Analysis
-
max time kernel
899s -
max time network
725s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
30-01-2025 22:46
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20241010-en
windows7-x64
17 signatures
900 seconds
General
-
Target
Server.exe
-
Size
93KB
-
MD5
cc560bdc2869ccf4ae0e939a1aa7f1b4
-
SHA1
f16b12272a26df1bb2dffe5ebbd8483b30d59ee5
-
SHA256
88438e680d7127491c1bed3f762ac9fc7839e08e710cb8f9da9d1cfbaf772f68
-
SHA512
d57d6e8e1d27d41c01f3a6c6bcdb8f522748527678539f816b94da3b5cba8a75a96b8d1b0677ef77925eb579d2c7d374f50b91df9887f734ff288a303ddbae12
-
SSDEEP
1536:PUwC+xhUa9urgOBPRNvM4jEwzGi1dDxD8gS:PUmUa9urgObdGi1dNV
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 1716 netsh.exe -
Drops desktop.ini file(s) 7 IoCs
description ioc Process File opened for modification C:\Users\Admin\Music\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Music\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Pictures\desktop.ini wmplayer.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: wmplayer.exe File opened (read-only) \??\M: wmplayer.exe File opened (read-only) \??\N: wmplayer.exe File opened (read-only) \??\S: wmplayer.exe File opened (read-only) \??\U: wmplayer.exe File opened (read-only) \??\Y: wmplayer.exe File opened (read-only) \??\Z: wmplayer.exe File opened (read-only) \??\I: wmplayer.exe File opened (read-only) \??\G: wmplayer.exe File opened (read-only) \??\J: wmplayer.exe File opened (read-only) \??\L: wmplayer.exe File opened (read-only) \??\P: wmplayer.exe File opened (read-only) \??\E: wmplayer.exe File opened (read-only) \??\B: wmplayer.exe File opened (read-only) \??\H: wmplayer.exe File opened (read-only) \??\O: wmplayer.exe File opened (read-only) \??\Q: wmplayer.exe File opened (read-only) \??\R: wmplayer.exe File opened (read-only) \??\T: wmplayer.exe File opened (read-only) \??\V: wmplayer.exe File opened (read-only) \??\A: wmplayer.exe File opened (read-only) \??\X: wmplayer.exe File opened (read-only) \??\W: wmplayer.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\WindowsUpdate.log ehshell.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmplayer.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz ehshell.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ehshell.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier ehshell.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ehshell.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer wmplayer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" wmplayer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2864 ehshell.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2864 ehshell.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 1268 Server.exe 2864 ehshell.exe 2436 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeDebugPrivilege 1268 Server.exe Token: 33 1268 Server.exe Token: SeIncBasePriorityPrivilege 1268 Server.exe Token: 33 1268 Server.exe Token: SeIncBasePriorityPrivilege 1268 Server.exe Token: SeDebugPrivilege 2864 ehshell.exe Token: 33 1268 Server.exe Token: SeIncBasePriorityPrivilege 1268 Server.exe Token: SeDebugPrivilege 2436 taskmgr.exe Token: 33 2756 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2756 AUDIODG.EXE Token: 33 2756 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2756 AUDIODG.EXE Token: SeShutdownPrivilege 2864 ehshell.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe 2436 taskmgr.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1268 wrote to memory of 1716 1268 Server.exe 29 PID 1268 wrote to memory of 1716 1268 Server.exe 29 PID 1268 wrote to memory of 1716 1268 Server.exe 29 PID 1268 wrote to memory of 1716 1268 Server.exe 29 PID 2864 wrote to memory of 1888 2864 ehshell.exe 35 PID 2864 wrote to memory of 1888 2864 ehshell.exe 35 PID 2864 wrote to memory of 1888 2864 ehshell.exe 35 PID 2864 wrote to memory of 1888 2864 ehshell.exe 35 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1716
-
-
C:\Windows\eHome\ehshell.exe"C:\Windows\eHome\ehshell.exe" /prefetch:1003 "C:\Users\Admin\Desktop\DismountLock.DVR"1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /SkipFUE /RemoteOCXLaunch /SuppressDialogs2⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1888
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5c01⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2436
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{5CF40005-EFF1-4E4A-AFAF-35F6B699D6FB}.jpg
Filesize22KB
MD535e787587cd3fa8ed360036c9fca3df2
SHA184c76a25c6fe336f6559c033917a4c327279886d
SHA25698c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2
SHA512aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9
-
Filesize
5KB
MD51c6a4f664e8e18eba1a5b61ac4dde46f
SHA1f09e10bc312f20ccd61c65c892666677d54d2282
SHA256ccc20b7b3b29325db0a0b1c2127c12d8a1c019ca159505a96cbcbc89701702f9
SHA5123ff32e45c7b0c1f38d5296c0a1ed6a87c987d1b5a4fd0efed2aacbce0794a8f804ec985891bf03ed1ec4bf03b18b25b9717a2aa405dc45aadae4b2b30d6012a6
