58f5e810373d4099f4730d5d63ca9bcb9088caa3db3aaa1843fa39230db7abf3

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

93KB
MD5

f6675a418b2c5a731eb55d098ff4811b
SHA1

2644b64d63915e3fd4bfe24beb310a093d4f441d
SHA256

58f5e810373d4099f4730d5d63ca9bcb9088caa3db3aaa1843fa39230db7abf3
SHA512

d32e4962e6a85e5c9f025561d4a8401bc056e82842e792b3fc2c488692beac92b935d46c6be444ad708898595ab200e88f672bf5ea73ac0380d98c6f4f291bde
SSDEEP

1536:PdwC+xhUa9urgOBPRNvM4jEwzGi1dD7D1gS:PdmUa9urgObdGi1drC

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2180	netsh.exe
2112	netsh.exe
2160	netsh.exe
2788	netsh.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\148a892b37f45e5773518d8932c75e38Windows Update.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\148a892b37f45e5773518d8932c75e38Windows Update.exe	Server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Server.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2980	cmd.exe
2848	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2848	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe
2500	Server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2500	Server.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	Server.exe
Token: 33	2500	Server.exe
Token: SeIncBasePriorityPrivilege	2500	Server.exe
Token: 33	2500	Server.exe
Token: SeIncBasePriorityPrivilege	2500	Server.exe
Token: 33	2500	Server.exe
Token: SeIncBasePriorityPrivilege	2500	Server.exe
Token: 33	2500	Server.exe
Token: SeIncBasePriorityPrivilege	2500	Server.exe
Token: 33	2500	Server.exe
Token: SeIncBasePriorityPrivilege	2500	Server.exe
Token: 33	2500	Server.exe
Token: SeIncBasePriorityPrivilege	2500	Server.exe
Token: 33	2500	Server.exe
Token: SeIncBasePriorityPrivilege	2500	Server.exe
Token: 33	2500	Server.exe
Token: SeIncBasePriorityPrivilege	2500	Server.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2180	2500	Server.exe	30
PID 2500 wrote to memory of 2180	2500	Server.exe	30
PID 2500 wrote to memory of 2180	2500	Server.exe	30
PID 2500 wrote to memory of 2180	2500	Server.exe	30
PID 2500 wrote to memory of 2112	2500	Server.exe	32
PID 2500 wrote to memory of 2112	2500	Server.exe	32
PID 2500 wrote to memory of 2112	2500	Server.exe	32
PID 2500 wrote to memory of 2112	2500	Server.exe	32
PID 2500 wrote to memory of 2160	2500	Server.exe	33
PID 2500 wrote to memory of 2160	2500	Server.exe	33
PID 2500 wrote to memory of 2160	2500	Server.exe	33
PID 2500 wrote to memory of 2160	2500	Server.exe	33
PID 2500 wrote to memory of 2788	2500	Server.exe	38
PID 2500 wrote to memory of 2788	2500	Server.exe	38
PID 2500 wrote to memory of 2788	2500	Server.exe	38
PID 2500 wrote to memory of 2788	2500	Server.exe	38
PID 2500 wrote to memory of 2980	2500	Server.exe	40
PID 2500 wrote to memory of 2980	2500	Server.exe	40
PID 2500 wrote to memory of 2980	2500	Server.exe	40
PID 2500 wrote to memory of 2980	2500	Server.exe	40
PID 2980 wrote to memory of 2848	2980	cmd.exe	42
PID 2980 wrote to memory of 2848	2980	cmd.exe	42
PID 2980 wrote to memory of 2848	2980	cmd.exe	42
PID 2980 wrote to memory of 2848	2980	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2180
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2112
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2160
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\PING.EXE
    ping 0 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe

Filesize
93KB

MD5
f6675a418b2c5a731eb55d098ff4811b

SHA1
2644b64d63915e3fd4bfe24beb310a093d4f441d

SHA256
58f5e810373d4099f4730d5d63ca9bcb9088caa3db3aaa1843fa39230db7abf3

SHA512
d32e4962e6a85e5c9f025561d4a8401bc056e82842e792b3fc2c488692beac92b935d46c6be444ad708898595ab200e88f672bf5ea73ac0380d98c6f4f291bde

Download Submit
memory/2500-0-0x0000000074951000-0x0000000074952000-memory.dmp

Filesize
4KB

Download
memory/2500-1-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2500-2-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2500-16-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2500-15-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2500-18-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download