Overview

overview

10

Static

static

10

Release/Server.exe

windows10-2004-x64

7

Resubmissions

26-07-2024 05:05

240726-frc1ds1drf 10

25-07-2024 07:20

240725-h567hayclf 10

24-07-2024 14:30

240724-rvd8ea1akj 10

24-07-2024 13:56

240724-q83bqasdqb 10

23-07-2024 11:06

240723-m7t26stbmr 10

Analysis

  • max time kernel
    1026s
  • max time network
    691s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2024 14:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Release/Server.exe

  • Size

    1.0MB

  • MD5

    97fdf675692906714405d7e9bd6a9c61

  • SHA1

    f388a87852ca61122f2563b9919625d33c7efe78

  • SHA256

    dd3c72966f70692309714ec42461021fef21c26ad33b1b43e3232186b632a44b

  • SHA512

    06f371bbec435746a876bb8127979c46fb1a21949c7f2b1f0e7edd4895382c5018113d52cf86485fa8d269f5c4b597c2739519db11b78bb7574638272ebf925c

  • SSDEEP

    24576:UcBAVQOcXu65lmmomlEkmmsEnE7E7E7EUmemmmmmmIDmeQaKM:USAVQTXuElmmomSkmmtEQQQUmemmmmmL

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 53 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Release\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Release\Server.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:4812
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:748
    • C:\Users\Admin\Desktop\MicrosoftEdge.exe
      "C:\Users\Admin\Desktop\MicrosoftEdge.exe"
      1⤵
      • Executes dropped EXE
      PID:976
    • C:\Users\Admin\Desktop\MicrosoftEdge.exe
      "C:\Users\Admin\Desktop\MicrosoftEdge.exe"
      1⤵
      • Executes dropped EXE
      PID:4384
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3616
    • C:\Users\Admin\Desktop\MicrosoftEdge.exe
      "C:\Users\Admin\Desktop\MicrosoftEdge.exe"
      1⤵
      • Executes dropped EXE
      PID:780
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\MicrosoftEdge.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
    • C:\Users\Admin\Desktop\MicrosoftEdge.exe
      "C:\Users\Admin\Desktop\MicrosoftEdge.exe"
      1⤵
      • Executes dropped EXE
      PID:1356
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3824

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
      Filesize

      64KB

      MD5

      d2fb266b97caff2086bf0fa74eddb6b2

      SHA1

      2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

      SHA256

      b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

      SHA512

      c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

      Download Submit

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
      Filesize

      4B

      MD5

      f49655f856acb8884cc0ace29216f511

      SHA1

      cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

      SHA256

      7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

      SHA512

      599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

      Download Submit

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
      Filesize

      944B

      MD5

      6bd369f7c74a28194c991ed1404da30f

      SHA1

      0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

      SHA256

      878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

      SHA512

      8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

      Download Submit

    • C:\Users\Admin\AppData\Local\GMap.NET\DllCache\SQLite_v98_NET4_x86\System.Data.SQLite.DLL
      Filesize

      1.3MB

      MD5

      14393eb908e072fa3164597414bb0a75

      SHA1

      5e04e084ec44a0b29196d0c21213201240f11ba0

      SHA256

      59b9d95ae42e35525fc63f93168fe304409463ee070a3cf21a427a2833564b80

      SHA512

      f5fc3d9e98cca1fbbbe026707086a71f801016348d2355541d630879ad51a850f49eb4a5f7a94e12a844d7a7108d69fa6d762ee19f4805d6aafef16259b4330b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MicrosoftEdge.exe.log
      Filesize

      871B

      MD5

      386677f585908a33791517dfc2317f88

      SHA1

      2e6853b4560a9ac8a74cdd5c3124a777bc0d874e

      SHA256

      7caf8779608c167ab6fa570df00c973aff6dee850bb63439770889a68c7cdae0

      SHA512

      876d2269e25a4b2754bdf2c7e3c410050f885d7e6bd8abce41c5fc74ae1f8c549b2266dd1588c750f614063f36c8a8e5008cea610505897d04e4ef5c3adc52d9

