Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-12-2024 16:19
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10v2004-20241007-en
General
-
Target
Server.exe
-
Size
93KB
-
MD5
77e8ae03f54ed1ce413314dbb8e00435
-
SHA1
398ce9204237c30280dce2f3d6cfed34946383c0
-
SHA256
430d6a10f2a37a3a8957e5fabfda4f3c7fa9af76bc4b2c020638f023e06f0267
-
SHA512
6a679cd51e75ed9374cd17da763f180fd370e7d86fa88475a75eb1b07bd4f0e4f72b4fdf006345af3c0086a1978a358ade19a3ca422d892e41c3d0a47032b159
-
SSDEEP
768:gY3wI7yZnDQMMpAZrGSt6udttXy4sahkGJiXxrjEtCdnl2pi1Rz4Rk3wsGdpTgS7:II+ZD3rGWNd7dhkhjEwzGi1dDoDTgS
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 3972 netsh.exe 1448 netsh.exe 1344 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation Server.exe -
Drops startup file 4 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdce5dfdbb5ec4d4d26d1b02578ff07bWindows Update.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdce5dfdbb5ec4d4d26d1b02578ff07bWindows Update.exe server.exe -
Executes dropped EXE 1 IoCs
pid Process 4484 server.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe 4484 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4484 server.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe Token: 33 4484 server.exe Token: SeIncBasePriorityPrivilege 4484 server.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2804 wrote to memory of 4484 2804 Server.exe 82 PID 2804 wrote to memory of 4484 2804 Server.exe 82 PID 2804 wrote to memory of 4484 2804 Server.exe 82 PID 4484 wrote to memory of 3972 4484 server.exe 83 PID 4484 wrote to memory of 3972 4484 server.exe 83 PID 4484 wrote to memory of 3972 4484 server.exe 83 PID 4484 wrote to memory of 1344 4484 server.exe 85 PID 4484 wrote to memory of 1344 4484 server.exe 85 PID 4484 wrote to memory of 1344 4484 server.exe 85 PID 4484 wrote to memory of 1448 4484 server.exe 86 PID 4484 wrote to memory of 1448 4484 server.exe 86 PID 4484 wrote to memory of 1448 4484 server.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3972
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1344
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1448
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408B
MD5661cab77d3b907e8057f2e689e995af3
SHA15d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c
SHA2568f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2
SHA5122523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67
-
Filesize
5B
MD5bbcd2be775370c1e106e66d077a93f3b
SHA1a44b6a98f30e3275fc304bc3b29e0eab8ae47f20
SHA256a7aa76f137ba550c381cfb8e5195a01963ae49db167e1cd1e0a8b902ed81eda1
SHA512bb6e0d1f24253a9525fd538debf8ca68eb7078cb8539140c184331a854ecdea192fbcc314c4154a0a474c9aec41a79efeb8150922454c3c9e71eeb5297ae2f72
-
Filesize
93KB
MD577e8ae03f54ed1ce413314dbb8e00435
SHA1398ce9204237c30280dce2f3d6cfed34946383c0
SHA256430d6a10f2a37a3a8957e5fabfda4f3c7fa9af76bc4b2c020638f023e06f0267
SHA5126a679cd51e75ed9374cd17da763f180fd370e7d86fa88475a75eb1b07bd4f0e4f72b4fdf006345af3c0086a1978a358ade19a3ca422d892e41c3d0a47032b159