Analysis
-
max time kernel
150s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-12-2024 11:03
Behavioral task
behavioral1
Sample
testingg.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
testingg.exe
Resource
win10v2004-20241007-en
General
-
Target
testingg.exe
-
Size
93KB
-
MD5
87301d7789d34f5f9e2d497b4d9b8f88
-
SHA1
b65a76d11f1d2e44d6f5113cf0212bc36abb17b1
-
SHA256
fdab671fc30cd30956d58c4b148fc1164cf45c9d766bb0e5b34f144b40d68516
-
SHA512
e60f39a599e59e72137edc83b00704abd716fbadc2a46b942aa325491a9af02628b2225123ba27ed09c077933b526917b3004d7e6659708e43308eb1fbfe7856
-
SSDEEP
1536:jey1GkeUqZJO5kNSimjEwzGi1dDYDfgS:jedUqZJOiAOi1dO4
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 4924 netsh.exe 2372 netsh.exe 4200 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation testingg.exe -
Drops startup file 6 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\031d13bbbb63d50987953ffedfddbc61Windows Update.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\031d13bbbb63d50987953ffedfddbc61Windows Update.exe server.exe -
Executes dropped EXE 1 IoCs
pid Process 2680 server.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\svchost.exe.exe server.exe File opened for modification C:\Windows\SysWOW64\svchost.exe.exe server.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\svchost.exe.exe server.exe File created C:\Program Files (x86)\svchost.exe.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language testingg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe 2680 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2680 server.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe Token: 33 2680 server.exe Token: SeIncBasePriorityPrivilege 2680 server.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3788 wrote to memory of 2680 3788 testingg.exe 82 PID 3788 wrote to memory of 2680 3788 testingg.exe 82 PID 3788 wrote to memory of 2680 3788 testingg.exe 82 PID 2680 wrote to memory of 4924 2680 server.exe 83 PID 2680 wrote to memory of 4924 2680 server.exe 83 PID 2680 wrote to memory of 4924 2680 server.exe 83 PID 2680 wrote to memory of 4200 2680 server.exe 85 PID 2680 wrote to memory of 4200 2680 server.exe 85 PID 2680 wrote to memory of 4200 2680 server.exe 85 PID 2680 wrote to memory of 2372 2680 server.exe 86 PID 2680 wrote to memory of 2372 2680 server.exe 86 PID 2680 wrote to memory of 2372 2680 server.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\testingg.exe"C:\Users\Admin\AppData\Local\Temp\testingg.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4924
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4200
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2372
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5B
MD5bbcd2be775370c1e106e66d077a93f3b
SHA1a44b6a98f30e3275fc304bc3b29e0eab8ae47f20
SHA256a7aa76f137ba550c381cfb8e5195a01963ae49db167e1cd1e0a8b902ed81eda1
SHA512bb6e0d1f24253a9525fd538debf8ca68eb7078cb8539140c184331a854ecdea192fbcc314c4154a0a474c9aec41a79efeb8150922454c3c9e71eeb5297ae2f72
-
Filesize
93KB
MD587301d7789d34f5f9e2d497b4d9b8f88
SHA1b65a76d11f1d2e44d6f5113cf0212bc36abb17b1
SHA256fdab671fc30cd30956d58c4b148fc1164cf45c9d766bb0e5b34f144b40d68516
SHA512e60f39a599e59e72137edc83b00704abd716fbadc2a46b942aa325491a9af02628b2225123ba27ed09c077933b526917b3004d7e6659708e43308eb1fbfe7856