Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19/01/2025, 01:43
Behavioral task
behavioral1
Sample
6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd.exe
Resource
win10v2004-20241007-en
General
-
Target
6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd.exe
-
Size
93KB
-
MD5
83f90cb80993c51fe93a9f341922a3c8
-
SHA1
0fb07736f3a7be6f69e17525e32337bd88ff4fd6
-
SHA256
6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd
-
SHA512
7600ce9c8e603b2329c2fd98d36143ccb52ff6e11a2679c8cc47b1ce78938c752003c4d482c6fbfe5ad22f5e4594b72f5ed46443e9c2b0b7483116757a529c4f
-
SSDEEP
768:4Y3TVfhWXxyFcxovUKUJuROprXtWN8eYhYbmXxrjEtCdnl2pi1Rz4Rk3rTYsGdpv:TV5WhIUKcuOJhPhBjEwzGi1dD3gDPgS
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 2376 netsh.exe 2180 netsh.exe 5072 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation 6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd.exe -
Executes dropped EXE 1 IoCs
pid Process 4244 server.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 51 0.tcp.ngrok.io 68 0.tcp.ngrok.io 71 0.tcp.ngrok.io 15 0.tcp.ngrok.io 18 0.tcp.ngrok.io -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf server.exe File opened for modification C:\autorun.inf server.exe File created F:\autorun.inf server.exe File opened for modification F:\autorun.inf server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe 4244 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4244 server.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe Token: 33 4244 server.exe Token: SeIncBasePriorityPrivilege 4244 server.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1120 wrote to memory of 4244 1120 6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd.exe 83 PID 1120 wrote to memory of 4244 1120 6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd.exe 83 PID 1120 wrote to memory of 4244 1120 6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd.exe 83 PID 4244 wrote to memory of 2376 4244 server.exe 84 PID 4244 wrote to memory of 2376 4244 server.exe 84 PID 4244 wrote to memory of 2376 4244 server.exe 84 PID 4244 wrote to memory of 5072 4244 server.exe 87 PID 4244 wrote to memory of 5072 4244 server.exe 87 PID 4244 wrote to memory of 5072 4244 server.exe 87 PID 4244 wrote to memory of 2180 4244 server.exe 88 PID 4244 wrote to memory of 2180 4244 server.exe 88 PID 4244 wrote to memory of 2180 4244 server.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd.exe"C:\Users\Admin\AppData\Local\Temp\6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2376
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5072
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2180
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
93KB
MD583f90cb80993c51fe93a9f341922a3c8
SHA10fb07736f3a7be6f69e17525e32337bd88ff4fd6
SHA2566289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd
SHA5127600ce9c8e603b2329c2fd98d36143ccb52ff6e11a2679c8cc47b1ce78938c752003c4d482c6fbfe5ad22f5e4594b72f5ed46443e9c2b0b7483116757a529c4f
-
Filesize
5B
MD52099bb64fd1770d321df364f99b658d1
SHA13124edeaa14c060becfa8b980ed77db15d56a9e3
SHA256d53ce6bdbd0c3cb4596ac3103f15824570a9858da95f63cedf64cec11dc44e2d
SHA5123481f2a02f7b1255ad0f3cd8a716de9c7414753b6f8657f0bf99738ff6623f8717469bc10e737d6c0d1d13846e726d50baeb5e8ef73efcfce7be5c63327c4895