Analysis
-
max time kernel
54s -
max time network
55s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
09-12-2024 14:40
Behavioral task
behavioral1
Sample
Server.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
Server.exe
Resource
win11-20241007-en
General
-
Target
Server.exe
-
Size
93KB
-
MD5
aefe80e4e229c3e197d525a30bbf1c5c
-
SHA1
8f41c9ca904594e20265a160305ab46193f34239
-
SHA256
b96820dd387a8ee24604406c5c308edcac2bd5e165dab66e6ef12b1ef8ef02a3
-
SHA512
dede337bd34817db5f0e45c18907cc8001e6a212ddda8dbe3a2d07010507c8e4b60d26b409e6dc5f4bde7f7ca2b81d714f8c1ce1c4c352ff613dfffdb2980bdd
-
SSDEEP
768:fY3Gli6xgrKSMZAZL28d2WmtlX+jRoI++WqXxrjEtCdnl2pi1Rz4Rk3tsGdpMgS7:Plvxg1L2AZmDO+2jEwzGi1dD9DMgS
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 3388 netsh.exe 3560 netsh.exe 1948 netsh.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Modifies registry class 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix BackgroundTransferHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" BackgroundTransferHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" BackgroundTransferHost.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache BackgroundTransferHost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1072 Server.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeDebugPrivilege 1072 Server.exe Token: 33 1072 Server.exe Token: SeIncBasePriorityPrivilege 1072 Server.exe Token: 33 1072 Server.exe Token: SeIncBasePriorityPrivilege 1072 Server.exe Token: 33 1072 Server.exe Token: SeIncBasePriorityPrivilege 1072 Server.exe Token: 33 1072 Server.exe Token: SeIncBasePriorityPrivilege 1072 Server.exe Token: 33 1072 Server.exe Token: SeIncBasePriorityPrivilege 1072 Server.exe Token: 33 1072 Server.exe Token: SeIncBasePriorityPrivilege 1072 Server.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1072 wrote to memory of 3388 1072 Server.exe 78 PID 1072 wrote to memory of 3388 1072 Server.exe 78 PID 1072 wrote to memory of 3388 1072 Server.exe 78 PID 1072 wrote to memory of 3560 1072 Server.exe 80 PID 1072 wrote to memory of 3560 1072 Server.exe 80 PID 1072 wrote to memory of 3560 1072 Server.exe 80 PID 1072 wrote to memory of 1948 1072 Server.exe 81 PID 1072 wrote to memory of 1948 1072 Server.exe 81 PID 1072 wrote to memory of 1948 1072 Server.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3388
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3560
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1948
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
PID:3676
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f0520a7a-d18a-48f9-8984-d6c652825a1e.down_data
Filesize555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3