Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-12-2024 10:38

General

  • Target

    Server.exe

  • Size

    93KB

  • MD5

    d43643e01d59c289b551c240242ea5cd

  • SHA1

    aa17e80aac2ca4e14297b0a7cf29c85b116882c6

  • SHA256

    e160f4bae8005bb78e9719ab69ce72ba4a9a8d0117498c6e0bafde9963eef460

  • SHA512

    4143358f507836da62db5f91fccf50d531b79bc5893d7f09d1929f597924a7e2f6b157ea0cec129c9d7c87853e19596714e918204e5ce074a0aa5dec523cbfdd

  • SSDEEP

    768:sY35xByZnDQMMpAZrGSt6udttXymsahkGJiXxrjEtCdnl2pi1Rz4Rk3YRsGdpUgM:NxUZD3rGWNd7DhkhjEwzGi1dD8DUgS

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Modifies Windows Firewall (2 TTPs, 1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (4 IoCs)
  • Executes dropped EXE (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (37 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Users\Admin\AppData\Roaming\server.exe
      "C:\Users\Admin\AppData\Roaming\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3372
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2636

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

    Filesize

    408B

    MD5

    661cab77d3b907e8057f2e689e995af3

    SHA1

    5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

    SHA256

    8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

    SHA512

    2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

  • C:\Users\Admin\AppData\Roaming\app

    Filesize

    5B

    MD5

    a65a8cc18c0fdcac3b78ed8f032e2f98

    SHA1

    9087f7aaf4edf3b132348b1e5dfa7a678d57d40e

    SHA256

    ca1c5c735384c64968c987e3e608cb48a3cbd73e870f1bc6d60f2b24f9445e3a

    SHA512

    8e56c9aa0c90fb30b488fa72a0b9d40e69c357e32d8e6f9d5a299dfbf9df8c896c28684d7163972019ab53dfcfe35dc75e9b305e07c81b9984a410e04b96186d

  • C:\Users\Admin\AppData\Roaming\server.exe

    Filesize

    93KB

    MD5

    d43643e01d59c289b551c240242ea5cd

    SHA1

    aa17e80aac2ca4e14297b0a7cf29c85b116882c6

    SHA256

    e160f4bae8005bb78e9719ab69ce72ba4a9a8d0117498c6e0bafde9963eef460

    SHA512

    4143358f507836da62db5f91fccf50d531b79bc5893d7f09d1929f597924a7e2f6b157ea0cec129c9d7c87853e19596714e918204e5ce074a0aa5dec523cbfdd

  • memory/3204-0-0x0000000074C52000-0x0000000074C53000-memory.dmp

    Filesize

    4KB

  • memory/3204-1-0x0000000074C50000-0x0000000075201000-memory.dmp

    Filesize

    5.7MB

  • memory/3204-2-0x0000000074C50000-0x0000000075201000-memory.dmp

    Filesize

    5.7MB

  • memory/3204-15-0x0000000074C50000-0x0000000075201000-memory.dmp

    Filesize

    5.7MB

  • memory/3372-14-0x0000000074C50000-0x0000000075201000-memory.dmp

    Filesize

    5.7MB

  • memory/3372-17-0x0000000074C50000-0x0000000075201000-memory.dmp

    Filesize

    5.7MB

  • memory/3372-16-0x0000000074C50000-0x0000000075201000-memory.dmp

    Filesize

    5.7MB

  • memory/3372-23-0x0000000074C50000-0x0000000075201000-memory.dmp

    Filesize

    5.7MB