585137c99c22cd0b08e725b6f995a85a233ae31b118e30486bfbf2bb98d39a0e

Analysis

max time kernel
108s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 13:39

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

123.exe
Size

93KB
MD5

b4378a070bfed34faa41bcafe7a876b7
SHA1

4129b0e4742f0713d8e264f34272dcd2e560305e
SHA256

585137c99c22cd0b08e725b6f995a85a233ae31b118e30486bfbf2bb98d39a0e
SHA512

e33547a869ba9aea236ed664bf1f69d75e9c260c9392deb413dd6137703358f5f633286e443d5ab8c1fb8286cc3003f17fdad7c0a1939ba93d415d731ff76b1a
SSDEEP

1536:wdwC+xhUa9urgOBPRNvM4jEwzGi1dDlDMgS:wdmUa9urgObdGi1dZl

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3560	netsh.exe
3120	netsh.exe
2728	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	server.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ded3b4c35b07f633f7f88a8380c030dWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ded3b4c35b07f633f7f88a8380c030dWindows Update.exe	server.exe

Executes dropped EXE 1 IoCs

pid	Process
3100	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "64"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe
3100	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3100	server.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	server.exe
Token: 33	3100	server.exe
Token: SeIncBasePriorityPrivilege	3100	server.exe
Token: 33	3100	server.exe
Token: SeIncBasePriorityPrivilege	3100	server.exe
Token: 33	3100	server.exe
Token: SeIncBasePriorityPrivilege	3100	server.exe
Token: 33	3100	server.exe
Token: SeIncBasePriorityPrivilege	3100	server.exe
Token: 33	3100	server.exe
Token: SeIncBasePriorityPrivilege	3100	server.exe
Token: 33	3100	server.exe
Token: SeIncBasePriorityPrivilege	3100	server.exe
Token: 33	3100	server.exe
Token: SeIncBasePriorityPrivilege	3100	server.exe
Token: 33	3100	server.exe
Token: SeIncBasePriorityPrivilege	3100	server.exe
Token: 33	3100	server.exe
Token: SeIncBasePriorityPrivilege	3100	server.exe
Token: 33	3100	server.exe
Token: SeIncBasePriorityPrivilege	3100	server.exe
Token: 33	3100	server.exe
Token: SeIncBasePriorityPrivilege	3100	server.exe
Token: 33	3100	server.exe
Token: SeIncBasePriorityPrivilege	3100	server.exe
Token: SeShutdownPrivilege	4388	shutdown.exe
Token: SeRemoteShutdownPrivilege	4388	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4512	LogonUI.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 3100	3056	123.exe	83
PID 3056 wrote to memory of 3100	3056	123.exe	83
PID 3056 wrote to memory of 3100	3056	123.exe	83
PID 3100 wrote to memory of 3560	3100	server.exe	84
PID 3100 wrote to memory of 3560	3100	server.exe	84
PID 3100 wrote to memory of 3560	3100	server.exe	84
PID 3100 wrote to memory of 2728	3100	server.exe	87
PID 3100 wrote to memory of 2728	3100	server.exe	87
PID 3100 wrote to memory of 2728	3100	server.exe	87
PID 3100 wrote to memory of 3120	3100	server.exe	88
PID 3100 wrote to memory of 3120	3100	server.exe	88
PID 3100 wrote to memory of 3120	3100	server.exe	88
PID 3100 wrote to memory of 2336	3100	server.exe	104
PID 3100 wrote to memory of 2336	3100	server.exe	104
PID 3100 wrote to memory of 2336	3100	server.exe	104
PID 3100 wrote to memory of 2084	3100	server.exe	106
PID 3100 wrote to memory of 2084	3100	server.exe	106
PID 3100 wrote to memory of 2084	3100	server.exe	106
PID 3100 wrote to memory of 3364	3100	server.exe	108
PID 3100 wrote to memory of 3364	3100	server.exe	108
PID 3100 wrote to memory of 3364	3100	server.exe	108
PID 2336 wrote to memory of 4388	2336	cmd.exe	110
PID 2336 wrote to memory of 4388	2336	cmd.exe	110
PID 2336 wrote to memory of 4388	2336	cmd.exe	110
PID 3100 wrote to memory of 1940	3100	server.exe	111
PID 3100 wrote to memory of 1940	3100	server.exe	111
PID 3100 wrote to memory of 1940	3100	server.exe	111
PID 3100 wrote to memory of 2076	3100	server.exe	114
PID 3100 wrote to memory of 2076	3100	server.exe	114
PID 3100 wrote to memory of 2076	3100	server.exe	114
PID 3364 wrote to memory of 3492	3364	cmd.exe	116
PID 3364 wrote to memory of 3492	3364	cmd.exe	116
PID 3364 wrote to memory of 3492	3364	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\123.exe
"C:\Users\Admin\AppData\Local\Temp\123.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3560
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2728
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7FA6.tmp.BAT" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -s -t 1
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8033.tmp.BAT" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8073.tmp.BAT" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 USER32.DLL,SwapMouseButton
      4⤵
      System Location Discovery: System Language Discovery
      PID:3492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8101.tmp.BAT" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp815F.tmp.BAT" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2076

