9147c7836fe827450e7f0d66e8337fbd07928a0ea19f428db38657fbdffd2075

Analysis

max time kernel
134s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
13/09/2024, 19:44 UTC

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Server.exe
Size

93KB
MD5

deb54ef342e3a0ec27127a3e7d652d26
SHA1

e06df21ee97e502b70dc7bde782eb74207903eda
SHA256

9147c7836fe827450e7f0d66e8337fbd07928a0ea19f428db38657fbdffd2075
SHA512

a0a3b05849e2601c35f41f5bd6a281c012e16dc496bb6f6037cfa539dc4dc2e3d1d5bd8fdcf782a800096682cd8969316913ebd226d07a8eb66025980ca48a3f
SSDEEP

1536:z9PTr1IDavlZhbSKl9YdjEwzGi1dDUDSgS:z9PSDavlZIQmqi1da3

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3464	netsh.exe
3436	netsh.exe
4300	netsh.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Executes dropped EXE 2 IoCs

pid	Process
5608	server.exe
5140	tmp8BAC.tmp.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8BAC.tmp.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "253"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe
5608	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5608	server.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	5608	server.exe
Token: 33	5608	server.exe
Token: SeIncBasePriorityPrivilege	5608	server.exe
Token: 33	5608	server.exe
Token: SeIncBasePriorityPrivilege	5608	server.exe
Token: 33	5608	server.exe
Token: SeIncBasePriorityPrivilege	5608	server.exe
Token: 33	5608	server.exe
Token: SeIncBasePriorityPrivilege	5608	server.exe
Token: 33	5608	server.exe
Token: SeIncBasePriorityPrivilege	5608	server.exe
Token: 33	5608	server.exe
Token: SeIncBasePriorityPrivilege	5608	server.exe
Token: 33	5608	server.exe
Token: SeIncBasePriorityPrivilege	5608	server.exe
Token: 33	5608	server.exe
Token: SeIncBasePriorityPrivilege	5608	server.exe
Token: 33	5608	server.exe
Token: SeIncBasePriorityPrivilege	5608	server.exe
Token: 33	5608	server.exe
Token: SeIncBasePriorityPrivilege	5608	server.exe
Token: 33	5608	server.exe
Token: SeIncBasePriorityPrivilege	5608	server.exe
Token: SeShutdownPrivilege	5488	Shutdown.exe
Token: SeRemoteShutdownPrivilege	5488	Shutdown.exe
Token: 33	5608	server.exe
Token: SeIncBasePriorityPrivilege	5608	server.exe
Token: 33	5608	server.exe
Token: SeIncBasePriorityPrivilege	5608	server.exe
Token: 33	5608	server.exe
Token: SeIncBasePriorityPrivilege	5608	server.exe
Token: 33	5608	server.exe
Token: SeIncBasePriorityPrivilege	5608	server.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5660	PickerHost.exe
556	LogonUI.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 5608	3756	Server.exe	81
PID 3756 wrote to memory of 5608	3756	Server.exe	81
PID 3756 wrote to memory of 5608	3756	Server.exe	81
PID 5608 wrote to memory of 3464	5608	server.exe	82
PID 5608 wrote to memory of 3464	5608	server.exe	82
PID 5608 wrote to memory of 3464	5608	server.exe	82
PID 5608 wrote to memory of 3436	5608	server.exe	84
PID 5608 wrote to memory of 3436	5608	server.exe	84
PID 5608 wrote to memory of 3436	5608	server.exe	84
PID 5608 wrote to memory of 4300	5608	server.exe	85
PID 5608 wrote to memory of 4300	5608	server.exe	85
PID 5608 wrote to memory of 4300	5608	server.exe	85
PID 5608 wrote to memory of 5488	5608	server.exe	90
PID 5608 wrote to memory of 5488	5608	server.exe	90
PID 5608 wrote to memory of 5488	5608	server.exe	90
PID 5608 wrote to memory of 5140	5608	server.exe	94
PID 5608 wrote to memory of 5140	5608	server.exe	94
PID 5608 wrote to memory of 5140	5608	server.exe	94

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3756
- C:\ProgramData\server.exe
  "C:\ProgramData\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5608
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3464
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3436
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4300
- - C:\Windows\SysWOW64\Shutdown.exe
    Shutdown -r
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5488
- - C:\Users\Admin\AppData\Local\Temp\tmp8BAC.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp8BAC.tmp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4768

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5660

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a1a855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:556

Network

DNS

else-treatment.gl.at.ply.gg

server.exe

Remote address:

