36b0a0b0cd59350e403f89ca61aadb2e6c4a899302c8c327cdc6443f6ed64d5b

Analysis

max time kernel
24s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 12:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Sena/Sena.exe
Size

1.0MB
MD5

9872c633ef83d043cfca1609c7668719
SHA1

116579be25c526f3fb21620263467717e52db237
SHA256

553cfbf1aec44f3baf003f3a095e9638d4c3ec4aa387e07cf64ff69601353306
SHA512

93bc495d230f8198e573275c037db8b3487ef8cf1ae7029a01998018f4694e2a793bc9bc73e776e171870f0ac1ebbaf3a917ec8da5be235586569989dd0be0e1
SSDEEP

24576:/EoScovLgGCJv+gy4xwpdvGzk+kKufpF:/UcoDTCBtxCdeQ+

Score

3^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe
4900	Sena.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4900	Sena.exe
Token: SeIncreaseQuotaPrivilege	2180	WMIC.exe
Token: SeSecurityPrivilege	2180	WMIC.exe
Token: SeTakeOwnershipPrivilege	2180	WMIC.exe
Token: SeLoadDriverPrivilege	2180	WMIC.exe
Token: SeSystemProfilePrivilege	2180	WMIC.exe
Token: SeSystemtimePrivilege	2180	WMIC.exe
Token: SeProfSingleProcessPrivilege	2180	WMIC.exe
Token: SeIncBasePriorityPrivilege	2180	WMIC.exe
Token: SeCreatePagefilePrivilege	2180	WMIC.exe
Token: SeBackupPrivilege	2180	WMIC.exe
Token: SeRestorePrivilege	2180	WMIC.exe
Token: SeShutdownPrivilege	2180	WMIC.exe
Token: SeDebugPrivilege	2180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2180	WMIC.exe
Token: SeRemoteShutdownPrivilege	2180	WMIC.exe
Token: SeUndockPrivilege	2180	WMIC.exe
Token: SeManageVolumePrivilege	2180	WMIC.exe
Token: 33	2180	WMIC.exe
Token: 34	2180	WMIC.exe
Token: 35	2180	WMIC.exe
Token: 36	2180	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2180	WMIC.exe
Token: SeSecurityPrivilege	2180	WMIC.exe
Token: SeTakeOwnershipPrivilege	2180	WMIC.exe
Token: SeLoadDriverPrivilege	2180	WMIC.exe
Token: SeSystemProfilePrivilege	2180	WMIC.exe
Token: SeSystemtimePrivilege	2180	WMIC.exe
Token: SeProfSingleProcessPrivilege	2180	WMIC.exe
Token: SeIncBasePriorityPrivilege	2180	WMIC.exe
Token: SeCreatePagefilePrivilege	2180	WMIC.exe
Token: SeBackupPrivilege	2180	WMIC.exe
Token: SeRestorePrivilege	2180	WMIC.exe
Token: SeShutdownPrivilege	2180	WMIC.exe
Token: SeDebugPrivilege	2180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2180	WMIC.exe
Token: SeRemoteShutdownPrivilege	2180	WMIC.exe
Token: SeUndockPrivilege	2180	WMIC.exe
Token: SeManageVolumePrivilege	2180	WMIC.exe
Token: 33	2180	WMIC.exe
Token: 34	2180	WMIC.exe
Token: 35	2180	WMIC.exe
Token: 36	2180	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1668	WMIC.exe
Token: SeSecurityPrivilege	1668	WMIC.exe
Token: SeTakeOwnershipPrivilege	1668	WMIC.exe
Token: SeLoadDriverPrivilege	1668	WMIC.exe
Token: SeSystemProfilePrivilege	1668	WMIC.exe
Token: SeSystemtimePrivilege	1668	WMIC.exe
Token: SeProfSingleProcessPrivilege	1668	WMIC.exe
Token: SeIncBasePriorityPrivilege	1668	WMIC.exe
Token: SeCreatePagefilePrivilege	1668	WMIC.exe
Token: SeBackupPrivilege	1668	WMIC.exe
Token: SeRestorePrivilege	1668	WMIC.exe
Token: SeShutdownPrivilege	1668	WMIC.exe
Token: SeDebugPrivilege	1668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1668	WMIC.exe
Token: SeRemoteShutdownPrivilege	1668	WMIC.exe
Token: SeUndockPrivilege	1668	WMIC.exe
Token: SeManageVolumePrivilege	1668	WMIC.exe
Token: 33	1668	WMIC.exe
Token: 34	1668	WMIC.exe
Token: 35	1668	WMIC.exe
Token: 36	1668	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 2912	4900	Sena.exe	96
PID 4900 wrote to memory of 2912	4900	Sena.exe	96
PID 4900 wrote to memory of 2912	4900	Sena.exe	96
PID 2912 wrote to memory of 3508	2912	cmd.exe	98
PID 2912 wrote to memory of 3508	2912	cmd.exe	98
PID 2912 wrote to memory of 3508	2912	cmd.exe	98
PID 3508 wrote to memory of 2180	3508	cmd.exe	99
PID 3508 wrote to memory of 2180	3508	cmd.exe	99
PID 3508 wrote to memory of 2180	3508	cmd.exe	99
PID 3508 wrote to memory of 2688	3508	cmd.exe	100
PID 3508 wrote to memory of 2688	3508	cmd.exe	100
PID 3508 wrote to memory of 2688	3508	cmd.exe	100
