Analysis
-
max time kernel
145s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16-12-2024 11:33
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10v2004-20241007-en
General
-
Target
Server.exe
-
Size
93KB
-
MD5
4106c643751ca405526c35082b61e21e
-
SHA1
a00c03ab8b002b561489b2ef981a23136523949d
-
SHA256
6cd803552c3fccea87f24655af28a08bef2593590c6d418f8e6157c50a4f3938
-
SHA512
a780ed987ad64983c21a44a84285f1cd00d5e32449c85bdf1ffc7822424bec3c7bcf4823071268989a5a6f583d01e98a632a999eba0d8b613ffe8fc77419bbdb
-
SSDEEP
1536:JcwC+xhUa9urgOBPmNvM4jEwzGi1dDUD+gS:JcmUa9urgOkdGi1d6j
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2884 netsh.exe -
Drops startup file 6 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b441dab2dad78af5af045a19f94e9c80Windows Update.exe Server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b441dab2dad78af5af045a19f94e9c80Windows Update.exe Server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Server.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3832 Server.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe Token: 33 3832 Server.exe Token: SeIncBasePriorityPrivilege 3832 Server.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3832 wrote to memory of 2884 3832 Server.exe 83 PID 3832 wrote to memory of 2884 3832 Server.exe 83 PID 3832 wrote to memory of 2884 3832 Server.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2884
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
93KB
MD54106c643751ca405526c35082b61e21e
SHA1a00c03ab8b002b561489b2ef981a23136523949d
SHA2566cd803552c3fccea87f24655af28a08bef2593590c6d418f8e6157c50a4f3938
SHA512a780ed987ad64983c21a44a84285f1cd00d5e32449c85bdf1ffc7822424bec3c7bcf4823071268989a5a6f583d01e98a632a999eba0d8b613ffe8fc77419bbdb