Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-12-2024 11:09
Behavioral task
behavioral1
Sample
testingg.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
testingg.exe
Resource
win10v2004-20241007-en
General
-
Target
testingg.exe
-
Size
93KB
-
MD5
87301d7789d34f5f9e2d497b4d9b8f88
-
SHA1
b65a76d11f1d2e44d6f5113cf0212bc36abb17b1
-
SHA256
fdab671fc30cd30956d58c4b148fc1164cf45c9d766bb0e5b34f144b40d68516
-
SHA512
e60f39a599e59e72137edc83b00704abd716fbadc2a46b942aa325491a9af02628b2225123ba27ed09c077933b526917b3004d7e6659708e43308eb1fbfe7856
-
SSDEEP
1536:jey1GkeUqZJO5kNSimjEwzGi1dDYDfgS:jedUqZJOiAOi1dO4
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 2692 netsh.exe 3036 netsh.exe 1532 netsh.exe -
Drops startup file 6 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\031d13bbbb63d50987953ffedfddbc61Windows Update.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\031d13bbbb63d50987953ffedfddbc61Windows Update.exe server.exe -
Executes dropped EXE 1 IoCs
pid Process 2956 server.exe -
Loads dropped DLL 2 IoCs
pid Process 2380 testingg.exe 2380 testingg.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\svchost.exe.exe server.exe File opened for modification C:\Windows\SysWOW64\svchost.exe.exe server.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\svchost.exe.exe server.exe File opened for modification C:\Program Files (x86)\svchost.exe.exe server.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language testingg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe 2956 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2956 server.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe Token: 33 2956 server.exe Token: SeIncBasePriorityPrivilege 2956 server.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2380 wrote to memory of 2956 2380 testingg.exe 30 PID 2380 wrote to memory of 2956 2380 testingg.exe 30 PID 2380 wrote to memory of 2956 2380 testingg.exe 30 PID 2380 wrote to memory of 2956 2380 testingg.exe 30 PID 2956 wrote to memory of 2692 2956 server.exe 31 PID 2956 wrote to memory of 2692 2956 server.exe 31 PID 2956 wrote to memory of 2692 2956 server.exe 31 PID 2956 wrote to memory of 2692 2956 server.exe 31 PID 2956 wrote to memory of 3036 2956 server.exe 33 PID 2956 wrote to memory of 3036 2956 server.exe 33 PID 2956 wrote to memory of 3036 2956 server.exe 33 PID 2956 wrote to memory of 3036 2956 server.exe 33 PID 2956 wrote to memory of 1532 2956 server.exe 34 PID 2956 wrote to memory of 1532 2956 server.exe 34 PID 2956 wrote to memory of 1532 2956 server.exe 34 PID 2956 wrote to memory of 1532 2956 server.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\testingg.exe"C:\Users\Admin\AppData\Local\Temp\testingg.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2692
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3036
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1532
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5B
MD5bbcd2be775370c1e106e66d077a93f3b
SHA1a44b6a98f30e3275fc304bc3b29e0eab8ae47f20
SHA256a7aa76f137ba550c381cfb8e5195a01963ae49db167e1cd1e0a8b902ed81eda1
SHA512bb6e0d1f24253a9525fd538debf8ca68eb7078cb8539140c184331a854ecdea192fbcc314c4154a0a474c9aec41a79efeb8150922454c3c9e71eeb5297ae2f72
-
Filesize
93KB
MD587301d7789d34f5f9e2d497b4d9b8f88
SHA1b65a76d11f1d2e44d6f5113cf0212bc36abb17b1
SHA256fdab671fc30cd30956d58c4b148fc1164cf45c9d766bb0e5b34f144b40d68516
SHA512e60f39a599e59e72137edc83b00704abd716fbadc2a46b942aa325491a9af02628b2225123ba27ed09c077933b526917b3004d7e6659708e43308eb1fbfe7856