Overview

overview

10

Static

static

10

9cf9f7182f...c9.exe

windows7-x64

10

9cf9f7182f...c9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2025 18:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9cf9f7182fc6d0c17d3ebb75273ad4a861b44fb318c94f71a719723646cc3ec9.exe

  • Size

    136KB

  • MD5

    79500f7c4b6cf21732b6ef0414c2dfa7

  • SHA1

    512a900a0b8bbddca9071fa91958fc2ed8e1e10c

  • SHA256

    9cf9f7182fc6d0c17d3ebb75273ad4a861b44fb318c94f71a719723646cc3ec9

  • SHA512

    2098e52b357864b22e3f40b6d5e1bb0a830aa874eb0c6b8ad44aa04e318b810885d33806a2a67b915ed142d146fa0f702fe5c1d2eb495c34fb030b69e5481dcc

  • SSDEEP

    1536:OWzOx6baIa9RIj00ljEwzGi1dD3DXgSAhA4OK4VVpuXQQdo3MU:OWLbaIa9ijNSi1dnQD9Rea3I

Score
8/10
discoveryevasionpersistenceprivilege_escalation

Malware Config

Signatures

  • Disables Task Manager via registry modification
    evasion
  • Modifies Windows Firewall 2 TTPs 27 IoCs
    evasion
  • Checks computer location settings 2 TTPs 19 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 20 IoCs
  • Executes dropped EXE 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9cf9f7182fc6d0c17d3ebb75273ad4a861b44fb318c94f71a719723646cc3ec9.exe
    "C:\Users\Admin\AppData\Local\Temp\9cf9f7182fc6d0c17d3ebb75273ad4a861b44fb318c94f71a719723646cc3ec9.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops autorun.inf file
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:4156
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2364
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2204
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4888
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3388
        • C:\Users\Admin\AppData\Local\Temp\server.exe
          "C:\Users\Admin\AppData\Local\Temp\server.exe"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:1988
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:1516
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2880
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2888
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2816
            • C:\Users\Admin\AppData\Local\Temp\server.exe
              "C:\Users\Admin\AppData\Local\Temp\server.exe"
              6⤵
              • Checks computer location settings
              • Drops startup file
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of WriteProcessMemory
              PID:2736
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:3928
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:1396
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:2156
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:436
                • C:\Users\Admin\AppData\Local\Temp\server.exe
                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                  8⤵
                  • Checks computer location settings
                  • Drops startup file
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of WriteProcessMemory
                  PID:636
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:2480
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:1216
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:1632
                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1968
                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                      10⤵
                      • Checks computer location settings
                      • Drops startup file
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of WriteProcessMemory
                      PID:4044
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                        11⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:3976
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                        11⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:1576
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                        11⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:1076
                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:3160
                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                          12⤵
                          • Checks computer location settings
                          • Drops startup file
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: GetForegroundWindowSpam
                          PID:808
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                            13⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:1524
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                            13⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:4524
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                            13⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:3348
                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                            13⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3640
                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                              14⤵
                              • Checks computer location settings
                              • Drops startup file
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: GetForegroundWindowSpam
                              PID:2488
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                15⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                • System Location Discovery: System Language Discovery
                                PID:3612
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                15⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                • System Location Discovery: System Language Discovery
                                PID:3272
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                15⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                • System Location Discovery: System Language Discovery
                                PID:4432
                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                15⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:3940
                                • C:\Users\Admin\AppData\Local\Temp\server.exe
                                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                  16⤵
                                  • Checks computer location settings
                                  • Drops startup file
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  PID:2308
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                    17⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:3112
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                    17⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:3664
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                    17⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:5040
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                    17⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    PID:3572
                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                      18⤵
                                      • Checks computer location settings
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: GetForegroundWindowSpam
                                      PID:2368
                                      • C:\Windows\SysWOW64\netsh.exe
                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                        19⤵
                                        • Modifies Windows Firewall
                                        • Event Triggered Execution: Netsh Helper DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:4876
                                      • C:\Windows\SysWOW64\netsh.exe
                                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                        19⤵
                                        • Modifies Windows Firewall
                                        • Event Triggered Execution: Netsh Helper DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:2632
                                      • C:\Windows\SysWOW64\netsh.exe
                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                        19⤵
                                        • Modifies Windows Firewall
                                        • Event Triggered Execution: Netsh Helper DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:3384
                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                        19⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:4496
                                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                          20⤵
                                            PID:4308

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log
      Filesize

      496B

      MD5

      a4467dea22bfd7e0083d680c571f5e7c

      SHA1

      59682ca656f04dd57f7ef4552b96f71d73196ea2

      SHA256

      d165b248678c73e289a7d4a8aa74acc5c09408e58b8f2abd668013ca12c00cc4

      SHA512

      73d25a179994c16b2b3a357e8b068ebf415418033cd601d7084b3a44d822cb99c33c396c9a27ad6fa2066748032e21f09ce89461bc3180ec071d2d64e68ad790

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log
      Filesize

      408B

      MD5

      661cab77d3b907e8057f2e689e995af3

      SHA1

      5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

      SHA256

      8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

      SHA512

      2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\melt.txt
      Filesize

      44B

      MD5

      298802dff6aa26d4fb941c7ccf5c0849

      SHA1

      11e518ca3409f1863ebc2d3f1be9fb701bad52c0

      SHA256

      df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d

      SHA512

      0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\server.exe
      Filesize

      136KB

      MD5

      79500f7c4b6cf21732b6ef0414c2dfa7

      SHA1

      512a900a0b8bbddca9071fa91958fc2ed8e1e10c

      SHA256

      9cf9f7182fc6d0c17d3ebb75273ad4a861b44fb318c94f71a719723646cc3ec9

      SHA512

      2098e52b357864b22e3f40b6d5e1bb0a830aa874eb0c6b8ad44aa04e318b810885d33806a2a67b915ed142d146fa0f702fe5c1d2eb495c34fb030b69e5481dcc

      Download Submit

    • C:\Users\Admin\AppData\Roaming\app
      Filesize

      5B

      MD5

      2099bb64fd1770d321df364f99b658d1

      SHA1

      3124edeaa14c060becfa8b980ed77db15d56a9e3

      SHA256

      d53ce6bdbd0c3cb4596ac3103f15824570a9858da95f63cedf64cec11dc44e2d

      SHA512

      3481f2a02f7b1255ad0f3cd8a716de9c7414753b6f8657f0bf99738ff6623f8717469bc10e737d6c0d1d13846e726d50baeb5e8ef73efcfce7be5c63327c4895

      Download Submit

    • memory/2356-1-0x0000000075210000-0x00000000757C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2356-2-0x0000000075210000-0x00000000757C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2356-13-0x0000000075210000-0x00000000757C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2356-0-0x0000000075212000-0x0000000075213000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4156-15-0x0000000075210000-0x00000000757C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4156-47-0x0000000075210000-0x00000000757C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4156-28-0x0000000075210000-0x00000000757C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4156-14-0x0000000075210000-0x00000000757C1000-memory.dmp

      Filesize

      5.7MB

      Download