Overview

overview

10

Static

static

10

Server.exe

windows10-ltsc 2021-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    18/01/2025, 18:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Server.exe

  • Size

    37KB

  • MD5

    a404f1c74d62aa8505286bac745f65e8

  • SHA1

    583ec4674c5025734afc2e9f1981222797ea94d2

  • SHA256

    6fc5cf3fc04fa48f0052d3725ce6cc0b75a7d61e26bef113ee92b07c1dabc333

  • SHA512

    b6614f28ad19f3ebc68cba5da50cf7b30d5676798fca15ee8a112741adcf5c950ef5aa0f4ee17d2783d9f044cfdccc41988b1a6ece3f20073644b953929f835f

  • SSDEEP

    384:d36Nb7LsikZ9zNf/1uyU71evdjsOaP4rAF+rMRTyN/0L+EcoinblneHQM3epzXhb:ENf4l1lU71e9FagrM+rMRa8Nu+6t

Score
8/10
discoveryevasionpersistenceprivilege_escalation

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2060
  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:1648
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 3100
      2⤵
      • Program crash
      PID:4072
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:1184
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2908 -ip 2908
    1⤵
      PID:2800

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
      Filesize

      64KB

      MD5

      987a07b978cfe12e4ce45e513ef86619

      SHA1

      22eec9a9b2e83ad33bedc59e3205f86590b7d40c

      SHA256

      f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

      SHA512

      39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
      Filesize

      1024KB

      MD5

      fbda2b1e91de816f77a25e4512d0d601

      SHA1

      e14dc39cab38191b79f452d03fd61111779e288a

      SHA256

      3279c9c7d91b426b0f884c0feb88ce9d0f80912b704bb872c498391e746d3421

      SHA512

      c2c4d196171a76009aea0f0de095e92b7f0073f527e2727005c80d824a16dd17bfa6c4a691546bc9ef383409a81fbffcba4e1196c60445bb40499d19a2653d9e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
      Filesize

      68KB

      MD5

      f2a09dc6ac1ca7b8d6f0c31301c30345

      SHA1

      a6de88af27adfb53ba1c7b7eb9f9348f5be45fde

      SHA256

      6226f680c65cfedf3c17248a0d46540320e56f4489a79fbbea6a928466e2f87f

      SHA512

      0a4b0257bc289b89291dbc35240cc0bb5463ebde4f53877cd4feed766a56e5be4f6af89523337c8159e750664dfe0379c77d236a79a9b1c1569e817d62570551

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
      Filesize

      498B

      MD5

      90be2701c8112bebc6bd58a7de19846e

      SHA1

      a95be407036982392e2e684fb9ff6602ecad6f1e

      SHA256

      644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

      SHA512

      d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
      Filesize

      9KB

      MD5

      7050d5ae8acfbe560fa11073fef8185d

      SHA1

      5bc38e77ff06785fe0aec5a345c4ccd15752560e

      SHA256

      cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

      SHA512

      a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
      Filesize

      1KB

      MD5

      1e7b87421b2ec4a6ee37e6ce2605c8c8

      SHA1

      29f51bc2c6df87ca6408ad430c724b309ad178d8

      SHA256

      e971385e9971a40ce28bc65152056018594cb0a30e0032c9223c949a6380579e

      SHA512

      0e2ae0b55f2a6a259aae5c7cda252527a9a6277ee31d730350a85f5d9cb08e16d4e42368cd866c2e5607a510d48540c7c15e4f659579b093ed67263a7d01cbdd

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
      Filesize

      1KB

      MD5

      55ce07b08d6a97c683564fc921662147

      SHA1

      bd43e7059a9537487e0f1a8d638441fcd3da6827

      SHA256

      b3b7f10a470fe31c11ba4c6f58f969062019f92e543fa291c750df2780b58672

      SHA512

      3d6e9a617f17cb013a23f91711a8be83f984ec75134c5a112819e698b76138b2a77d5fa552494acfa86a4605f574199c659c9410fc150836991c97d9f47e8e06

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
      Filesize

      3KB

      MD5

      c10b3f64bce0e158bf0beec3bb2113f1

      SHA1

      af606b6c1e142bd3f64324e00e959e68d695d839

      SHA256

      9facbe46df4f5febc81554779fb11c401e0662eb4d33657df1f30bf587fdcbc7

      SHA512

      06d8beb45307b07056d99d57d78e78d9b950f5f7844b4e71286a0dd760c67b228f7ed6c9f48a09a00d8ca698654ebba033260cf661420547ea6049110d3bdb64

      Download Submit

    • memory/1680-5-0x0000000074DB0000-0x0000000075361000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1680-4-0x0000000074DB0000-0x0000000075361000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1680-3-0x0000000074DB2000-0x0000000074DB3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1680-0-0x0000000074DB2000-0x0000000074DB3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1680-2-0x0000000074DB0000-0x0000000075361000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1680-1-0x0000000074DB0000-0x0000000075361000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2908-45-0x00000000088D0000-0x00000000088E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-53-0x00000000088D0000-0x00000000088E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-42-0x00000000055C0000-0x00000000055D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-41-0x00000000055C0000-0x00000000055D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-44-0x00000000088D0000-0x00000000088E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-46-0x00000000088D0000-0x00000000088E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-40-0x00000000055C0000-0x00000000055D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-49-0x00000000088D0000-0x00000000088E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-48-0x00000000088D0000-0x00000000088E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-47-0x00000000088D0000-0x00000000088E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-50-0x00000000088D0000-0x00000000088E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-55-0x00000000088D0000-0x00000000088E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-54-0x00000000088D0000-0x00000000088E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-43-0x00000000055C0000-0x00000000055D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-52-0x00000000088D0000-0x00000000088E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-51-0x00000000088D0000-0x00000000088E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-56-0x00000000088D0000-0x00000000088E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-57-0x00000000088D0000-0x00000000088E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-59-0x00000000055C0000-0x00000000055D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-58-0x00000000088D0000-0x00000000088E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-60-0x00000000055C0000-0x00000000055D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-62-0x00000000088D0000-0x00000000088E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-61-0x00000000055C0000-0x00000000055D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-39-0x00000000055C0000-0x00000000055D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-37-0x0000000008000000-0x0000000008010000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-36-0x0000000008000000-0x0000000008010000-memory.dmp

      Filesize

      64KB

      Download