6cd803552c3fccea87f24655af28a08bef2593590c6d418f8e6157c50a4f3938

General

Target

Server.exe
Size

93KB
MD5

4106c643751ca405526c35082b61e21e
SHA1

a00c03ab8b002b561489b2ef981a23136523949d
SHA256

6cd803552c3fccea87f24655af28a08bef2593590c6d418f8e6157c50a4f3938
SHA512

a780ed987ad64983c21a44a84285f1cd00d5e32449c85bdf1ffc7822424bec3c7bcf4823071268989a5a6f583d01e98a632a999eba0d8b613ffe8fc77419bbdb
SSDEEP

1536:JcwC+xhUa9urgOBPmNvM4jEwzGi1dDUD+gS:JcmUa9urgOkdGi1d6j

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2756	netsh.exe
2784	netsh.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b441dab2dad78af5af045a19f94e9c80Windows Update.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b441dab2dad78af5af045a19f94e9c80Windows Update.exe	Server.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2492	cmd.exe
2648	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2648	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1996	Server.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	Server.exe
Token: 33	1996	Server.exe
Token: SeIncBasePriorityPrivilege	1996	Server.exe
Token: 33	1996	Server.exe
Token: SeIncBasePriorityPrivilege	1996	Server.exe
Token: 33	1996	Server.exe
Token: SeIncBasePriorityPrivilege	1996	Server.exe
Token: 33	1996	Server.exe
Token: SeIncBasePriorityPrivilege	1996	Server.exe
Token: 33	1996	Server.exe
Token: SeIncBasePriorityPrivilege	1996	Server.exe
Token: 33	1996	Server.exe
Token: SeIncBasePriorityPrivilege	1996	Server.exe
Token: 33	1996	Server.exe
Token: SeIncBasePriorityPrivilege	1996	Server.exe
Token: 33	1996	Server.exe
Token: SeIncBasePriorityPrivilege	1996	Server.exe
Token: 33	1996	Server.exe
Token: SeIncBasePriorityPrivilege	1996	Server.exe
Token: 33	1996	Server.exe
Token: SeIncBasePriorityPrivilege	1996	Server.exe
Token: 33	1996	Server.exe
Token: SeIncBasePriorityPrivilege	1996	Server.exe
Token: 33	1996	Server.exe
Token: SeIncBasePriorityPrivilege	1996	Server.exe
Token: 33	1996	Server.exe
Token: SeIncBasePriorityPrivilege	1996	Server.exe
Token: 33	1996	Server.exe
Token: SeIncBasePriorityPrivilege	1996	Server.exe
Token: 33	1996	Server.exe
Token: SeIncBasePriorityPrivilege	1996	Server.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2756	1996	Server.exe	29
PID 1996 wrote to memory of 2756	1996	Server.exe	29
PID 1996 wrote to memory of 2756	1996	Server.exe	29
PID 1996 wrote to memory of 2756	1996	Server.exe	29
PID 1996 wrote to memory of 2784	1996	Server.exe	32
PID 1996 wrote to memory of 2784	1996	Server.exe	32
PID 1996 wrote to memory of 2784	1996	Server.exe	32
PID 1996 wrote to memory of 2784	1996	Server.exe	32
PID 1996 wrote to memory of 2492	1996	Server.exe	33
PID 1996 wrote to memory of 2492	1996	Server.exe	33
PID 1996 wrote to memory of 2492	1996	Server.exe	33
PID 1996 wrote to memory of 2492	1996	Server.exe	33
PID 2492 wrote to memory of 2648	2492	cmd.exe	36
PID 2492 wrote to memory of 2648	2492	cmd.exe	36
PID 2492 wrote to memory of 2648	2492	cmd.exe	36
PID 2492 wrote to memory of 2648	2492	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2756
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\PING.EXE
    ping 0 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Remote System Discovery

1

T1018

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe

Filesize
93KB

MD5
4106c643751ca405526c35082b61e21e

SHA1
a00c03ab8b002b561489b2ef981a23136523949d

SHA256
6cd803552c3fccea87f24655af28a08bef2593590c6d418f8e6157c50a4f3938

SHA512
a780ed987ad64983c21a44a84285f1cd00d5e32449c85bdf1ffc7822424bec3c7bcf4823071268989a5a6f583d01e98a632a999eba0d8b613ffe8fc77419bbdb

Download Submit
memory/1996-0-0x00000000747D1000-0x00000000747D2000-memory.dmp

Filesize
4KB

Download
memory/1996-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-2-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-11-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-12-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-13-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-18-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-20-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads