Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-01-2025 03:32
Behavioral task
behavioral1
Sample
c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb.exe
Resource
win10v2004-20241007-en
General
-
Target
c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb.exe
-
Size
93KB
-
MD5
d61b6c8d2031c9c14fd2ca8cac4abbd0
-
SHA1
232a655eb7c720a90d30f4f51a3aa4fde319be2b
-
SHA256
c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb
-
SHA512
4649981329ec72d555af8888b3bc2b6e93d3569c232247f430147aa32b8f907dc7f1e188f3ec32c5a33fa95cf06f8c3719da033959cb1af709ab4e133a2b3e3a
-
SSDEEP
1536:1emC+xhUa9urgOB9RNvM4jEwzGi1dDlDRgS:1egUa9urgONdGi1dRO
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 1292 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb.exe -
Drops startup file 6 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a5ecb8dd72f32c83945d9630db93a6c0Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a5ecb8dd72f32c83945d9630db93a6c0Windows Update.exe server.exe -
Executes dropped EXE 1 IoCs
pid Process 2296 server.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 15 2.tcp.eu.ngrok.io 104 2.tcp.eu.ngrok.io 123 2.tcp.eu.ngrok.io -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe 2296 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2296 server.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe Token: 33 2296 server.exe Token: SeIncBasePriorityPrivilege 2296 server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 372 wrote to memory of 2296 372 c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb.exe 84 PID 372 wrote to memory of 2296 372 c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb.exe 84 PID 372 wrote to memory of 2296 372 c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb.exe 84 PID 2296 wrote to memory of 1292 2296 server.exe 85 PID 2296 wrote to memory of 1292 2296 server.exe 85 PID 2296 wrote to memory of 1292 2296 server.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb.exe"C:\Users\Admin\AppData\Local\Temp\c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1292
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
93KB
MD5d61b6c8d2031c9c14fd2ca8cac4abbd0
SHA1232a655eb7c720a90d30f4f51a3aa4fde319be2b
SHA256c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb
SHA5124649981329ec72d555af8888b3bc2b6e93d3569c232247f430147aa32b8f907dc7f1e188f3ec32c5a33fa95cf06f8c3719da033959cb1af709ab4e133a2b3e3a
-
Filesize
5B
MD5d43c5b07c128b116b7bc8faf7b8efa9d
SHA1dd3540ad4ae14b21b665d108cf4570c2dfa6a6fa
SHA25680ad1cc7b3a784dad618a445af0c8cf3efa903f82a814756f2aaa7b57f45791f
SHA512618b01e2b808e1954d011635dfdf63bc75855145208fc5cae33ce09c7e5b43cf978f6511beb311765e6920e728a290c9f9ced7563e40e8ff8d093d50fdc18334