Analysis

  • max time kernel
    15s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-12-2024 16:59

General

  • Target

    Server.exe

  • Size

    93KB

  • MD5

    bb3fb4c6cf26e4c493e408d0edb5e829

  • SHA1

    88da923e8d993a87b8d8970b54f774b47e2b1dc1

  • SHA256

    c52b9ffe033d174b2f93b44280c637e8fed9ec36cbf0a391c72a4e421830c6eb

  • SHA512

    4d911914d49355b0ebe006b686dd6075b3ba1aa3aeb6425846cd5203d94683f33cbe44cadf909cd68577e404d628e0bfca6fa33b31dc2f668b5673d6446128c7

  • SSDEEP

    1536:MO9r7EkrjaFIs7E5OxFJn8LjEwzGi1dD/DKgS:MOhjau5OfVni1dXP

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 3 IoCs
  • Drops startup file 6 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • Drops startup file
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2248
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2276
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:628
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6fd9758,0x7fef6fd9768,0x7fef6fd9778
      2⤵
      PID:2808
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1332,i,4765439814459808409,325740130109601930,131072 /prefetch:2
      2⤵
      PID:2256
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1332,i,4765439814459808409,325740130109601930,131072 /prefetch:8
      2⤵
      PID:2540
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1332,i,4765439814459808409,325740130109601930,131072 /prefetch:8
      2⤵
      PID:2852
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1332,i,4765439814459808409,325740130109601930,131072 /prefetch:1
      2⤵
      PID:2216
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2332 --field-trial-handle=1332,i,4765439814459808409,325740130109601930,131072 /prefetch:1
      2⤵
      PID:1720
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1388 --field-trial-handle=1332,i,4765439814459808409,325740130109601930,131072 /prefetch:2
      2⤵
      PID:1380
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2732 --field-trial-handle=1332,i,4765439814459808409,325740130109601930,131072 /prefetch:1
      2⤵
      PID:952
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 --field-trial-handle=1332,i,4765439814459808409,325740130109601930,131072 /prefetch:8
      2⤵
      PID:236
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 --field-trial-handle=1332,i,4765439814459808409,325740130109601930,131072 /prefetch:8
      2⤵
      PID:1736
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4020 --field-trial-handle=1332,i,4765439814459808409,325740130109601930,131072 /prefetch:8
      2⤵
      PID:2184
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:2468

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize
    933B
    MD5
    a6cd8b685ccd829448ff6cf9dc42ff36
    SHA1
    2e9709c306155c31d118581a08efae0b7ec4be76
    SHA256
    ce5d1a5496b0639d1df690f84c75b1db9ece44e17ccf111c28f1df8a5b0b87dc
    SHA512
    eab5e80940af23f4a73bafd61679fd9072260cdfb43e67ceec48aeeff51d4ab980d90344021f79276c2f9378d04ead7645dce22d9e36e7a0f40f16271a53dfe9

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize
    1KB
    MD5
    40f8fe9c931a683ea5e6a9e550cfb4cd
    SHA1
    f1d1215f808e90b888feaa030903ea3c109f4a39
    SHA256
    66ea4bd36feb3218977140ede87b6dead470e813dd01370e63ae40a3b33fa088
    SHA512
    c204fd5eb9006031a3e79ce1c9c1e8d25423e2d803f9fc23e6c1191b9a6fd46cb39c24dd7e26874799d95f67189cb06ea030dfd68f9498e9e2452ae6d64de1cc

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize
    5KB
    MD5
    d6f481fcab7311ce1a24e20cafe112ba
    SHA1
    114c5cb2d2a664d2fe484052ed9665c5693ed15c
    SHA256
    9a09afeabbb489a335032f6b2d5b2ab9539e5897984f007072d5091c2a51bac2
    SHA512
    165703dc13d1d3e86c8bf42e19575bcbdb30c95322fd9ba62870d561a58e8789eaf6b361b4c9e158c75e140d9f3a67c9a5ef4b9038b759c4f8a6d03656821010

