Analysis
Max time kernel: 150s
Max time network: 157s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 14-11-2024 03:47
Behavioral task: behavioral1
Sample: e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a.exe
Resource: win10v2004-20241007-en
General
Target: e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a.exe
Size: 93KB
MD5: d7526430b723e5b9b90defdb347897d4
SHA1: 00c6e39049ebbae9718f16ec6e12c6ddcff15ac3
SHA256: e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a
SHA512: 3efa57f9ef73e6349c728406157dcd6b420910e6c41c5e4c4d6460f9c12dbe497dce2ee1a82de118f78c997e579596be8de7ec3d66df20622e036c43ede18afe
SSDEEP: 768:hY3EcnD9O/pBcxYsbae6GIXb9pDX2t98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk3+sGV:fcxOx6baIa9RZj00ljEwzGi1dDaDxgS
Malware Config

Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  PID / Process: 312 netsh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation (e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a.exe)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe (server.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe (server.exe)
- Executes dropped EXE (1 IoC)
  PID / Process: 4340 server.exe
- Drops autorun.inf file (1 TTP, 4 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  File created: F:\autorun.inf (server.exe)
  File opened for modification: F:\autorun.inf (server.exe)
  File created: C:\autorun.inf (server.exe)
  File opened for modification: C:\autorun.inf (server.exe)
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\Explower.exe (server.exe)
  File opened for modification: C:\Windows\SysWOW64\Explower.exe (server.exe)
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\Explower.exe (server.exe)
  File opened for modification: C:\Program Files (x86)\Explower.exe (server.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
  Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
  Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (server.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (netsh.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID / Process: 4340 server.exe (the same entry repeated 64 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID / Process: 4340 server.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Token: SeDebugPrivilege, PID 4340 server.exe
  Token: 33, PID 4340 server.exe, alternating with Token: SeIncBasePriorityPrivilege, PID 4340 server.exe (17 pairs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3668 wrote to memory of 4340 (e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a.exe, procid_target 86), 3 entries
  PID 4340 wrote to memory of 312 (server.exe, procid_target 88), 3 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a.exe (PID 3668)
   Command line: "C:\Users\Admin\AppData\Local\Temp\e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe (PID 4340)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Drops startup file
      - Executes dropped EXE
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 312)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
         - Event Triggered Execution: Netsh Helper DLL
         - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads
- Filesize: 93KB
  MD5: d7526430b723e5b9b90defdb347897d4
  SHA1: 00c6e39049ebbae9718f16ec6e12c6ddcff15ac3
  SHA256: e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a
  SHA512: 3efa57f9ef73e6349c728406157dcd6b420910e6c41c5e4c4d6460f9c12dbe497dce2ee1a82de118f78c997e579596be8de7ec3d66df20622e036c43ede18afe
- Filesize: 5B
  MD5: 8f11404a507cfb98455f89a534077f73
  SHA1: 0716c668f504450353527aff1a6457b8348cf435
  SHA256: f7c301f3fcce1c2444b540090e5024f0cea1806ab8ae1d81901ecc3b63334cbb
  SHA512: 85403dd06da5851e8c4d727ca8d87cc0e7ff4974942ec22123366684ed0e51b543a29b6d2521e2e65784c69884fde8d711e5064f104b098293fcd18c44769492