Analysis
-
max time kernel
148s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-12-2024 10:38
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10v2004-20241007-en
General
-
Target
Server.exe
-
Size
93KB
-
MD5
d43643e01d59c289b551c240242ea5cd
-
SHA1
aa17e80aac2ca4e14297b0a7cf29c85b116882c6
-
SHA256
e160f4bae8005bb78e9719ab69ce72ba4a9a8d0117498c6e0bafde9963eef460
-
SHA512
4143358f507836da62db5f91fccf50d531b79bc5893d7f09d1929f597924a7e2f6b157ea0cec129c9d7c87853e19596714e918204e5ce074a0aa5dec523cbfdd
-
SSDEEP
768:sY35xByZnDQMMpAZrGSt6udttXymsahkGJiXxrjEtCdnl2pi1Rz4Rk3YRsGdpUgM:NxUZD3rGWNd7DhkhjEwzGi1dD8DUgS
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2636 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Server.exe -
Drops startup file 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ac168fa7329a1bbe164c59a113cb4d71Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ac168fa7329a1bbe164c59a113cb4d71Windows Update.exe server.exe -
Executes dropped EXE 1 IoCs
pid Process 3372 server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3372 server.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe Token: 33 3372 server.exe Token: SeIncBasePriorityPrivilege 3372 server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3204 wrote to memory of 3372 3204 Server.exe 83 PID 3204 wrote to memory of 3372 3204 Server.exe 83 PID 3204 wrote to memory of 3372 3204 Server.exe 83 PID 3372 wrote to memory of 2636 3372 server.exe 84 PID 3372 wrote to memory of 2636 3372 server.exe 84 PID 3372 wrote to memory of 2636 3372 server.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2636
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408B
MD5661cab77d3b907e8057f2e689e995af3
SHA15d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c
SHA2568f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2
SHA5122523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67
-
Filesize
5B
MD5a65a8cc18c0fdcac3b78ed8f032e2f98
SHA19087f7aaf4edf3b132348b1e5dfa7a678d57d40e
SHA256ca1c5c735384c64968c987e3e608cb48a3cbd73e870f1bc6d60f2b24f9445e3a
SHA5128e56c9aa0c90fb30b488fa72a0b9d40e69c357e32d8e6f9d5a299dfbf9df8c896c28684d7163972019ab53dfcfe35dc75e9b305e07c81b9984a410e04b96186d
-
Filesize
93KB
MD5d43643e01d59c289b551c240242ea5cd
SHA1aa17e80aac2ca4e14297b0a7cf29c85b116882c6
SHA256e160f4bae8005bb78e9719ab69ce72ba4a9a8d0117498c6e0bafde9963eef460
SHA5124143358f507836da62db5f91fccf50d531b79bc5893d7f09d1929f597924a7e2f6b157ea0cec129c9d7c87853e19596714e918204e5ce074a0aa5dec523cbfdd