Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    15/09/2024, 18:20

General

  • Target

    Server.exe

  • Size

    93KB

  • MD5

    cae829650163a7e8f8f857b0ac6605ce

  • SHA1

    2c4259e3ee77f97174c8c3fffcf07ea7c44ccff6

  • SHA256

    81a3d311446404df9a2c3c845a0bf68021c524c5bd67047e52095b864079d17f

  • SHA512

    ac8fcf23c5be81c5938ae2d40cabb4cad8f3b80d79f6f2ed368b3ca75ce3b30e0ac03e9a34562ddc6a6e08be569d7b5e8857cefaa8e8819577358e4f13a43226

  • SSDEEP

    768:AY3xYnD9O/pBcxYsbae6GIXb9pDX2t98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk32sGg:5YxOx6baIa9RZj00ljEwzGi1dDSDigS

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 3 IoCs
  • Drops startup file 4 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows AutoRun to spread via attached volumes: an autorun.inf at the root of a drive names a program for Windows to launch when the volume is mounted. Since the 2011 AutoRun update Windows only honours autorun.inf on optical media, not on USB mass storage, so on current hosts the dropped copy mostly depends on the user opening it; the byte-identical C:\Umbrella.flv.exe listed under Downloads is that copy.

  • Drops file in System32 directory 2 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. Starting netsh loads the helper DLLs registered under HKLM\SOFTWARE\Microsoft\NetSh, which is why this technique (ATT&CK T1546.007) is reported for every netsh.exe launch. In this run the three netsh.exe children of Server.exe add, delete and re-add a Windows Firewall allowedprogram entry for the sample; no helper-DLL registration (netsh add helper) is visible in the process tree.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. The signature also fires on the netsh.exe children, so on its own it is weak evidence of deliberate targeting by locale.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
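The two propagation-related signatures above ("Drops autorun.inf file" and the self-copy to the drive root that appears under Downloads) are best checked together. The following Python is an added example, not part of the sandbox output: it parses an autorun.inf, extracts the program AutoRun would launch, and checks whether that file is a byte-identical copy of the sample. The autorun.inf text, the stand-in sample bytes and the "volume" dictionary are constructed for the example, since the report does not include the real file contents.

```python
"""Triage a dropped autorun.inf and the executable it launches.

Added example, not part of the sandbox report.  The report shows that the
sample wrote a byte-identical copy of itself to C:\\Umbrella.flv.exe and
dropped an autorun.inf; the autorun.inf text and the volume contents below
are constructed stand-ins (the real contents are not in the report).
"""
import configparser
import hashlib
import ntpath

# INF keys whose value names the program AutoRun/AutoPlay would execute.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Constructed stand-in for the sample's bytes; only its hash matters here.
SAMPLE_BYTES = b"MZ" + b"\x90" * 62 + b"constructed stand-in for Server.exe"
KNOWN_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()

# Constructed autorun.inf in the style worms use: every launch key points at
# the dropped copy, and the icon/action imitate an ordinary folder.
SAMPLE_AUTORUN = """[AutoRun]
open=Umbrella.flv.exe
shellexecute=Umbrella.flv.exe
shell\\open\\command=Umbrella.flv.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""
# Constructed volume root: file name -> bytes.
SAMPLE_VOLUME = {
    "autorun.inf": SAMPLE_AUTORUN.encode(),
    "Umbrella.flv.exe": SAMPLE_BYTES,
}


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys.

    autorun.inf is INI-like and case-insensitive on Windows, so section and
    key names are normalised; strict=False tolerates the duplicate keys that
    worm-written files often contain.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str.lower
    cp.read_string(text)
    for section in cp.sections():
        if section.strip().lower() == "autorun":
            return dict(cp.items(section))
    return {}


def launch_targets(entries):
    """Distinct programs (as written in the INF) that AutoRun would start."""
    targets = []
    for key in LAUNCH_KEYS:
        value = (entries.get(key) or "").strip()
        if not value:
            continue
        # First token of the command line, with surrounding quotes removed.
        exe = value.split('"')[1] if value.startswith('"') else value.split()[0]
        if exe not in targets:
            targets.append(exe)
    return targets


def assess(autorun_text, volume, known_sha256):
    """Score one volume; returns the launch targets and indicator names."""
    entries = parse_autorun(autorun_text)
    targets = launch_targets(entries)
    findings = []
    for target in targets:
        name = ntpath.basename(target)
        stem, ext = ntpath.splitext(name)
        # A second extension hidden in the stem, e.g. 'Umbrella.flv.exe'.
        if ext.lower() in EXEC_EXTS and "." in stem:
            findings.append("double_extension:" + name)
        data = volume.get(name)
        if data is None:
            findings.append("target_missing:" + name)
        elif hashlib.sha256(data).hexdigest() == known_sha256:
            findings.append("self_copy:" + name)   # same bytes as the sample
    # A folder icon borrowed from shell32.dll and an AutoPlay-style prompt make
    # the launch entry look like Explorer's own "open folder" choice.
    if "shell32.dll" in (entries.get("icon") or "").lower():
        findings.append("icon_from_shell32")
    if "open folder" in (entries.get("action") or "").lower():
        findings.append("action_mimics_autoplay")
    return {"targets": targets, "findings": findings}


if __name__ == "__main__":
    print(assess(SAMPLE_AUTORUN, SAMPLE_VOLUME, KNOWN_SHA256))
```

When run against a real drive, read autorun.inf and the referenced file from the volume root and pass the sample's SHA256 from the report (81a3d311...d17f) as known_sha256; a self_copy finding then confirms the worm-style spread rather than inferring it from the file name alone.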

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • Drops startup file
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3324
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2812
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2840
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:448
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:492
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
    PID:2084
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3a24055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2948

  The three processes above sit at depth 1, i.e. they are not descendants of Server.exe; they are Windows components the sandbox observed during the run, so the signatures attributed to LogonUI.exe should not be counted as sample behaviour without a link back to PID 3324.
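The process tree shows the sample allow-listing itself in Windows Firewall through the deprecated netsh firewall context, and doing so three times (add, delete, add). As an added example that is not part of the sandbox output, the Python below scores netsh invocations from process-creation events: the three netsh.exe command lines are reproduced verbatim as constructed event records (Sysmon Event ID 1 style), the parent PID of Server.exe and the benign installer rows are made up for contrast, and both the legacy netsh firewall syntax and the netsh advfirewall syntax that replaced it are handled.

```python
"""Flag Windows Firewall changes made through netsh in process-creation data.

Added example, not part of the sandbox report.  The three netsh.exe rows from
the process tree are reproduced below as constructed event records (the
parent PID of Server.exe and the pid 4000/5000 installer rows are made up).
Handles the legacy 'netsh firewall' context the sample uses and the
'netsh advfirewall' syntax that replaced it.
"""
import ntpath
import re
from collections import Counter

# Windows command-line tokens: runs of non-space text and "quoted" spans.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')

# Path fragments that an unprivileged user can normally write to.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\",
                 "\\windows\\temp\\", "\\downloads\\")

# Constructed events in Sysmon EID 1 style; the netsh command lines are
# verbatim from the report, PID 1000 and the 4000/5000 rows are made up.
EVENTS = [
    {"pid": 3324, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\Server.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Server.exe"'},
    {"pid": 2812, "ppid": 3324, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE'},
    {"pid": 2840, "ppid": 3324, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"'},
    {"pid": 448, "ppid": 3324, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE'},
    {"pid": 4000, "ppid": 1, "image": r"C:\Program Files\Example\setup.exe",
     "cmdline": r'"C:\Program Files\Example\setup.exe"'},
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Example App" dir=in action=allow program="C:\Program Files\Example\app.exe"'},
]


def split_cmdline(cmdline):
    return [tok.replace('"', "") for tok in TOKEN_RE.findall(cmdline)]


def parse_netsh_firewall(cmdline):
    """Return None unless cmdline is a netsh firewall change, else a summary."""
    toks = split_cmdline(cmdline)
    if len(toks) < 3 or ntpath.basename(toks[0]).lower() not in ("netsh", "netsh.exe"):
        return None
    low = [t.lower() for t in toks]
    kv = {k.lower(): v for k, v in (t.split("=", 1) for t in toks if "=" in t)}
    info = {"context": low[1], "verb": None, "program": None, "disables_firewall": False}
    if low[1] == "firewall":            # deprecated context, still accepted
        info["verb"] = low[2]
        if len(toks) > 4 and low[3] == "allowedprogram":
            # positional form: add allowedprogram <path> <name> [ENABLE|DISABLE]
            info["program"] = kv.get("program", toks[4])
        if low[2:4] == ["set", "opmode"] and ("disable" in low or kv.get("mode", "").lower() == "disable"):
            info["disables_firewall"] = True
    elif low[1] == "advfirewall":
        if low[2] == "firewall" and len(low) > 3:
            info["verb"] = low[3]
            info["program"] = kv.get("program")
        elif low[2] == "set" and "state" in low and "off" in low:
            info["disables_firewall"] = True
    else:
        return None                     # another netsh context (interface, wlan, ...)
    return info


def is_user_writable(path):
    return any(frag in ntpath.normcase(path) for frag in USER_WRITABLE)


def analyze(events):
    """Return one finding per suspicious netsh invocation, in event order."""
    by_pid = {e["pid"]: e for e in events}
    adds = Counter()
    findings = []
    for e in events:
        info = parse_netsh_firewall(e["cmdline"])
        if info is None:
            continue
        parent = by_pid.get(e["ppid"])
        prog = info["program"]
        reasons = []
        if info["disables_firewall"]:
            reasons.append("firewall_disabled")
        if prog and is_user_writable(prog):
            reasons.append("rule_for_user_writable_path")
        if parent and is_user_writable(parent["image"]):
            reasons.append("parent_in_user_writable_path")
        if prog and parent and ntpath.normcase(prog) == ntpath.normcase(parent["image"]):
            reasons.append("parent_allowlists_itself")
        if info["verb"] == "add" and prog:
            adds[ntpath.normcase(prog)] += 1
            if adds[ntpath.normcase(prog)] > 1:
                reasons.append("rule_recreated")    # add / delete / add churn
        if reasons:
            findings.append({"pid": e["pid"], "verb": info["verb"],
                             "program": prog, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Keying the rule on the program path (rather than on a single add event) matters here because the sample deletes and re-creates its entry; a detection that fires once per add would still catch it, but a suppression window keyed on the first add would hide the re-creation.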

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Umbrella.flv.exe
        (same size and identical MD5/SHA1/SHA256/SHA512 as Server.exe: a copy of the sample written to the volume root under a media-looking double extension, consistent with the "Drops autorun.inf file" signature above)

        Filesize

        93KB

        MD5

        cae829650163a7e8f8f857b0ac6605ce

        SHA1

        2c4259e3ee77f97174c8c3fffcf07ea7c44ccff6

        SHA256

        81a3d311446404df9a2c3c845a0bf68021c524c5bd67047e52095b864079d17f

        SHA512

        ac8fcf23c5be81c5938ae2d40cabb4cad8f3b80d79f6f2ed368b3ca75ce3b30e0ac03e9a34562ddc6a6e08be569d7b5e8857cefaa8e8819577358e4f13a43226

      • C:\Windows - Shortcut.lnk

        Filesize

        911B

        MD5

        d057817d0f9581084162a4c52190f5fe

        SHA1

        df6af85eb3a50a7858f0908a229cc3de134315d4

        SHA256

        93c1b77aeee2757545bb9421dc26677d4fc7e17214ab203e54b9d101ed3df69f

        SHA512

        0cf5e2d71d3da1d3237f12a772501e0753b7d38f1c50578680e68f2e39c68321d9c51698a59126c62bb54189f5f6cdc63df3b849e3629b46c2d23e08d1cd7cc9

      • C:\vcredist2010_x86.log-MSI_vc_red.msi.txt

        Filesize

        396KB

        MD5

        41f950c853058c1dc7326345cbe5f643

        SHA1

        cdd16e1ac63327b9d1ece4ca8d5465dfa503e733

        SHA256

        9b83fc3ce0f91605539e4af1edfd07e42eeaa92a3deafbe57f7eb06353979f52

        SHA512

        44bab1d750315c231e60e6cca843ac7258f9e8ec08367cab9f19f99c0a6130aed4b12a4274eec9f540f9f2842c90dc45afc7b1b7a48b749438fae2b05cc8a9d8

      • C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log

        Filesize

        167KB

        MD5

        21e5c7cf4bff26600060ed008c8aae07

        SHA1

        7f61bf334ad4b55c93341d005868d39de9b3b5d0

        SHA256

        421b16db16f871ec30e1f90c76d923fcd6f67e9788b60d45d3f9de56892df4f8

        SHA512

        79a70eec107aee3f95f88e131927c1e7a191ec6284049949a27932113b0ea0403d1e8c63dec94b590a2caa1fc4d42d166acb52646cf162d050ab72e57fc06897

      • C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log

        Filesize

        195KB

        MD5

        67474b0d87e8c01234e8f740cdac9efe

        SHA1

        36638bc9b75b85bec65f0f2d9c4ecfe675a991a4

        SHA256

        7c5be1bafd8fc23b18295b9c48a5654f4f62de969b6ba772a42802391f145556

        SHA512

        96e0341e087c69d635f1e37a32a8d58ff85ac6ef1d3269e78393b1596f72ff10895f682182398967ec4d7cbe1bd5d22e0c7dcb29ddf5a6e01b20a12c17d8b3c2

      • C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log

        Filesize

        171KB

        MD5

        d767a665ff723964d522749d4ef58087

        SHA1

        b2f1f79a4dcae65fce65b034d8ad25a7b481e1b7

        SHA256

        c79fec834b45d12f1694e51e858c52534c3fe0505b45b6360575ef9b60186130

        SHA512

        90e8f7e1bc28262fb1bdd7d852eb4c1b17eccf0ec6fcc41722e2449b2d231d77edcde2935c9de46f5a2abfabfeec7672e8a788c28ba09acd7b7ecdb5ac03b3b5

      • C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log

        Filesize

        208KB

        MD5

        a3f5c53079021202e723b296cc25b957

        SHA1

        5bc98579ed61654f510d71a474db8a98838b2fab

        SHA256

        ba4233e1353127445512d4dcfd3ac7319c8582c11ef75c04c8a91433cf6cd79f

        SHA512

        1828bedbf157bcab4dcb4da99fbf568ec4b03c123291c3cdb25cd964891514f1b739ab8abfc16c6b1a2e37c918daa3d0962d4552eef56b09c773558c241e7283

      • C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log

        Filesize

        170KB

        MD5

        9bbc60dabc19dd70ba4bb23888bcf675

        SHA1

        8c574ab040c7d390a3a22ee8721278a4fa44c0d8

        SHA256

        0eff9b85cd3341cbff9aa1ea12a04f3030f2155719f36651c7209ec7fbfc27bc

        SHA512

        7b93ddd490380a75f46e4440661e211be9ec7e699d22c09b16ab634980d7c1545623ac1620edfe736c0ae14df3cc8b441c51e5ac588048f1b88b16c8c7df8df2

      • C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log

        Filesize

        190KB

        MD5

        bdc6d1d047c4a27685a0c7e995d290d0

        SHA1

        688be72056ea606235963688d2862ce2a8c6787b

        SHA256

        ff0bae7daf82379d7907c1fdd6f2326f1f346b2565d337bcafddb0a82571e7e3

        SHA512

        0367a2359c8f25b12a5e9533e4595fe4ecc577e538587b85bf17326d8ed5a73e01a14fc395f8033f1395954134f0f17996d9f1d9409a7cfee0eb8d13a7897b09

      • C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log

        Filesize

        170KB

        MD5

        af212e1db3119edfa2585a3f0a8e4a24

        SHA1

        8316de83c43d845f6eaf4ca00e5d0153c64a89c5

        SHA256

        b4875d9f9b9b01ce2c18c2e69630b50d28e17ce60af0cb7124850e7a4a246f97

        SHA512

        3bade0342e8e2dbe1c6c9b65d33b50b43b7e49671cfb201ee05e4e842480f4f2282e95392b7948f414c86a0610b02f391432bb2881965db169200a8be071447d

      • C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log

        Filesize

        198KB

        MD5

        f4c57aaeda9a14be4fabfa95dd838ca6

        SHA1

        3c8e9bc90225f813015a3137087b9b68bac30ea1

        SHA256

        c99ecba1067dfe9bcfb4bdb6fb36427b29c06a0236f918a45870142c2f6e4926

        SHA512

        889657b3749980ba2025bc5b2196edc8ca6de71067a8b76d6e2aa775e86eb4b7c46d20c4d29c258119c3b4879fd111bbcbf91ff3f8fc2d50c0da6457d53421e4

      • C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log

        Filesize

        123KB

        MD5

        75503358514a0222ffccf541f9236b7d

        SHA1

        68f64d0986f12836411cedb78d7b49462de42f65

        SHA256

        bdef77ceb71698bbef557caa1af25af991393e7fbb45c1118fe0a7c91fe9ffcc

        SHA512

        9905f0958ba115d28535a8f61c1ea707191728904c0310c9a43f1a2be7dc077c7cbd59d3b73062911b26b97eb927408e9deac5a850b5a357e32385b035791ec7

      • C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log

        Filesize

        129KB

        MD5

        74e6fb88c9adc6cb86a4605b16e34fcb

        SHA1

        065fecd502727305fbb79c770e6c4a4170dec441

        SHA256

        477ee7e4577d89ce948783049de0a3c522665efc5df5238b5e4f2cc6bfc9cb8d

        SHA512

        70562a41639b299d85e7c4e0176be4023ab1c3d6fdb60613a6813703bbc1ebff84524eee58276db45b3401643fa85aa908d8580b10bc50ae999db72469b5cbe7

      • C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log

        Filesize

        123KB

        MD5

        d4a6bd21bdcf705d9fa0af246dd551f6

        SHA1

        ae06f62f153d13d8f52e699703b0af88b11d58aa

        SHA256

        2fbe418b8c0a6ad86b733c78dabc816299595072bf0bf17e5e4aee2fec671b17

        SHA512

        c48ee45e9471f21c6a14d018df3ad09199765e3bcfc660d007a57d93d7440c0f224039f1c84e59c994c488aecc017c9b1c8e1cd875ad3a64fdb821f7fcbfe21d

      • C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log

        Filesize

        135KB

        MD5

        7ce31a8b34b584502fb2a9a478887bf1

        SHA1

        e13a7a08112cd660c1ab14b2101800a3ee8ca012

        SHA256

        0e3ac154deb199a5d7d7a0c9b7284dca4c3216ef41cc0bc75eafd0458c9462ff

        SHA512

        77b6cfb330b9594a1fc9eebf2646e3ae580c45cc7953e223c27bdf162c047a175957e171e6bb0dcc332794c62019277dea5d5929b1356b958dad475f01b19cac

      • memory/3324-17-0x0000000074A20000-0x0000000074FD1000-memory.dmp

        Filesize

        5.7MB

      • memory/3324-18-0x0000000074A20000-0x0000000074FD1000-memory.dmp

        Filesize

        5.7MB

      • memory/3324-0-0x0000000074A21000-0x0000000074A22000-memory.dmp

        Filesize

        4KB

      • memory/3324-16-0x0000000074A20000-0x0000000074FD1000-memory.dmp

        Filesize

        5.7MB

      • memory/3324-3-0x0000000074A20000-0x0000000074FD1000-memory.dmp

        Filesize

        5.7MB

      • memory/3324-2-0x0000000074A20000-0x0000000074FD1000-memory.dmp

        Filesize

        5.7MB

      • memory/3324-1-0x0000000074A20000-0x0000000074FD1000-memory.dmp

        Filesize

        5.7MB

      • memory/3324-38-0x0000000074A20000-0x0000000074FD1000-memory.dmp

        Filesize

        5.7MB