Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 05:16
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10v2004-20241007-en
General
-
Target
Server.exe
-
Size
93KB
-
MD5
3f3ae3a450723c80b1aaff419e0d1369
-
SHA1
bb3e89cde4dd9d29a688b25a0002163540555b6d
-
SHA256
8d4c9b97cae0f3c35ab9a5ffa7f1ab45f7c304fb0d7c517828fed0c2048f6d4a
-
SHA512
81cfe00bfb7ff567b66747937c37ee846ae8a672dd3be573b013bc431c2d7d9602f7c02f568a3c996cefc2f86ca9597bc64e9f615b3ef7aae45360e3d15f6aab
-
SSDEEP
768:QY33lgSRmnldjcRoMwrx7Y+DIkIITJbXX0pOt8ux82SXxrjEtCdnl2pi1Rz4Rk33:PlTmlbrq+1NTZ0OMjEwzGi1dDzDXgS
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 1136 netsh.exe 2364 netsh.exe 2368 netsh.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc 40 6.tcp.eu.ngrok.io 2 6.tcp.eu.ngrok.io 21 6.tcp.eu.ngrok.io 37 6.tcp.eu.ngrok.io -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3052 Server.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe Token: 33 3052 Server.exe Token: SeIncBasePriorityPrivilege 3052 Server.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3052 wrote to memory of 1136 3052 Server.exe 30 PID 3052 wrote to memory of 1136 3052 Server.exe 30 PID 3052 wrote to memory of 1136 3052 Server.exe 30 PID 3052 wrote to memory of 1136 3052 Server.exe 30 PID 3052 wrote to memory of 2368 3052 Server.exe 32 PID 3052 wrote to memory of 2368 3052 Server.exe 32 PID 3052 wrote to memory of 2368 3052 Server.exe 32 PID 3052 wrote to memory of 2368 3052 Server.exe 32 PID 3052 wrote to memory of 2364 3052 Server.exe 33 PID 3052 wrote to memory of 2364 3052 Server.exe 33 PID 3052 wrote to memory of 2364 3052 Server.exe 33 PID 3052 wrote to memory of 2364 3052 Server.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1136
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2368
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2364
-
Network
-
Remote address:8.8.8.8:53Request6.tcp.eu.ngrok.ioIN AResponse6.tcp.eu.ngrok.ioIN A3.68.171.119
-
Remote address:8.8.8.8:53Request6.tcp.eu.ngrok.ioIN AResponse6.tcp.eu.ngrok.ioIN A18.197.239.109
-
Remote address:8.8.8.8:53Request6.tcp.eu.ngrok.ioIN AResponse6.tcp.eu.ngrok.ioIN A3.68.171.119
-
Remote address:8.8.8.8:53Request6.tcp.eu.ngrok.ioIN AResponse6.tcp.eu.ngrok.ioIN A52.28.247.255
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 80 B 3 2
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
152 B 120 B 3 3
-
52 B 40 B 1 1
-
63 B 79 B 1 1
DNS Request
6.tcp.eu.ngrok.io
DNS Response
3.68.171.119
-
63 B 79 B 1 1
DNS Request
6.tcp.eu.ngrok.io
DNS Response
18.197.239.109
-
63 B 79 B 1 1
DNS Request
6.tcp.eu.ngrok.io
DNS Response
3.68.171.119
-
63 B 79 B 1 1
DNS Request
6.tcp.eu.ngrok.io
DNS Response
52.28.247.255