Resubmissions
30/07/2024, 21:22
240730-z732astepd 1030/07/2024, 21:18
240730-z5vl5szalj 1030/07/2024, 21:06
240730-zx8h2atala 10Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system -
submitted
30/07/2024, 21:06
Behavioral task
behavioral1
Sample
Injectorka.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
Injectorka.exe
Resource
win10v2004-20240730-en
General
-
Target
Injectorka.exe
-
Size
93KB
-
MD5
c40c09bf0ce0defbe50f123e8d6a6174
-
SHA1
d39b7893f4ec53f38e3d05051097fb6cfee2ff7f
-
SHA256
272f68e5e473b2b091e97ee249a7a95aedef51070dcaf94211e573771477a672
-
SHA512
8f5a3b47ae47e0be43ad2925adc36b661c75f64bec2b3e797fc744925cdc186a1dda85ba2907e5a621f0c61a47662e1d3874ee8b3f7c8b31d79ba6ed3af069c4
-
SSDEEP
768:RY3PI530YTXspgM0m2zGjpyDtdXWuDtXYLWhyXxrjEtCdnl2pi1Rz4Rk3zsGdpD3:8IZ0AA0mT1mrWnL5jEwzGi1dD/DDgS
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 4380 netsh.exe 5032 netsh.exe 3696 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation Injectorka.exe -
Drops startup file 6 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\007c897a11747d51de02720e8e1c37d9Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\007c897a11747d51de02720e8e1c37d9Windows Update.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe -
Executes dropped EXE 1 IoCs
pid Process 3984 server.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 10 2.tcp.eu.ngrok.io 20 2.tcp.eu.ngrok.io -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injectorka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe 3984 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3984 server.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe Token: 33 3984 server.exe Token: SeIncBasePriorityPrivilege 3984 server.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3984 server.exe 3984 server.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4912 wrote to memory of 3984 4912 Injectorka.exe 84 PID 4912 wrote to memory of 3984 4912 Injectorka.exe 84 PID 4912 wrote to memory of 3984 4912 Injectorka.exe 84 PID 3984 wrote to memory of 4380 3984 server.exe 85 PID 3984 wrote to memory of 4380 3984 server.exe 85 PID 3984 wrote to memory of 4380 3984 server.exe 85 PID 3984 wrote to memory of 3696 3984 server.exe 87 PID 3984 wrote to memory of 3696 3984 server.exe 87 PID 3984 wrote to memory of 3696 3984 server.exe 87 PID 3984 wrote to memory of 5032 3984 server.exe 88 PID 3984 wrote to memory of 5032 3984 server.exe 88 PID 3984 wrote to memory of 5032 3984 server.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\Injectorka.exe"C:\Users\Admin\AppData\Local\Temp\Injectorka.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4380
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3696
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5032
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5B
MD5b66e20886f9675fe4dbf430ea2d0bf8d
SHA12e676da72201e6e4482e00b300511900c6aee5a0
SHA256899a421c56c18058cbdd16dd7fb313a57d36c1189ca0f442070ed01d17241414
SHA512f431616522f775de27ccde420f0de6f8b3477fbe97cfd8001864b8289a570916a6dd32c84fcf8af6083d8c1b47c61aa5c73ed1e7cc75213d3f24bd94a93cb870
-
Filesize
93KB
MD5c40c09bf0ce0defbe50f123e8d6a6174
SHA1d39b7893f4ec53f38e3d05051097fb6cfee2ff7f
SHA256272f68e5e473b2b091e97ee249a7a95aedef51070dcaf94211e573771477a672
SHA5128f5a3b47ae47e0be43ad2925adc36b661c75f64bec2b3e797fc744925cdc186a1dda85ba2907e5a621f0c61a47662e1d3874ee8b3f7c8b31d79ba6ed3af069c4