PID 2912 wrote to memory of 2292	2912	cmd.exe	101
PID 2912 wrote to memory of 2292	2912	cmd.exe	101
PID 2912 wrote to memory of 2292	2912	cmd.exe	101
PID 2912 wrote to memory of 2116	2912	cmd.exe	102
PID 2912 wrote to memory of 2116	2912	cmd.exe	102
PID 2912 wrote to memory of 2116	2912	cmd.exe	102
PID 2912 wrote to memory of 4024	2912	cmd.exe	103
PID 2912 wrote to memory of 4024	2912	cmd.exe	103
PID 2912 wrote to memory of 4024	2912	cmd.exe	103
PID 2912 wrote to memory of 3820	2912	cmd.exe	104
PID 2912 wrote to memory of 3820	2912	cmd.exe	104
PID 2912 wrote to memory of 3820	2912	cmd.exe	104
PID 2912 wrote to memory of 2520	2912	cmd.exe	105
PID 2912 wrote to memory of 2520	2912	cmd.exe	105
PID 2912 wrote to memory of 2520	2912	cmd.exe	105
PID 2520 wrote to memory of 1668	2520	cmd.exe	106
PID 2520 wrote to memory of 1668	2520	cmd.exe	106
PID 2520 wrote to memory of 1668	2520	cmd.exe	106
PID 2520 wrote to memory of 4404	2520	cmd.exe	107
PID 2520 wrote to memory of 4404	2520	cmd.exe	107
PID 2520 wrote to memory of 4404	2520	cmd.exe	107
PID 2912 wrote to memory of 4284	2912	cmd.exe	108
PID 2912 wrote to memory of 4284	2912	cmd.exe	108
PID 2912 wrote to memory of 4284	2912	cmd.exe	108
PID 2912 wrote to memory of 1752	2912	cmd.exe	109
PID 2912 wrote to memory of 1752	2912	cmd.exe	109
PID 2912 wrote to memory of 1752	2912	cmd.exe	109
PID 2912 wrote to memory of 3780	2912	cmd.exe	110
PID 2912 wrote to memory of 3780	2912	cmd.exe	110
PID 2912 wrote to memory of 3780	2912	cmd.exe	110
PID 2912 wrote to memory of 4800	2912	cmd.exe	111
PID 2912 wrote to memory of 4800	2912	cmd.exe	111
PID 2912 wrote to memory of 4800	2912	cmd.exe	111
PID 2912 wrote to memory of 3644	2912	cmd.exe	112
PID 2912 wrote to memory of 3644	2912	cmd.exe	112
PID 2912 wrote to memory of 3644	2912	cmd.exe	112
PID 3644 wrote to memory of 3384	3644	cmd.exe	113
PID 3644 wrote to memory of 3384	3644	cmd.exe	113
PID 3644 wrote to memory of 3384	3644	cmd.exe	113
PID 2912 wrote to memory of 3716	2912	cmd.exe	114
PID 2912 wrote to memory of 3716	2912	cmd.exe	114
PID 2912 wrote to memory of 3716	2912	cmd.exe	114
PID 4900 wrote to memory of 2912	4900	Sena.exe	96
PID 4900 wrote to memory of 2912	4900	Sena.exe	96
PID 4900 wrote to memory of 2912	4900	Sena.exe	96
PID 2912 wrote to memory of 3508	2912	cmd.exe	98
PID 2912 wrote to memory of 3508	2912	cmd.exe	98
PID 2912 wrote to memory of 3508	2912	cmd.exe	98
PID 3508 wrote to memory of 2180	3508	cmd.exe	99
PID 3508 wrote to memory of 2180	3508	cmd.exe	99
PID 3508 wrote to memory of 2180	3508	cmd.exe	99
PID 3508 wrote to memory of 2688	3508	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\Sena\Sena.exe
"C:\Users\Admin\AppData\Local\Temp\Sena\Sena.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Sena\bin\mac_changer.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2180
  - - C:\Windows\SysWOW64\findstr.exe
      findstr [0-9]
      4⤵
      System Location Discovery: System Language Discovery
      PID:2688
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2292
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2116
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4024
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 82B0E17AF4CF /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1668
  - - C:\Windows\SysWOW64\findstr.exe
      findstr [0-9]
      4⤵
      System Location Discovery: System Language Discovery
      PID:4404
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4284
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1752
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3780
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
      4⤵
      System Location Discovery: System Language Discovery
      PID:3384
- - C:\Windows\SysWOW64\netsh.exe
    netsh interface set interface name="Ethernet" disable
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Sena\bin\mac_changer.bat

