Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 26-12-2024 23:46
Behavioral task: behavioral1
- Sample: Server.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: Server.exe
- Resource: win10v2004-20241007-en
General
- Target: Server.exe
- Size: 93KB
- MD5: bac3c65b9f6c783c9e13fce59d20732c
- SHA1: b6e7fa7440ca9431e6d3d799a5451baeadc4f7b1
- SHA256: 9b6c13d822606bdb533b624456a59ddf015789337e821b14b60241b872cecc99
- SHA512: af1b006ef3dac4df5b0b3ef25db03f768e21b40442e7cd672a2ce10fa221d09a6ec6c9493aa3dd8c3e41002f5aa83d4c2df05040095f2140cd560fb4afe4628a
- SSDEEP: 1536:QI/r7EkrjaFIs7E5OxzJn8LjEwzGi1dDHDhgS:QI7jau5OVVni1dfe
Malware Config
Signatures
- Disables Task Manager via registry modification
- Modifies Windows Firewall (2 TTPs, 3 IoCs)
  pid | Process
  1744 | netsh.exe
  2060 | netsh.exe
  2844 | netsh.exe
- Drops startup file (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef639845e8835c28bb4b03f7f234b37aWindows Update.exe | Server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef639845e8835c28bb4b03f7f234b37aWindows Update.exe | Server.exe
- Drops autorun.inf file (1 TTPs, 4 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File created | F:\autorun.inf | Server.exe
  File opened for modification | F:\autorun.inf | Server.exe
  File created | C:\autorun.inf | Server.exe
  File opened for modification | C:\autorun.inf | Server.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Explower.exe | Server.exe
  File opened for modification | C:\Windows\SysWOW64\Explower.exe | Server.exe
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Explower.exe | Server.exe
  File opened for modification | C:\Program Files (x86)\Explower.exe | Server.exe
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 9 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Server.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2640 | Server.exe (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2640 | Server.exe
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2640 | Server.exe
  Token: 33 | 2640 | Server.exe (18 entries, alternating with the next line)
  Token: SeIncBasePriorityPrivilege | 2640 | Server.exe (18 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2640 wrote to memory of 2844 | 2640 | Server.exe | 31 (4 entries)
  PID 2640 wrote to memory of 2060 | 2640 | Server.exe | 33 (4 entries)
  PID 2640 wrote to memory of 1744 | 2640 | Server.exe | 34 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Server.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  - Drops startup file
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2640
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID: 2844
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID: 2060
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID: 1744
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 93KB
- MD5: bac3c65b9f6c783c9e13fce59d20732c
- SHA1: b6e7fa7440ca9431e6d3d799a5451baeadc4f7b1
- SHA256: 9b6c13d822606bdb533b624456a59ddf015789337e821b14b60241b872cecc99
- SHA512: af1b006ef3dac4df5b0b3ef25db03f768e21b40442e7cd672a2ce10fa221d09a6ec6c9493aa3dd8c3e41002f5aa83d4c2df05040095f2140cd560fb4afe4628a