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38c5855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
93KB

MD5
b4378a070bfed34faa41bcafe7a876b7

SHA1
4129b0e4742f0713d8e264f34272dcd2e560305e

SHA256
585137c99c22cd0b08e725b6f995a85a233ae31b118e30486bfbf2bb98d39a0e

SHA512
e33547a869ba9aea236ed664bf1f69d75e9c260c9392deb413dd6137703358f5f633286e443d5ab8c1fb8286cc3003f17fdad7c0a1939ba93d415d731ff76b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FA6.tmp.BAT

Filesize
37B

MD5
1cbc3a2f81d4259e3bf61249711fec81

SHA1
7ba62560df466c6dcd794854a25aeb5b088968d8

SHA256
6a207f770478d59da0d2aa43a9719ef05b3f85c8c700400746ca3ab0463d08f0

SHA512
74ba85a391d769686c95001af6e29f9fe2ccaa4d119247fac31e65c8becda7be1ea9fa3eb9f2a06c1d48ac4b580ad8e63c14e06d94e8dd07b26129df7f1f4bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8033.tmp.BAT

Filesize
183B

MD5
ab45b6913751e20d60d6c9a44a229a66

SHA1
fbf98231ced1c5667bb8b83114ca2f83b044698f

SHA256
71385e3fb017bb452466ab1ad8764950c14a7af856d0ee8c147cf8f7f073b2ec

SHA512
b462bd82a58ff51d3351ae5168028439fe3dbfbaeb2465c8b300419fb5d9115eb2091aa6fe4e11cf30ba9ee37e3ef175211e5053d6fc7a3398deace787180f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8073.tmp.BAT

Filesize
67B

MD5
1cc401169ef8cf1e8977f4e92dfe72c7

SHA1
d04c32295d4e563978fa0abb1b32ba52699cb08d

SHA256
32c699ebb7394ddb2d56f092ef10fde4d9f4bcf808dbe11bad777e7bc73f7aae

SHA512
076eb06d9fbf8bf1d6a4c5043d803ee7b5cf0307253de6358f8ea70e0bf240f5ae2208fbe9a44778e782e29c54751936f393ade6e292064d2134ed223506866b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8101.tmp.BAT

Filesize
83B

MD5
cc795c9c4a83aa1ede067f96f1eb8d15

SHA1
32b8e1c43787353f7d87514e279288aff5f7d4f6

SHA256
37d23694738615464be8a3234bcc59592987432c8863db67e30385b8bb3ef450

SHA512
ec0b8f6600b2b0443ea6f271fcf16804e380b6f51f3f74997dc5c53ed28ece8ece58a12686b451532ed31941a67fa075305314fba7fa8555a7fb8cf6424c6fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp815F.tmp.BAT

Filesize
76B

MD5
18dc60bfb068d99a80fd22499ec5f252

SHA1
4939c87a7ff6456971aa4baf517646d3df2a7710

SHA256
3be1adc56cfae9722bfa25df2ed2b112349b7aa4d8088cbf694e560dd9e53817

SHA512
890ba3a69f516df93154b7534f2530a5004f9d6ccc01e4f59a434e4c2c49912cc2630d34afcb24a60208173a089b8934ace4acad4cc587d21988a150d9ad32e3

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
d43c5b07c128b116b7bc8faf7b8efa9d

SHA1
dd3540ad4ae14b21b665d108cf4570c2dfa6a6fa

SHA256
80ad1cc7b3a784dad618a445af0c8cf3efa903f82a814756f2aaa7b57f45791f

SHA512
618b01e2b808e1954d011635dfdf63bc75855145208fc5cae33ce09c7e5b43cf978f6511beb311765e6920e728a290c9f9ced7563e40e8ff8d093d50fdc18334

Download Submit
memory/3056-1-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/3056-13-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/3056-2-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/3056-0-0x0000000075302000-0x0000000075303000-memory.dmp

Filesize
4KB

Download
memory/3100-15-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/3100-29-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/3100-14-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/3100-50-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads