Analysis
-
max time kernel
120s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 04:19
Behavioral task
behavioral1
Sample
70edbf6d01029edd6329a1a01091a21fb57c19b4171ff8021405ade0ebdbcf2a.exe
Resource
win7-20240903-en
windows7-x64
16 signatures
120 seconds
Behavioral task
behavioral2
Sample
70edbf6d01029edd6329a1a01091a21fb57c19b4171ff8021405ade0ebdbcf2a.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
15 signatures
120 seconds
General
-
Target
70edbf6d01029edd6329a1a01091a21fb57c19b4171ff8021405ade0ebdbcf2a.exe
-
Size
92KB
-
MD5
d2fe48b6139405269f194f1c9da8c94d
-
SHA1
bce75393d5f9a1dd4fd55c579d3e68f8aaea9838
-
SHA256
70edbf6d01029edd6329a1a01091a21fb57c19b4171ff8021405ade0ebdbcf2a
-
SHA512
9f63e8872d49ea09bde18eb1181ec5c849b098b80562de09cfff66b4d99adf5f6a4e187ed654261c0096503f693cfbd423828f1bdb74f7650c88748a1ac5a05c
-
SSDEEP
1536:607nGfBulrp69O6+kp36hjQ58WCmB3cFwzvkc/9:/nGfBulU9O6+kpVztlewzco
Malware Config
Extracted
Family
latentbot
C2
testttt8745.zapto.org
Signatures
-
Latentbot family
-
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 2136 netsh.exe 2520 netsh.exe 3248 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation 70edbf6d01029edd6329a1a01091a21fb57c19b4171ff8021405ade0ebdbcf2a.exe -
Drops startup file 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\773c023ab493abba427474dceaf3b613Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\773c023ab493abba427474dceaf3b613Windows Update.exe server.exe -
Executes dropped EXE 1 IoCs
pid Process 1068 server.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 70edbf6d01029edd6329a1a01091a21fb57c19b4171ff8021405ade0ebdbcf2a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe 1068 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1068 server.exe -
Suspicious use of AdjustPrivilegeToken 29 IoCs
description pid Process Token: SeDebugPrivilege 1068 server.exe Token: 33 1068 server.exe Token: SeIncBasePriorityPrivilege 1068 server.exe Token: 33 1068 server.exe Token: SeIncBasePriorityPrivilege 1068 server.exe Token: 33 1068 server.exe Token: SeIncBasePriorityPrivilege 1068 server.exe Token: 33 1068 server.exe Token: SeIncBasePriorityPrivilege 1068 server.exe Token: 33 1068 server.exe Token: SeIncBasePriorityPrivilege 1068 server.exe Token: 33 1068 server.exe Token: SeIncBasePriorityPrivilege 1068 server.exe Token: 33 1068 server.exe Token: SeIncBasePriorityPrivilege 1068 server.exe Token: 33 1068 server.exe Token: SeIncBasePriorityPrivilege 1068 server.exe Token: 33 1068 server.exe Token: SeIncBasePriorityPrivilege 1068 server.exe Token: 33 1068 server.exe Token: SeIncBasePriorityPrivilege 1068 server.exe Token: 33 1068 server.exe Token: SeIncBasePriorityPrivilege 1068 server.exe Token: 33 1068 server.exe Token: SeIncBasePriorityPrivilege 1068 server.exe Token: 33 1068 server.exe Token: SeIncBasePriorityPrivilege 1068 server.exe Token: 33 1068 server.exe Token: SeIncBasePriorityPrivilege 1068 server.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4364 wrote to memory of 1068 4364 70edbf6d01029edd6329a1a01091a21fb57c19b4171ff8021405ade0ebdbcf2a.exe 83 PID 4364 wrote to memory of 1068 4364 70edbf6d01029edd6329a1a01091a21fb57c19b4171ff8021405ade0ebdbcf2a.exe 83 PID 4364 wrote to memory of 1068 4364 70edbf6d01029edd6329a1a01091a21fb57c19b4171ff8021405ade0ebdbcf2a.exe 83 PID 1068 wrote to memory of 2136 1068 server.exe 84 PID 1068 wrote to memory of 2136 1068 server.exe 84 PID 1068 wrote to memory of 2136 1068 server.exe 84 PID 1068 wrote to memory of 3248 1068 server.exe 87 PID 1068 wrote to memory of 3248 1068 server.exe 87 PID 1068 wrote to memory of 3248 1068 server.exe 87 PID 1068 wrote to memory of 2520 1068 server.exe 88 PID 1068 wrote to memory of 2520 1068 server.exe 88 PID 1068 wrote to memory of 2520 1068 server.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\70edbf6d01029edd6329a1a01091a21fb57c19b4171ff8021405ade0ebdbcf2a.exe"C:\Users\Admin\AppData\Local\Temp\70edbf6d01029edd6329a1a01091a21fb57c19b4171ff8021405ade0ebdbcf2a.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\ProgramData\server.exe"C:\ProgramData\server.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2136
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\ProgramData\server.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3248
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2520
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD5d2fe48b6139405269f194f1c9da8c94d
SHA1bce75393d5f9a1dd4fd55c579d3e68f8aaea9838
SHA25670edbf6d01029edd6329a1a01091a21fb57c19b4171ff8021405ade0ebdbcf2a
SHA5129f63e8872d49ea09bde18eb1181ec5c849b098b80562de09cfff66b4d99adf5f6a4e187ed654261c0096503f693cfbd423828f1bdb74f7650c88748a1ac5a05c
-
Filesize
5B
MD55014379cf5fa31db8a73d68d6353a145
SHA12a1a5138e8c9e7547caae1c9fb223afbf714ed00
SHA256538b830838cbf62e6ce267b48e2eb165030686e5b6317f0b1e9205a3e08c73b8
SHA5125091a16ef7730449601a70b5ef5512a93c98c76beb8cfee1adc9d39780c49b1d712e764720b04e44e18c7b08633c5d453793462c18dc6bef14d82bf69892e18f