Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-12-2024 23:46
Behavioral task: behavioral1
- Sample: Server.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: Server.exe
- Resource: win10v2004-20241007-en
General
- Target: Server.exe
- Size: 93KB
- MD5: bac3c65b9f6c783c9e13fce59d20732c
- SHA1: b6e7fa7440ca9431e6d3d799a5451baeadc4f7b1
- SHA256: 9b6c13d822606bdb533b624456a59ddf015789337e821b14b60241b872cecc99
- SHA512: af1b006ef3dac4df5b0b3ef25db03f768e21b40442e7cd672a2ce10fa221d09a6ec6c9493aa3dd8c3e41002f5aa83d4c2df05040095f2140cd560fb4afe4628a
- SSDEEP: 1536:QI/r7EkrjaFIs7E5OxzJn8LjEwzGi1dDHDhgS:QI7jau5OVVni1dfe
Malware Config
Signatures
- Disables Task Manager via registry modification
- Modifies Windows Firewall (2 TTPs, 3 IoCs)
  pid | Process
  2732 | netsh.exe
  64 | netsh.exe
  4164 | netsh.exe
- Drops startup file (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef639845e8835c28bb4b03f7f234b37aWindows Update.exe | Server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef639845e8835c28bb4b03f7f234b37aWindows Update.exe | Server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Server.exe
- Drops autorun.inf file (1 TTPs, 4 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File created | C:\autorun.inf | Server.exe
  File opened for modification | C:\autorun.inf | Server.exe
  File created | F:\autorun.inf | Server.exe
  File opened for modification | F:\autorun.inf | Server.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Explower.exe | Server.exe
  File opened for modification | C:\Windows\SysWOW64\Explower.exe | Server.exe
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Explower.exe | Server.exe
  File opened for modification | C:\Program Files (x86)\Explower.exe | Server.exe
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 9 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Server.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2792 | Server.exe
  (the same row is reported 64 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2792 | Server.exe
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2792 | Server.exe
  Token: 33 | 2792 | Server.exe
  Token: SeIncBasePriorityPrivilege | 2792 | Server.exe
  (the Token: 33 and Token: SeIncBasePriorityPrivilege rows alternate for the remaining 36 of the 37 rows)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2792 wrote to memory of 2732 | 2792 | Server.exe | 83
  PID 2792 wrote to memory of 2732 | 2792 | Server.exe | 83
  PID 2792 wrote to memory of 2732 | 2792 | Server.exe | 83
  PID 2792 wrote to memory of 4164 | 2792 | Server.exe | 85
  PID 2792 wrote to memory of 4164 | 2792 | Server.exe | 85
  PID 2792 wrote to memory of 4164 | 2792 | Server.exe | 85
  PID 2792 wrote to memory of 64 | 2792 | Server.exe | 86
  PID 2792 wrote to memory of 64 | 2792 | Server.exe | 86
  PID 2792 wrote to memory of 64 | 2792 | Server.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  - Drops startup file
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2792
  Child processes:
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID: 2732
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID: 4164
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID: 64
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 93KB
  MD5: bac3c65b9f6c783c9e13fce59d20732c
  SHA1: b6e7fa7440ca9431e6d3d799a5451baeadc4f7b1
  SHA256: 9b6c13d822606bdb533b624456a59ddf015789337e821b14b60241b872cecc99
  SHA512: af1b006ef3dac4df5b0b3ef25db03f768e21b40442e7cd672a2ce10fa221d09a6ec6c9493aa3dd8c3e41002f5aa83d4c2df05040095f2140cd560fb4afe4628a