12-0x000000000A170000-0x000000000A4C4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1424-13-0x00000000071C0000-0x00000000071E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1424-8-0x00000000088D0000-0x000000000897A000-memory.dmp

      Filesize

      680KB

      Download

    • memory/1424-18-0x0000000007210000-0x000000000735B000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1424-30-0x0000000007360000-0x00000000073AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1424-31-0x0000000075330000-0x0000000075AE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1424-7-0x0000000075330000-0x0000000075AE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1424-6-0x0000000005B00000-0x0000000005B0A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1424-5-0x00000000065E0000-0x0000000006832000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/1424-58-0x0000000009A60000-0x0000000009A9C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1424-59-0x0000000009A20000-0x0000000009A41000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1424-69-0x000000000D880000-0x000000000D932000-memory.dmp

      Filesize

      712KB

      Download

    • memory/1424-4-0x0000000005B30000-0x0000000005BC2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1424-3-0x00000000056B0000-0x000000000570C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/1424-107-0x000000007533E000-0x000000007533F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1424-108-0x0000000075330000-0x0000000075AE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1424-0-0x000000007533E000-0x000000007533F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1424-110-0x0000000075330000-0x0000000075AE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1424-111-0x0000000075330000-0x0000000075AE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1424-9-0x0000000075330000-0x0000000075AE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1424-113-0x000000000A670000-0x000000000A792000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1424-2-0x0000000005C60000-0x0000000006204000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1424-475-0x0000000006370000-0x0000000006380000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1424-296-0x0000000006370000-0x0000000006380000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1424-1-0x0000000000BF0000-0x0000000000D00000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1424-181-0x0000000010520000-0x00000000105BC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1592-498-0x00000000010F0000-0x0000000001102000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4568-211-0x00007FFCE11F3000-0x00007FFCE11F5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4568-118-0x0000000000E40000-0x0000000000EE0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4568-297-0x000000001D900000-0x000000001D976000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4568-298-0x000000001C070000-0x000000001C0CE000-memory.dmp

      Filesize

      376KB

      Download

    • memory/4568-300-0x000000001D5D0000-0x000000001D5EE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4568-469-0x000000001C0D0000-0x000000001C0DC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4568-117-0x00007FFCE11F3000-0x00007FFCE11F5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4596-482-0x0000025407210000-0x0000025407211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4596-483-0x0000025407210000-0x0000025407211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4596-493-0x0000025407210000-0x0000025407211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4596-492-0x0000025407210000-0x0000025407211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4596-491-0x0000025407210000-0x0000025407211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4596-490-0x0000025407210000-0x0000025407211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4596-489-0x0000025407210000-0x0000025407211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4596-488-0x0000025407210000-0x0000025407211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4596-487-0x0000025407210000-0x0000025407211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4596-481-0x0000025407210000-0x0000025407211000-memory.dmp

      Filesize

      4KB

      Download