Filesize
2KB

MD5
86630f471a1c7f40e8494347f9ab8249

SHA1
10a2139adfb884f01799de89bf9b9ccb2a8bb460

SHA256
c15faade0e71acd4abcb60a7e9f3f002a46d3d47bd294f7b12d811c871d1292c

SHA512
666fe7866c2bedc78aad081bddf7e4dc8a9038b173527dc9464dd9c0776314a8c3e1ec7f4d0f34aff0d946b94ed1178a5c665d79173d1bfe0a0a611f6af65369

Download Submit
memory/4900-7-0x000000000B2B0000-0x000000000B2BE000-memory.dmp

Filesize
56KB

Download
memory/4900-6-0x000000000B2E0000-0x000000000B318000-memory.dmp

Filesize
224KB

Download
memory/4900-3-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4900-4-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4900-5-0x000000000F090000-0x000000000F098000-memory.dmp

Filesize
32KB

Download
memory/4900-0-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/4900-1-0x00000000007F0000-0x00000000008FA000-memory.dmp

Filesize
1.0MB

Download
memory/4900-8-0x000000000B3A0000-0x000000000B406000-memory.dmp

Filesize
408KB

Download
memory/4900-11-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/4900-12-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4900-2-0x0000000007750000-0x000000000794A000-memory.dmp

Filesize
2.0MB

Download
memory/4900-13-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4900-4-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4900-1-0x00000000007F0000-0x00000000008FA000-memory.dmp

Filesize
1.0MB

Download
memory/4900-2-0x0000000007750000-0x000000000794A000-memory.dmp

Filesize
2.0MB

Download
memory/4900-3-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4900-0-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/4900-5-0x000000000F090000-0x000000000F098000-memory.dmp

Filesize
32KB

Download
memory/4900-7-0x000000000B2B0000-0x000000000B2BE000-memory.dmp

Filesize
56KB

Download
memory/4900-6-0x000000000B2E0000-0x000000000B318000-memory.dmp

Filesize
224KB

Download
memory/4900-8-0x000000000B3A0000-0x000000000B406000-memory.dmp

Filesize
408KB

Download
memory/4900-11-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/4900-12-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4900-13-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download