Analysis
-
max time kernel
117s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 08:24
Behavioral task
behavioral1
Sample
1d34e2601766e0950cbd90e75e70306b475489e31c8cc2bee00c70b887e4ae15.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
1d34e2601766e0950cbd90e75e70306b475489e31c8cc2bee00c70b887e4ae15.exe
Resource
win10v2004-20241007-en
General
-
Target
1d34e2601766e0950cbd90e75e70306b475489e31c8cc2bee00c70b887e4ae15.exe
-
Size
93KB
-
MD5
f7f745caed820795ba80e629ba4bbbca
-
SHA1
3af0797e467d67dd5ffc45c8954afd468989d84b
-
SHA256
1d34e2601766e0950cbd90e75e70306b475489e31c8cc2bee00c70b887e4ae15
-
SHA512
b8b2cbe7a7d7ffb7f6a66972dd73c24302455d7dc7a63d11cb4cdf2980ebea0efbea32343a3167b9f727f86a4fee6188fc71f427a21665978bfec8fbcb6907dd
-
SSDEEP
1536:s4UpR8lZc+/2HK1j+fTd5jEwzGi1dDWD5gS4:s4UpKc+/2HK1oTdWi1dQ2p
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 25 IoCs
pid Process 2764 netsh.exe 4672 netsh.exe 2968 netsh.exe 3304 netsh.exe 4620 netsh.exe 380 netsh.exe 2984 netsh.exe 4768 netsh.exe 3028 netsh.exe 3300 netsh.exe 5004 netsh.exe 2664 netsh.exe 492 netsh.exe 3700 netsh.exe 4688 netsh.exe 548 netsh.exe 1420 netsh.exe 4512 netsh.exe 3652 netsh.exe 2780 netsh.exe 3460 netsh.exe 648 netsh.exe 4584 netsh.exe 3448 netsh.exe 3452 netsh.exe -
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation server.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation server.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation 1d34e2601766e0950cbd90e75e70306b475489e31c8cc2bee00c70b887e4ae15.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation server.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation server.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation server.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation server.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation server.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation server.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation svchost.exe -
Drops startup file 20 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31a76954e6446acb903929bf0d0d71d9Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31a76954e6446acb903929bf0d0d71d9Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31a76954e6446acb903929bf0d0d71d9Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31a76954e6446acb903929bf0d0d71d9Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31a76954e6446acb903929bf0d0d71d9Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31a76954e6446acb903929bf0d0d71d9Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31a76954e6446acb903929bf0d0d71d9Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31a76954e6446acb903929bf0d0d71d9Windows Update.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31a76954e6446acb903929bf0d0d71d9Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31a76954e6446acb903929bf0d0d71d9Windows Update.exe server.exe -
Executes dropped EXE 17 IoCs
pid Process 2968 server.exe 456 svchost.exe 4496 server.exe 2756 svchost.exe 1756 server.exe 2540 svchost.exe 836 server.exe 1740 svchost.exe 5088 server.exe 3232 svchost.exe 1256 server.exe 4300 svchost.exe 3060 server.exe 3912 svchost.exe 4572 server.exe 1072 svchost.exe 3420 server.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf server.exe File opened for modification C:\autorun.inf server.exe File created F:\autorun.inf server.exe File opened for modification F:\autorun.inf server.exe -
Drops file in System32 directory 10 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File created C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 43 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1d34e2601766e0950cbd90e75e70306b475489e31c8cc2bee00c70b887e4ae15.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe 2968 server.exe -
Suspicious behavior: GetForegroundWindowSpam 9 IoCs