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFf7759c4.TMP
    Filesize
    5KB
    MD5
    8cf8addf973b3b0f79a656206855645c
    SHA1
    f6e27e5080361b4184cfd866bb53ece7ec846340
    SHA256
    b5fd849deed969d1575b48cedf599485361dafd6ce73d134db88caaa56f0e1b0
    SHA512
    81e9416f3621d66aa800161f6a2d2929c0b991aa335d1cd77ca14cdf80d144081858a23d347605d4c0b46e5b1388fd0d6bd47fa68646f02b33a92d2e22c425ac

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
    Filesize
    16B
    MD5
    18e723571b00fb1694a3bad6c78e4054
    SHA1
    afcc0ef32d46fe59e0483f9a3c891d3034d12f32
    SHA256
    8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
    SHA512
    43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize
    375KB
    MD5
    2f3ef54d7ea55f9d38fd6927e4f9ef17
    SHA1
    ac43cb0288a6442b0ebaaa5813afff5a4e0bc96a
    SHA256
    16d909a7845b637d6d75041fa3d28be5d0d3e0d5b98c572659499d7f5cef66ef
    SHA512
    22851fd094c50c26f02144480f16553df48fa4820a6d8ffc01465377f5ad145db5edc0522cdeee67eb2c22f9ba9e4221a750b854ea5e5f044609985eb286c54c

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize
    177KB
    MD5
    7f9c96fb165aec3a2424f2dee16c0ab7
    SHA1
    f5231c6cfae4bbcf41daad2e58345a4fe6468e72
    SHA256
    7d145c38404b498fde35a0fd751060b850e34493cbd2774f730847a0ed6012f4
    SHA512
    e05f8bde7c14bc322cc6775a610f7c7fbd336fad3d756374fb6ebee7baa437163ba9d8c2304594f02f06ca649f0e7b1213188b70407cd3a306afa9e5fa711b67

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize
    357KB
    MD5
    7664b224e48f4938867084e9505f9d6b
    SHA1
    7d1f258ce0a5ad3e967c48c4a129f522ae30332b
    SHA256
    7cbaf96fed429ed5052154a55b3434a3e8e35b0d4e6bf741bf6293df4caddebe
    SHA512
    0e6310f3f7f063e925e87f3345b63e8160bb4e59f9701b0d43c223f9db73f5ea38aca50f8587dd09190a3db6c25003a86124645e1afe994d32eb3e1f1212b6ad

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize
    374KB
    MD5
    9b55751fe6bd4599b20ddc04f851c14b
    SHA1
    a68d3cd595e444bd2669dde681cbad3a68ee6912
    SHA256
    d3a11ae167570c2b0c313b080c24965094b914378dfeb17de09bfbecd1913d1c
    SHA512
    32037523170eaed02138664a05b4e7ee2f7b5ae3cd4a27938b9ba8ca4b7e5bdd79e070d6dd94a7ed22ca7cc6b847b6548026f7ca91e87f62c5f7c7bb68a555e5

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
    Filesize
    264KB
    MD5
    f50f89a0a91564d0b8a211f8921aa7de
    SHA1
    112403a17dd69d5b9018b8cede023cb3b54eab7d
    SHA256
    b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
    SHA512
    bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
    Filesize
    93KB
    MD5
    bb3fb4c6cf26e4c493e408d0edb5e829
    SHA1
    88da923e8d993a87b8d8970b54f774b47e2b1dc1
    SHA256
    c52b9ffe033d174b2f93b44280c637e8fed9ec36cbf0a391c72a4e421830c6eb
    SHA512
    4d911914d49355b0ebe006b686dd6075b3ba1aa3aeb6425846cd5203d94683f33cbe44cadf909cd68577e404d628e0bfca6fa33b31dc2f668b5673d6446128c7

  • memory/1684-71-0x0000000074A60000-0x000000007500B000-memory.dmp
    Filesize
    5.7MB

  • memory/1684-0-0x0000000074A61000-0x0000000074A62000-memory.dmp
    Filesize
    4KB

  • memory/1684-2-0x0000000074A60000-0x000000007500B000-memory.dmp
    Filesize
    5.7MB

  • memory/1684-1-0x0000000074A60000-0x000000007500B000-memory.dmp
    Filesize
    5.7MB