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_jmtcyt32s450mrkqcfhpdrl3u0cpu3sy\1.0.0.0\0ba4rrmc.newcfg
      Filesize

      688B

      MD5

      1b3ada0fdd06f798be1c03cb51b07db6

      SHA1

      da4de6b4d4e3660947059a20e966d01c40d8c2ee

      SHA256

      15f11b3764eca4b990052e1fdfbbb33025baa1455a35e80e5dfef63349ecdf92

      SHA512

      a3d0721cb04eebb677ae80b9738e65aa7c98e9797b08201c548bf1628028a4f3afdb92333703a20ed21cc2fd632733c26524b8d81d9502a7555c9571f3b933d6

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_jmtcyt32s450mrkqcfhpdrl3u0cpu3sy\1.0.0.0\fuqw35pf.newcfg
      Filesize

      687B

      MD5

      b18785caae8834f89e34cde89b93cafc

      SHA1

      cee194149b484295ddba88111a251986bdc0c7af

      SHA256

      105971bbe15f24f50dad97d466b55222e52dfdb4a71b1b3a6452cfba28a10811

      SHA512

      fb108e2997a0ea7bce21113118997f358d73a43a40e2b4b9962738cd88dc6d9dfc17e17e63c8ba8c5a5504e5775fbe9e8084ee8e6086cf0eab709335ed8b282c

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_jmtcyt32s450mrkqcfhpdrl3u0cpu3sy\1.0.0.0\tr4elcse.newcfg
      Filesize

      804B

      MD5

      40835a973a8950bec8a0a2a5f40828d0

      SHA1

      21dfd15e1fce33b7392dcc1e770fa3c114748c73

      SHA256

      676983bbc395e67ec554e7039469194508cc0c5222f5f316d2cb4b3d9bd8ae16

      SHA512

      324f5a79af6d74abeaafe520e138a1392f016a6a70aa0d9dd37fd8a2458cc4e08c87a24e3cb2f5a9fd250dfd6fa685016d86ff0da576e45aa4de4ffd6d9524f1

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_jmtcyt32s450mrkqcfhpdrl3u0cpu3sy\1.0.0.0\user.config
      Filesize

      311B

      MD5

      a35bc67d130a4fb76c2c2831cbdddd55

      SHA1

      66502423bba03870522e50608212b6ee27ebf4c5

      SHA256

      e94a97e512fbc8ed9f5691d921fdeddbff4cc16b024c5335adf66bff3a7a8192

      SHA512

      4401b234d7914afa860e356be1667cc5f44402255f7cc6cc3d8df80883167f6b55463e62156df57be697ee501897fac61a71f97911c6fdb6630272341ac8a07e

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_jmtcyt32s450mrkqcfhpdrl3u0cpu3sy\1.0.0.0\user.config
      Filesize

      434B

      MD5

      cfcf8e91857f364e002065c52ff8f91c

      SHA1

      8407ecb3c33a1f3fcf18a723e6884acf7e5a0f4a

      SHA256

      572dda8c7f211dc6a4efc7aecb4a54cb4e0ced1e4c9a4b9f96bb329c983c64e6

      SHA512

      364fecac3a051441b4fefcebb2cc9e38632f99dd04593cd5d9b148986afb09b195e88cdbfa2e778b8934564b76d04fe053f919f0a60769b023f2f753ede06d1e

      Download Submit

    • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_jmtcyt32s450mrkqcfhpdrl3u0cpu3sy\1.0.0.0\user.config
      Filesize