pid Process 2968 server.exe 4496 server.exe 1756 server.exe 836 server.exe 5088 server.exe 1256 server.exe 3060 server.exe 4572 server.exe 3420 server.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 2968 server.exe Token: SeDebugPrivilege 4496 server.exe Token: SeDebugPrivilege 1756 server.exe Token: SeDebugPrivilege 836 server.exe Token: SeDebugPrivilege 5088 server.exe Token: SeDebugPrivilege 1256 server.exe Token: SeDebugPrivilege 3060 server.exe Token: SeDebugPrivilege 4572 server.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2808 wrote to memory of 2968 2808 1d34e2601766e0950cbd90e75e70306b475489e31c8cc2bee00c70b887e4ae15.exe 83 PID 2808 wrote to memory of 2968 2808 1d34e2601766e0950cbd90e75e70306b475489e31c8cc2bee00c70b887e4ae15.exe 83 PID 2808 wrote to memory of 2968 2808 1d34e2601766e0950cbd90e75e70306b475489e31c8cc2bee00c70b887e4ae15.exe 83 PID 2968 wrote to memory of 492 2968 server.exe 86 PID 2968 wrote to memory of 492 2968 server.exe 86 PID 2968 wrote to memory of 492 2968 server.exe 86 PID 2968 wrote to memory of 4768 2968 server.exe 96 PID 2968 wrote to memory of 4768 2968 server.exe 96 PID 2968 wrote to memory of 4768 2968 server.exe 96 PID 2968 wrote to memory of 2780 2968 server.exe 97 PID 2968 wrote to memory of 2780 2968 server.exe 97 PID 2968 wrote to memory of 2780 2968 server.exe 97 PID 2968 wrote to memory of 456 2968 server.exe 100 PID 2968 wrote to memory of 456 2968 server.exe 100 PID 2968 wrote to memory of 456 2968 server.exe 100 PID 456 wrote to memory of 4496 456 svchost.exe 101 PID 456 wrote to memory of 4496 456 svchost.exe 101 PID 456 wrote to memory of 4496 456 svchost.exe 101 PID 4496 wrote to memory of 3028 4496 server.exe 102 PID 4496 wrote to memory of 3028 4496 server.exe 102 PID 4496 wrote to memory of 3028 4496 server.exe 102 PID 4496 wrote to memory of 3700 4496 server.exe 105 PID 4496 wrote to memory of 3700 4496 server.exe 105 PID 4496 wrote to memory of 3700 4496 server.exe 105 PID 4496 wrote to memory of 2764 4496 server.exe 106 PID 4496 wrote to memory of 2764 4496 server.exe 106 PID 4496 wrote to memory of 2764 4496 server.exe 106 PID 4496 wrote to memory of 2756 4496 server.exe 109 PID 4496 wrote to memory of 2756 4496 server.exe 109 PID 4496 wrote to memory of 2756 4496 server.exe 109 PID 2756 wrote to memory of 1756 2756 svchost.exe 111 PID 2756 wrote to memory of 1756 2756 svchost.exe 111 PID 2756 wrote to memory of 1756 2756 svchost.exe 111 PID 1756 wrote to memory of 3300 1756 server.exe 113 PID 1756 wrote to memory of 3300 1756 server.exe 113 PID 1756 wrote to memory of 3300 1756 server.exe 113 PID 1756 wrote to memory of 4672 1756 server.exe 117 PID 1756 wrote to memory of 4672 1756 server.exe 117 PID 1756 wrote to memory of 4672 1756 server.exe 117 PID 1756 wrote to memory of 5004 1756 server.exe 118 PID 1756 wrote to memory of 5004 1756 server.exe 118 PID 1756 wrote to memory of 5004 1756 server.exe 118 PID 1756 wrote to memory of 2540 1756 server.exe 121 PID 1756 wrote to memory of 2540 1756 server.exe 121 PID 1756 wrote to memory of 2540 1756 server.exe 121 PID 2540 wrote to memory of 836 2540 svchost.exe 122 PID 2540 wrote to memory of 836 2540 svchost.exe 122 PID 2540 wrote to memory of 836 2540 svchost.exe 122 PID 836 wrote to memory of 2968 836 server.exe 123 PID 836 wrote to memory of 2968 836 server.exe 123 PID 836 wrote to memory of 2968 836 server.exe 123 PID 836 wrote to memory of 3304 836 server.exe 126 PID 836 wrote to memory of 3304 836 server.exe 126 PID 836 wrote to memory of 3304 836 server.exe 126 PID 836 wrote to memory of 4688 836 server.exe 127 PID 836 wrote to memory of 4688 836 server.exe 127 PID 836 wrote to memory of 4688 836 server.exe 127 PID 836 wrote to memory of 1740 836 server.exe 130 PID 836 wrote to memory of 1740 836 server.exe 130 PID 836 wrote to memory of 1740 836 server.exe 130 PID 1740 wrote to memory of 5088 1740 svchost.exe 131 PID 1740 wrote to memory of 5088 1740 svchost.exe 131 PID 1740 wrote to memory of 5088 1740 svchost.exe 131 PID 5088 wrote to memory of 548 5088 server.exe 132
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d34e2601766e0950cbd90e75e70306b475489e31c8cc2bee00c70b887e4ae15.exe"C:\Users\Admin\AppData\Local\Temp\1d34e2601766e0950cbd90e75e70306b475489e31c8cc2bee00c70b887e4ae15.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:492
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4768
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2780
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3028
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3700
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2764
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"6⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE7⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3300
