Overview

overview

10

Static

static

10

Server.exe

windows7-x64

8

Server.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    09-11-2024 13:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Server.exe

  • Size

    37KB

  • MD5

    335be1326b13b14c6ee270b44ed2cf06

  • SHA1

    dc98abe479388455a9b3e758f48946f3bdfc6213

  • SHA256

    94350910c19be89121292a1ea10101b6ff95c0ae0067c3ab2a4b28f96da41d52

  • SHA512

    3d05817caea6789e2bf580e34e7703df6adc0bf23d94a475afd1fd52035f829597ef3581f71a1ddc4d0fdbc65a43fb60212cc589c41a6f1a15868947ffb45a1c

  • SSDEEP

    384:6+OIiu/jtD+P3V+y0bFwRktv7ms2cPPrAF+rMRTyN/0L+EcoinblneHQM3epzXog:rXmV10bFwRktalc3rM+rMRa8Nuagt

Score
8/10
discoveryevasionpersistenceprivilege_escalation

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:3028
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.0.1589848879\387928571" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e07c893-98be-46af-9fbe-8e5da97eaab0} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 1296 45df858 gpu
        3⤵
          PID:584
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.1.845802120\1757282504" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11d15c36-1f93-44a4-874a-e845ffc1f22e} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 1488 e71c58 socket
          3⤵
          • Checks processor information in registry
          PID:2100
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.2.1821165699\2088058912" -childID 1 -isForBrowser -prefsHandle 1852 -prefMapHandle 1972 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 784 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc0c33b3-3441-42fe-9a58-a2904e9d79a2} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 1948 1a180d58 tab
          3⤵
            PID:1780
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.3.347734653\926211056" -childID 2 -isForBrowser -prefsHandle 2412 -prefMapHandle 2396 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 784 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce05cbe3-e1ef-44dc-86d2-c58ce8261409} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 2500 1acdb558 tab
            3⤵
              PID:1100
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.4.1157790448\1059023946" -childID 3 -isForBrowser -prefsHandle 2972 -prefMapHandle 2968 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 784 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd26173b-61e8-4dd2-b316-3c86d01a4310} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 2984 e62258 tab
              3⤵
                PID:852
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.5.368525071\1181584512" -childID 4 -isForBrowser -prefsHandle 3636 -prefMapHandle 3860 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 784 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdd4fecc-c95b-433f-98b2-230429072ce6} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 3872 1ed21958 tab
                3⤵
                  PID:2944
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.6.475490268\265587501" -childID 5 -isForBrowser -prefsHandle 3980 -prefMapHandle 3984 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 784 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd143a30-6cf6-4c95-9d40-ab00d4c8bc3a} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 3968 1ed22558 tab
                  3⤵
                    PID:1932
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.7.2049221718\1244165466" -childID 6 -isForBrowser -prefsHandle 4172 -prefMapHandle 4176 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 784 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8045d33d-eb46-4aea-bd93-f2a8f588c50d} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 4160 20944558 tab
                    3⤵
                      PID:2712
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.8.323199113\746262064" -childID 7 -isForBrowser -prefsHandle 4584 -prefMapHandle 4580 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 784 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28183239-b11b-4491-a73d-f1371fdf55ad} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 4564 20605558 tab
                      3⤵
                        PID:3108
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.9.913534667\295818067" -childID 8 -isForBrowser -prefsHandle 3928 -prefMapHandle 2248 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 784 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eed8a11e-00fd-41ce-9664-208dc61cab18} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 4132 1bb97458 tab
                        3⤵
                          PID:3856

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmhyv50e.default-release\activity-stream.discovery_stream.json.tmp
                      Filesize

                      23KB

                      MD5

                      b24891fd8b60aaba4506090f81949181

                      SHA1

                      86c0b7a7e2e2ab052039f3553c73b947bba177ea

                      SHA256

                      9efe04ed0fc8c0d96d71504e6a62c3e236cb57a6680f59d2793d99d3e189a315

                      SHA512

                      919aac51d05e40011f338e52722226738468b81c0b5c3c04744479c6552b453793fb55982efb13d0b8d952ddc965c0e2ec06593cb8222e24e171bb5f9c9dbb77

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmhyv50e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                      Filesize

                      13KB

                      MD5

                      f99b4984bd93547ff4ab09d35b9ed6d5

                      SHA1

                      73bf4d313cb094bb6ead04460da9547106794007

                      SHA256

                      402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069

                      SHA512

                      cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\datareporting\glean\db\data.safe.bin
                      Filesize

                      3KB

                      MD5

                      b60dc63057135faae5e7040e4b45d457

                      SHA1

                      8d413ba7a226fb32f155154b40807b066e53d0bd

                      SHA256

                      9a1a10d1121ba93928678760f2e3a0f2fe0ad02ffec9b88f30533c87d2d9ef31

                      SHA512

                      fd699a15859a9eced924664b578c3c9d5e04329993b57a540c5f6db1cb7f3fcba77b50c64921227a9054df3f7421c60fecbd003adaa8510487c5b41533f49d38

