Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20241023-en -
resource tags
arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system -
submitted
23/01/2025, 18:30
Behavioral task
behavioral1
Sample
Server.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10ltsc2021-20250113-en
windows10-ltsc 2021-x64
16 signatures
150 seconds
Behavioral task
behavioral3
Sample
Server.exe
Resource
win11-20241023-en
windows11-21h2-x64
14 signatures
150 seconds
General
-
Target
Server.exe
-
Size
93KB
-
MD5
96ce0bd41a130c362b1166c770960287
-
SHA1
01bfe9caf709cb3ab3366fd7cd28a5dd95ea4b30
-
SHA256
4fd30f330a4150ba28848121c9c0e99c98b198b6abeeceba5c08024c0ab9a851
-
SHA512
933e6af32e68822eef6bfd941a7f027eb8aeceb745b0fb091a79aa8e327ca955e8af20e4032debbee43233b03287321abab3ca95ffc2da127ac299fada9c78c1
-
SSDEEP
1536:ZajFQWqkqqoLc2mLiIjEwzGi1dDyDMgS:ZajmkqqoA28i5i1dkl
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 400 netsh.exe 1584 netsh.exe 2864 netsh.exe -
Drops startup file 6 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9026faf0d7bc26a38f2e53c5ac0d583bWindows Update.exe Server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9026faf0d7bc26a38f2e53c5ac0d583bWindows Update.exe Server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.exe.exe Server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.exe.exe Server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Server.exe -
Executes dropped EXE 2 IoCs
pid Process 852 StUpdate.exe 2836 StUpdate.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created F:\autorun.inf Server.exe File opened for modification F:\autorun.inf Server.exe File created C:\autorun.inf Server.exe File opened for modification C:\autorun.inf Server.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Explorer.exe.exe Server.exe File opened for modification C:\Windows\SysWOW64\Explorer.exe.exe Server.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Explorer.exe.exe Server.exe File opened for modification C:\Program Files (x86)\Explorer.exe.exe Server.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language StUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language StUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4372 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe 4492 Server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4492 Server.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 4492 Server.exe Token: 33 4492 Server.exe Token: SeIncBasePriorityPrivilege 4492 Server.exe Token: 33 4492 Server.exe Token: SeIncBasePriorityPrivilege 4492 Server.exe Token: 33 4492 Server.exe Token: SeIncBasePriorityPrivilege 4492 Server.exe Token: 33 4492 Server.exe Token: SeIncBasePriorityPrivilege 4492 Server.exe Token: 33 4492 Server.exe Token: SeIncBasePriorityPrivilege 4492 Server.exe Token: 33 4492 Server.exe Token: SeIncBasePriorityPrivilege 4492 Server.exe Token: 33 4492 Server.exe Token: SeIncBasePriorityPrivilege 4492 Server.exe Token: 33 4492 Server.exe Token: SeIncBasePriorityPrivilege 4492 Server.exe Token: 33 4492 Server.exe Token: SeIncBasePriorityPrivilege 4492 Server.exe Token: 33 4492 Server.exe Token: SeIncBasePriorityPrivilege 4492 Server.exe Token: 33 4492 Server.exe Token: SeIncBasePriorityPrivilege 4492 Server.exe Token: 33 4492 Server.exe Token: SeIncBasePriorityPrivilege 4492 Server.exe Token: 33 4492 Server.exe Token: SeIncBasePriorityPrivilege 4492 Server.exe Token: 33 4492 Server.exe Token: SeIncBasePriorityPrivilege 4492 Server.exe Token: 33 4492 Server.exe Token: SeIncBasePriorityPrivilege 4492 Server.exe Token: 33 4492 Server.exe Token: SeIncBasePriorityPrivilege 4492 Server.exe Token: 33 4492 Server.exe Token: SeIncBasePriorityPrivilege 4492 Server.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4492 wrote to memory of 1584 4492 Server.exe 78 PID 4492 wrote to memory of 1584 4492 Server.exe 78 PID 4492 wrote to memory of 1584 4492 Server.exe 78 PID 4492 wrote to memory of 2864 4492 Server.exe 80 PID 4492 wrote to memory of 2864 4492 Server.exe 80 PID 4492 wrote to memory of 2864 4492 Server.exe 80 PID 4492 wrote to memory of 400 4492 Server.exe 81 PID 4492 wrote to memory of 400 4492 Server.exe 81 PID 4492 wrote to memory of 400 4492 Server.exe 81 PID 4492 wrote to memory of 4372 4492 Server.exe 82 PID 4492 wrote to memory of 4372 4492 Server.exe 82 PID 4492 wrote to memory of 4372 4492 Server.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Drops startup file
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1584
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2864
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:400
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4372
-
-
C:\Users\Admin\AppData\Local\Temp\StUpdate.exeC:\Users\Admin\AppData\Local\Temp/StUpdate.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:852
-
C:\Users\Admin\AppData\Local\Temp\StUpdate.exeC:\Users\Admin\AppData\Local\Temp/StUpdate.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2836
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
93KB
MD596ce0bd41a130c362b1166c770960287
SHA101bfe9caf709cb3ab3366fd7cd28a5dd95ea4b30
SHA2564fd30f330a4150ba28848121c9c0e99c98b198b6abeeceba5c08024c0ab9a851
SHA512933e6af32e68822eef6bfd941a7f027eb8aeceb745b0fb091a79aa8e327ca955e8af20e4032debbee43233b03287321abab3ca95ffc2da127ac299fada9c78c1
-
Filesize
408B
MD5593f806d2255a76afcad5d4a8395781b
SHA13990edff12ef61875bb4206b25a97a9440a8998c
SHA256beb8b3a764b3e94cc547be84090345e833be03d95d680ad4d75734ccd6485757
SHA51297440ebd7f8aac1030fe83c7f32a40a986d0fa6faec2c8b8cfbce093a3f27e7626c0b6e768ce6c753ac4dddc4227057b3a6e1d5a652d1f4a9cf64fa8efbad017
-
Filesize
5B
MD5c2844bc9e1bd64168a727b0680ae4d90
SHA17bb263540de557f5a4e09c6c78b7dbb314a0df9a
SHA2569c9701ab918368b615fc6a0dbeb5efa286a232d751982ae70b48ad6914bf01e5
SHA512360953bb20d91539022fcb1becf4638970c4452816797a8dca65e3ae4a542302e6e89f0828087caaa63a0750aa78605f8034da7c8663fa4fc677c8f3e53655ed