      560B

      MD5

      463d2a6611fbb9f0657b8c8c9783f6e0

      SHA1

      9fbda301bda3be3c9c2362b08cf4046857e2612d

      SHA256

      31d89529523e9b788ceec89cb43f1d2d26b44829e720324facf0906251135046

      SHA512

      c2b30090064b389eed8f79429765dc881c74c83352c7bb6e81585b81e9df6010cc89150766e94bf5091279a54b50301a529af70ec2626e2da2a842040424b169

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rgrmpp5v.m5m.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\Desktop\MicrosoftEdge.exe
      Filesize

      607KB

      MD5

      fab682e3478137b228c110cbf18b1d91

      SHA1

      896f7ea6f85b72e3dd1c21fb8d1b2bf7b4b3a487

      SHA256

      ecd6dcd7911ca6660369e6267cf8ef29bba576619ada73ef9566106cb0678e13

      SHA512

      9e4357c01ae9502ede8bc1dec60c23e8f798792bb8e08ff4e5eefd7c33543b5d2c988702b2d35acf67759faae0730573803d5e1fad43fbf61b99d56fb37a44f2

      Download Submit

    • memory/976-130-0x00007FFCB3383000-0x00007FFCB3385000-memory.dmp

      Filesize

      8KB

      Download

    • memory/976-131-0x0000000000010000-0x00000000000AE000-memory.dmp

      Filesize

      632KB

      Download

    • memory/3616-145-0x00000208A0480000-0x00000208A0481000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3616-138-0x00000208A0480000-0x00000208A0481000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3616-137-0x00000208A0480000-0x00000208A0481000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3616-142-0x00000208A0480000-0x00000208A0481000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3616-148-0x00000208A0480000-0x00000208A0481000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3616-147-0x00000208A0480000-0x00000208A0481000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3616-136-0x00000208A0480000-0x00000208A0481000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3616-146-0x00000208A0480000-0x00000208A0481000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3616-144-0x00000208A0480000-0x00000208A0481000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3616-143-0x00000208A0480000-0x00000208A0481000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3824-178-0x000001E973E20000-0x000001E973E96000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3824-177-0x000001E973D50000-0x000001E973D94000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3824-176-0x000001E973990000-0x000001E9739B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4812-12-0x00000000093E0000-0x0000000009734000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4812-71-0x0000000074570000-0x0000000074D20000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4812-98-0x0000000074570000-0x0000000074D20000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4812-99-0x0000000074570000-0x0000000074D20000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4812-70-0x0000000074570000-0x0000000074D20000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4812-126-0x0000000009940000-0x0000000009A62000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4812-69-0x0000000074570000-0x0000000074D20000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4812-68-0x000000007457E000-0x000000007457F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4812-67-0x000000000D060000-0x000000000D112000-memory.dmp

      Filesize

      712KB

      Download

    • memory/4812-56-0x0000000009340000-0x000000000937C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4812-57-0x0000000009300000-0x0000000009321000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4812-31-0x0000000074570000-0x0000000074D20000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4812-30-0x0000000008DA0000-0x0000000008DEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4812-18-0x0000000008C50000-0x0000000008D9B000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4812-13-0x0000000008C00000-0x0000000008C22000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4812-0-0x000000007457E000-0x000000007457F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4812-11-0x0000000008E80000-0x0000000009162000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/4812-10-0x0000000008B60000-0x0000000008B8C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/4812-9-0x0000000074570000-0x0000000074D20000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4812-8-0x00000000069A0000-0x0000000006A4A000-memory.dmp

      Filesize

      680KB

      Download

    • memory/4812-7-0x0000000074570000-0x0000000074D20000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4812-6-0x0000000005300000-0x000000000530A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4812-5-0x0000000005D80000-0x0000000005FD2000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/4812-4-0x0000000005950000-0x00000000059E2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4812-3-0x0000000004EB0000-0x0000000004F0C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/4812-2-0x00000000053A0000-0x0000000005944000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4812-1-0x00000000003F0000-0x0000000000500000-memory.dmp

      Filesize

      1.1MB

      Download