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\datareporting\glean\db\data.safe.bin
                      Filesize

                      2KB

                      MD5

                      b0203601594b775a82ca8c266ab4e515

                      SHA1

                      ce9284c3f960fe2b531792b68f17c265a063d7f8

                      SHA256

                      db92b268015764bbcb71d81d6040a22e403cb20ba14fa6ea3b138adf2f159e4b

                      SHA512

                      559232860fc85de6ccaee96efd26ecfef84b65a45b8f12af8842a4e3bcf59fd1d434b6eb2221cb2ea335f2b2b657717484a241d919b6531c5c4b0c0a085027ad

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\datareporting\glean\db\data.safe.bin
                      Filesize

                      2KB

                      MD5

                      5642902f71aea141c14d92dca7db79b7

                      SHA1

                      99b6bf85dfa97d7d0878826e80b422d4f7d1e5b6

                      SHA256

                      f762e0401e9d4bc39ec074d001799a74f6fe42aaff9c3053c2d09282b0b73b4f

                      SHA512

                      9fca7146343dcf314895eb1cac73ba7c4914e633095286444a75b39b119aeb6ed431136bd80f1966eea932de83bd260aec2ea1c20d83c041217bf2613c86c5a7

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\datareporting\glean\pending_pings\91f393d9-38a2-478d-8411-8e8a39abd000
                      Filesize

                      745B

                      MD5

                      bd59ba1a21081353007e3a4a2638d6e7

                      SHA1

                      e8a2ad601b4781ad7ed38abe35fbdee37cec5b0a

                      SHA256

                      32fca2ae62e2c9daff4f994de4bb8cb5139ae59870985b0e093b13dad9ea839e

                      SHA512

                      537c9d01807f31e38f716542220091fb476f9c474643ebdf15a55a4d04c072d6bf20c55f8ad39b2cd67b5aeb4bd927fda48c3cb65b3b9d9ff8c83a09e961f791

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\datareporting\glean\pending_pings\9cec36e3-3e75-47ca-8d0b-bdd3f77df241
                      Filesize

                      10KB

                      MD5

                      e6ff078547759c55d2ebf5441697320d

                      SHA1

                      40b44fd4eff40215499b6dfc0c46fe94c2662516

                      SHA256

                      dec7660f97f732c0fc1e2fd116d2a4ef60b791a5a8eb0148ff463ab6ae31e8fd

                      SHA512

                      86f4bf6e3885a392c51860a76fd3306cc4bf4eb5e4f37aad0dc89ad14bd3a53b9523f781e57c350684fb0da652ef425fc57d29a5a3bff868103945bbb197242e

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      d41a2199b58655cfa77775032cc1443c

                      SHA1

                      d4ba48640db2302a87891c86a5ae542cd599cbbf

                      SHA256

                      c197f886a236430e86e87c0d3dce3c7c5ce54406f4ced0fb4713f2dca768b72c

                      SHA512

                      289855ecf7c12d876c58878aead088f0908a09c3010ea8a4b3b7a702e312ecec46bfc81429b8efab356753674341bcb372def16c3b4e94945d0cd643af3b1d44

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      1KB

                      MD5

                      5983a4e38045e93576a02c2f5f3ba31f

                      SHA1

                      1b4ce7fa2dfc5df2898649db05a100a3f4800554

                      SHA256

                      90a3ddb7ad0f6ff785eb7df82a323686d8ebc7b75dce5cf010d4db0e3e8381d4

                      SHA512

                      ed90e8b13faf0d51d30d1e8d82861699b7cf6c9be579600973247d08ba6f916197c644d7775d284422746d80f1d923159251397a950867d02c671719d3103dd0

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\sessionstore.jsonlz4
                      Filesize

                      4KB

                      MD5

                      6ff20085834f01bf583959ba251c29d8

                      SHA1

                      407a7c61da62a4eccb52006bbf78aef1cba15ad2

                      SHA256

                      101b148648018c720e0bed48550385a19a88ba0b764e8c1112aedb3813ba339c

                      SHA512

                      8d02c8b151877f548f42f36b29f3db3049212861b1fac74493f76cb255efddd3392e1944737db9c1be3fe9937e2cf6f42c4097d9b1e4ad98e7088c8cd5bd2d7c

                      Download Submit

                    • memory/2372-0-0x0000000074FC1000-0x0000000074FC2000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2372-3-0x0000000074FC0000-0x000000007556B000-memory.dmp

                      Filesize

                      5.7MB

                      Download

                    • memory/2372-2-0x0000000074FC0000-0x000000007556B000-memory.dmp

                      Filesize

                      5.7MB

                      Download

                    • memory/2372-1-0x0000000074FC0000-0x000000007556B000-memory.dmp

                      Filesize

                      5.7MB

                      Download

                    • memory/2372-527-0x0000000074FC0000-0x000000007556B000-memory.dmp

                      Filesize

                      5.7MB

                      Download

                    • memory/2372-528-0x0000000074FC0000-0x000000007556B000-memory.dmp

                      Filesize

                      5.7MB

                      Download