Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23/01/2025, 18:30
Behavioral task
behavioral1
Sample
Server.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10ltsc2021-20250113-en
windows10-ltsc 2021-x64
16 signatures
150 seconds
Behavioral task
behavioral3
Sample
Server.exe
Resource
win11-20241023-en
windows11-21h2-x64
14 signatures
150 seconds
General
-
Target
Server.exe
-
Size
93KB
-
MD5
96ce0bd41a130c362b1166c770960287
-
SHA1
01bfe9caf709cb3ab3366fd7cd28a5dd95ea4b30
-
SHA256
4fd30f330a4150ba28848121c9c0e99c98b198b6abeeceba5c08024c0ab9a851
-
SHA512
933e6af32e68822eef6bfd941a7f027eb8aeceb745b0fb091a79aa8e327ca955e8af20e4032debbee43233b03287321abab3ca95ffc2da127ac299fada9c78c1
-
SSDEEP
1536:ZajFQWqkqqoLc2mLiIjEwzGi1dDyDMgS:ZajmkqqoA28i5i1dkl
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 216 netsh.exe 3676 netsh.exe 4912 netsh.exe -
Drops startup file 6 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.exe.exe Server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9026faf0d7bc26a38f2e53c5ac0d583bWindows Update.exe Server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9026faf0d7bc26a38f2e53c5ac0d583bWindows Update.exe Server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.exe.exe Server.exe -
Executes dropped EXE 2 IoCs
pid Process 3728 StUpdate.exe 1664 StUpdate.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf Server.exe File opened for modification C:\autorun.inf Server.exe File created F:\autorun.inf Server.exe File opened for modification F:\autorun.inf Server.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Explorer.exe.exe Server.exe File created C:\Windows\SysWOW64\Explorer.exe.exe Server.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Explorer.exe.exe Server.exe File opened for modification C:\Program Files (x86)\Explorer.exe.exe Server.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language StUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language StUpdate.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3664 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe 3820 Server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3820 Server.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 3820 Server.exe Token: 33 3820 Server.exe Token: SeIncBasePriorityPrivilege 3820 Server.exe Token: 33 3820 Server.exe Token: SeIncBasePriorityPrivilege 3820 Server.exe Token: 33 3820 Server.exe Token: SeIncBasePriorityPrivilege 3820 Server.exe Token: 33 3820 Server.exe Token: SeIncBasePriorityPrivilege 3820 Server.exe Token: 33 3820 Server.exe Token: SeIncBasePriorityPrivilege 3820 Server.exe Token: 33 3820 Server.exe Token: SeIncBasePriorityPrivilege 3820 Server.exe Token: 33 3820 Server.exe Token: SeIncBasePriorityPrivilege 3820 Server.exe Token: 33 3820 Server.exe Token: SeIncBasePriorityPrivilege 3820 Server.exe Token: 33 3820 Server.exe Token: SeIncBasePriorityPrivilege 3820 Server.exe Token: 33 3820 Server.exe Token: SeIncBasePriorityPrivilege 3820 Server.exe Token: 33 3820 Server.exe Token: SeIncBasePriorityPrivilege 3820 Server.exe Token: 33 3820 Server.exe Token: SeIncBasePriorityPrivilege 3820 Server.exe Token: 33 3820 Server.exe Token: SeIncBasePriorityPrivilege 3820 Server.exe Token: 33 3820 Server.exe Token: SeIncBasePriorityPrivilege 3820 Server.exe Token: 33 3820 Server.exe Token: SeIncBasePriorityPrivilege 3820 Server.exe Token: 33 3820 Server.exe Token: SeIncBasePriorityPrivilege 3820 Server.exe Token: 33 3820 Server.exe Token: SeIncBasePriorityPrivilege 3820 Server.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3820 wrote to memory of 216 3820 Server.exe 83 PID 3820 wrote to memory of 216 3820 Server.exe 83 PID 3820 wrote to memory of 216 3820 Server.exe 83 PID 3820 wrote to memory of 3676 3820 Server.exe 89 PID 3820 wrote to memory of 3676 3820 Server.exe 89 PID 3820 wrote to memory of 3676 3820 Server.exe 89 PID 3820 wrote to memory of 4912 3820 Server.exe 90 PID 3820 wrote to memory of 4912 3820 Server.exe 90 PID 3820 wrote to memory of 4912 3820 Server.exe 90 PID 3820 wrote to memory of 3664 3820 Server.exe 91 PID 3820 wrote to memory of 3664 3820 Server.exe 91 PID 3820 wrote to memory of 3664 3820 Server.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Drops startup file
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:216
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3676
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4912
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3664
-
-
C:\Users\Admin\AppData\Local\Temp\StUpdate.exeC:\Users\Admin\AppData\Local\Temp/StUpdate.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3728
-
C:\Users\Admin\AppData\Local\Temp\StUpdate.exeC:\Users\Admin\AppData\Local\Temp/StUpdate.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1664
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
93KB
MD596ce0bd41a130c362b1166c770960287
SHA101bfe9caf709cb3ab3366fd7cd28a5dd95ea4b30
SHA2564fd30f330a4150ba28848121c9c0e99c98b198b6abeeceba5c08024c0ab9a851
SHA512933e6af32e68822eef6bfd941a7f027eb8aeceb745b0fb091a79aa8e327ca955e8af20e4032debbee43233b03287321abab3ca95ffc2da127ac299fada9c78c1
-
Filesize
408B
MD5661cab77d3b907e8057f2e689e995af3
SHA15d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c
SHA2568f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2
SHA5122523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67
-
Filesize
5B
MD5c2844bc9e1bd64168a727b0680ae4d90
SHA17bb263540de557f5a4e09c6c78b7dbb314a0df9a
SHA2569c9701ab918368b615fc6a0dbeb5efa286a232d751982ae70b48ad6914bf01e5
SHA512360953bb20d91539022fcb1becf4638970c4452816797a8dca65e3ae4a542302e6e89f0828087caaa63a0750aa78605f8034da7c8663fa4fc677c8f3e53655ed