Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 03-08-2024 17:35
Behavioral task: behavioral1
Sample: sever.exe
Resource: win7-20240708-en
General
Target: sever.exe
Size: 203KB
MD5: d8158104745439bf75e071b4305b14cf
SHA1: 24ad4d25061233c6266ac6c8dfe14e9120ff37e8
SHA256: 3c4e4bfa14ccb528331fafd98accf22ca640b3d251f45859c4427df56614bcf2
SHA512: b0072a56bb7a4bbdcfb7a93e14732a49cf726a5b51240f1f612d056c9e06c00b53f776ec31c63ca0e2d1ac868beba1eed4035bd5a119f7acc773b54de7fd98b9
SSDEEP: 3072:MzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIHSQYusdrK6ymbcYmRriGNnD:MLV6Bta6dtJmakIM51ax0cYgrimD
Malware Config
Signatures
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sever.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sever.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid | process
2356 | sever.exe
2356 | sever.exe
2356 | sever.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2356 | sever.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2356 | sever.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description | pid | process | target process
PID 2356 wrote to memory of 2680 | 2356 | sever.exe | schtasks.exe
PID 2356 wrote to memory of 2680 | 2356 | sever.exe | schtasks.exe
PID 2356 wrote to memory of 2680 | 2356 | sever.exe | schtasks.exe
PID 2356 wrote to memory of 2680 | 2356 | sever.exe | schtasks.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\sever.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\sever.exe"
   PID: 2356
   - Checks whether UAC is enabled
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe (child of sever.exe)
      Command line: "schtasks.exe" /create /f /tn "UDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp"
      PID: 2680
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 009127cd7edf551083a086d4eec66560
SHA1: 98d6877de6d7eb0a93fa58fb0303412c1dda7458
SHA256: 71352e7fb7fe395e13d5be76a2d8aa8308d535519d1f7b5a05a09874073bae89
SHA512: b58ea76815d34629cfddc0067e5e5896a328d4baffe7c4c8a45a158cca0be54ade114b2dbf33cab4fd96769b2658b96c4f358b04c182c5fbcf00db8cb7d26054