a13ed5c6556e32a91cb9379fac3ccf5db98c42b157dfb89288f5a75ca326bc75

Analysis

max time kernel
79s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kaspersky.exe
Size

93KB
MD5

327274bc008bf3d8e260af2a4b70d059
SHA1

d4058bac2970b6d2da5b77c3fb5dffeec236262c
SHA256

a13ed5c6556e32a91cb9379fac3ccf5db98c42b157dfb89288f5a75ca326bc75
SHA512

bae8fc052a696de14760336a896290f304182024cfdd5176f112d93f0d7e14b6a632b0e7e01f3744df1dc5f7b9e003d61088a900a7ed7b2ad2797250d725757b
SSDEEP

1536:7V4FQWqkqqoLc2m+isjEwzGi1dDsDMgS:7V4mkqqoA2xiti1dal

Score

8^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Disables Task Manager via registry modification
defense_evasion

Modifies Windows Firewall 2 TTPs 4 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2772	netsh.exe
4568	netsh.exe
4512	netsh.exe
4372	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	Kaspersky.exe

Executes dropped EXE 1 IoCs

pid	Process
1992	server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
21	2.tcp.eu.ngrok.io

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Explorer.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explorer.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaspersky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
560	cmd.exe
2440	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2440	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe
1992	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1992	server.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	server.exe
Token: 33	1992	server.exe
Token: SeIncBasePriorityPrivilege	1992	server.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 1992	2764	Kaspersky.exe	89
PID 2764 wrote to memory of 1992	2764	Kaspersky.exe	89
PID 2764 wrote to memory of 1992	2764	Kaspersky.exe	89
PID 1992 wrote to memory of 2772	1992	server.exe	90
PID 1992 wrote to memory of 2772	1992	server.exe	90
PID 1992 wrote to memory of 2772	1992	server.exe	90
PID 1992 wrote to memory of 4568	1992	server.exe	97
PID 1992 wrote to memory of 4568	1992	server.exe	97
PID 1992 wrote to memory of 4568	1992	server.exe	97
PID 1992 wrote to memory of 4512	1992	server.exe	98
PID 1992 wrote to memory of 4512	1992	server.exe	98
PID 1992 wrote to memory of 4512	1992	server.exe	98
PID 1992 wrote to memory of 4372	1992	server.exe	104
PID 1992 wrote to memory of 4372	1992	server.exe	104
PID 1992 wrote to memory of 4372	1992	server.exe	104
PID 1992 wrote to memory of 560	1992	server.exe	105
PID 1992 wrote to memory of 560	1992	server.exe	105
PID 1992 wrote to memory of 560	1992	server.exe	105
PID 560 wrote to memory of 2440	560	cmd.exe	108
PID 560 wrote to memory of 2440	560	cmd.exe	108
PID 560 wrote to memory of 2440	560	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\Kaspersky.exe
"C:\Users\Admin\AppData\Local\Temp\Kaspersky.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\server.exe
  "C:\Users\Admin\server.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2772
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\server.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4568
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4512
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\server.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\server.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\SysWOW64\PING.EXE
      ping 0 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
112317d572ce0538d2d1b20d7f32170e

SHA1
c7f3714c4806b907bcff7f79aa1d1c9373b77d1e

SHA256
fd9e9a8be71786826787d6eb9aa28371d09b0515ddf0c19b082fe7bac57a88a9

SHA512
265dbebc83c74dc97770e650580b0321144990d133403bab2bc1de4618cde63dfd4fedfa56b5e4e259b510585db0f7a59042c356356c56bea3ac861d4be5337f

Download Submit
C:\Users\Admin\server.exe

Filesize
93KB

MD5
327274bc008bf3d8e260af2a4b70d059

SHA1
d4058bac2970b6d2da5b77c3fb5dffeec236262c

SHA256
a13ed5c6556e32a91cb9379fac3ccf5db98c42b157dfb89288f5a75ca326bc75

SHA512
bae8fc052a696de14760336a896290f304182024cfdd5176f112d93f0d7e14b6a632b0e7e01f3744df1dc5f7b9e003d61088a900a7ed7b2ad2797250d725757b

Download Submit
memory/1992-24-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/1992-23-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/1992-29-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/1992-32-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2764-0-0x00000000747C2000-0x00000000747C3000-memory.dmp

Filesize
4KB

Download
memory/2764-1-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2764-2-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2764-22-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download