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"7⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4672
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE7⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5004
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"8⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE9⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2968
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"9⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3304
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE9⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4688
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"10⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE11⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:548
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"11⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4620
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE11⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3452
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3232 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"12⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1256 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE13⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:380
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"13⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3460
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE13⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2984
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4300 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"14⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3060 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE15⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1420
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"15⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:648
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE15⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4584
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3912 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"16⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4572 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE17⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3448
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"17⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3652
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE17⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4512
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1072 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"18⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:3420 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE19⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2664
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
496B
MD5a4467dea22bfd7e0083d680c571f5e7c
SHA159682ca656f04dd57f7ef4552b96f71d73196ea2
SHA256d165b248678c73e289a7d4a8aa74acc5c09408e58b8f2abd668013ca12c00cc4
SHA51273d25a179994c16b2b3a357e8b068ebf415418033cd601d7084b3a44d822cb99c33c396c9a27ad6fa2066748032e21f09ce89461bc3180ec071d2d64e68ad790
-
Filesize
408B
MD5661cab77d3b907e8057f2e689e995af3
SHA15d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c
SHA2568f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2
SHA5122523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67
-
Filesize
41B
MD5964ddaa3491c746b5ef7e7fb6b653384
SHA11bb95b5f8f514d2840cf399812631f2838979452
SHA256157eee8b1b5ad0c0beac03f59dc40c5326eae961d495cde8deb3625537810adb
SHA512a06d3735cc7e5c707b52082a061eeb0fd2298c7bdc9ff476de1d0062ae716a6ed757d3aba6e7f36d76dbe0e69349c6bef7e3f840c0516500ddd0bf0d90497752
-
Filesize
5B
MD5c2844bc9e1bd64168a727b0680ae4d90
SHA17bb263540de557f5a4e09c6c78b7dbb314a0df9a
SHA2569c9701ab918368b615fc6a0dbeb5efa286a232d751982ae70b48ad6914bf01e5
SHA512360953bb20d91539022fcb1becf4638970c4452816797a8dca65e3ae4a542302e6e89f0828087caaa63a0750aa78605f8034da7c8663fa4fc677c8f3e53655ed
-
Filesize
93KB
MD5f7f745caed820795ba80e629ba4bbbca
SHA13af0797e467d67dd5ffc45c8954afd468989d84b
SHA2561d34e2601766e0950cbd90e75e70306b475489e31c8cc2bee00c70b887e4ae15
SHA512b8b2cbe7a7d7ffb7f6a66972dd73c24302455d7dc7a63d11cb4cdf2980ebea0efbea32343a3167b9f727f86a4fee6188fc71f427a21665978bfec8fbcb6907dd