Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
21-01-2025 07:21
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
Server.exe
-
Size
93KB
-
MD5
d61b6c8d2031c9c14fd2ca8cac4abbd0
-
SHA1
232a655eb7c720a90d30f4f51a3aa4fde319be2b
-
SHA256
c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb
-
SHA512
4649981329ec72d555af8888b3bc2b6e93d3569c232247f430147aa32b8f907dc7f1e188f3ec32c5a33fa95cf06f8c3719da033959cb1af709ab4e133a2b3e3a
-
SSDEEP
1536:1emC+xhUa9urgOB9RNvM4jEwzGi1dDlDRgS:1egUa9urgONdGi1dRO
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2800 netsh.exe -
Drops startup file 6 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a5ecb8dd72f32c83945d9630db93a6c0Windows Update.exe Server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a5ecb8dd72f32c83945d9630db93a6c0Windows Update.exe Server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Server.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 2 2.tcp.eu.ngrok.io 18 2.tcp.eu.ngrok.io 38 2.tcp.eu.ngrok.io -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Explower.exe Server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe Server.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Explower.exe Server.exe File opened for modification C:\Program Files (x86)\Explower.exe Server.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe 2776 Server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2776 Server.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe Token: 33 2776 Server.exe Token: SeIncBasePriorityPrivilege 2776 Server.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2776 wrote to memory of 2800 2776 Server.exe 30 PID 2776 wrote to memory of 2800 2776 Server.exe 30 PID 2776 wrote to memory of 2800 2776 Server.exe 30 PID 2776 wrote to memory of 2800 2776 Server.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2800
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
93KB
MD5d61b6c8d2031c9c14fd2ca8cac4abbd0
SHA1232a655eb7c720a90d30f4f51a3aa4fde319be2b
SHA256c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb
SHA5124649981329ec72d555af8888b3bc2b6e93d3569c232247f430147aa32b8f907dc7f1e188f3ec32c5a33fa95cf06f8c3719da033959cb1af709ab4e133a2b3e3a