8.8.8.8:53

Request

else-treatment.gl.at.ply.gg

IN A

Response

else-treatment.gl.at.ply.gg

IN A

147.185.221.22
DNS

22.221.185.147.in-addr.arpa

server.exe

Remote address:

8.8.8.8:53

Request

22.221.185.147.in-addr.arpa

IN PTR

Response
DNS

self.events.data.microsoft.com

server.exe

Remote address:

8.8.8.8:53

Request

self.events.data.microsoft.com

IN A

Response

self.events.data.microsoft.com

IN CNAME

self-events-data.trafficmanager.net

self-events-data.trafficmanager.net

IN CNAME

onedscolprdeus03.eastus.cloudapp.azure.com

onedscolprdeus03.eastus.cloudapp.azure.com

IN A

20.42.73.24
DNS

24.73.42.20.in-addr.arpa

server.exe

Remote address:

8.8.8.8:53

Request

24.73.42.20.in-addr.arpa

IN PTR

Response

147.185.221.22:31932

else-treatment.gl.at.ply.gg

server.exe

4.7kB
79.2kB
75
107
147.185.221.22:31932

else-treatment.gl.at.ply.gg

server.exe

1.0kB
976 B
18
22
147.185.221.22:31932

else-treatment.gl.at.ply.gg

server.exe

819 B
52 B
12
1

8.8.8.8:53

else-treatment.gl.at.ply.gg

dns

server.exe

292 B
569 B
4
4

DNS Request

else-treatment.gl.at.ply.gg

DNS Response

147.185.221.22

DNS Request

22.221.185.147.in-addr.arpa

DNS Request

self.events.data.microsoft.com

DNS Response

20.42.73.24

DNS Request

24.73.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\server.exe

Filesize
93KB

MD5
deb54ef342e3a0ec27127a3e7d652d26

SHA1
e06df21ee97e502b70dc7bde782eb74207903eda

SHA256
9147c7836fe827450e7f0d66e8337fbd07928a0ea19f428db38657fbdffd2075

SHA512
a0a3b05849e2601c35f41f5bd6a281c012e16dc496bb6f6037cfa539dc4dc2e3d1d5bd8fdcf782a800096682cd8969316913ebd226d07a8eb66025980ca48a3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
408B

MD5
593f806d2255a76afcad5d4a8395781b

SHA1
3990edff12ef61875bb4206b25a97a9440a8998c

SHA256
beb8b3a764b3e94cc547be84090345e833be03d95d680ad4d75734ccd6485757

SHA512
97440ebd7f8aac1030fe83c7f32a40a986d0fa6faec2c8b8cfbce093a3f27e7626c0b6e768ce6c753ac4dddc4227057b3a6e1d5a652d1f4a9cf64fa8efbad017

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8BAC.tmp.exe

Filesize
28KB

MD5
6c2210ba180f0e1b9d831c3c6c14c8b4

SHA1
00bebdf704f4cabf254583c6ad87c6e72872b61a

SHA256
501c36ac282029ccf7950a4957d4c10ea72fe18f0ad8d6daeabfe628fa4070a7

SHA512
26a63ad05199cf45acd7519fbc63945097b4c4a89bb2cdfa4f87ba004e1ce106220b0b99419e656de26d164265b3868a9ce541c71b05d4e4db1a9a1343130e9b

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
bbcd2be775370c1e106e66d077a93f3b

SHA1
a44b6a98f30e3275fc304bc3b29e0eab8ae47f20

SHA256
a7aa76f137ba550c381cfb8e5195a01963ae49db167e1cd1e0a8b902ed81eda1

SHA512
bb6e0d1f24253a9525fd538debf8ca68eb7078cb8539140c184331a854ecdea192fbcc314c4154a0a474c9aec41a79efeb8150922454c3c9e71eeb5297ae2f72

Download Submit
memory/3756-0-0x0000000074F91000-0x0000000074F92000-memory.dmp

Filesize
4KB

Download
memory/3756-14-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3756-2-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3756-1-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/5140-53-0x00000000058A0000-0x0000000005E46000-memory.dmp

Filesize
5.6MB

Download
memory/5140-51-0x0000000000780000-0x000000000078E000-memory.dmp

Filesize
56KB

Download
memory/5140-52-0x0000000005250000-0x00000000052EC000-memory.dmp

Filesize
624KB

Download
memory/5140-54-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/5140-55-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/5140-56-0x0000000005520000-0x0000000005576000-memory.dmp

Filesize
344KB

Download
memory/5608-39-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/5608-16-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/5608-15-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/5608-57-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.