a13ed5c6556e32a91cb9379fac3ccf5db98c42b157dfb89288f5a75ca326bc75

Resubmissions

29/03/2025, 14:07

250329-rfbhzawn16 10

29/03/2025, 13:44

250329-q17w8swly5 10

Analysis

max time kernel
34s
max time network
35s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
29/03/2025, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kaspersky.exe
Size

93KB
MD5

327274bc008bf3d8e260af2a4b70d059
SHA1

d4058bac2970b6d2da5b77c3fb5dffeec236262c
SHA256

a13ed5c6556e32a91cb9379fac3ccf5db98c42b157dfb89288f5a75ca326bc75
SHA512

bae8fc052a696de14760336a896290f304182024cfdd5176f112d93f0d7e14b6a632b0e7e01f3744df1dc5f7b9e003d61088a900a7ed7b2ad2797250d725757b
SSDEEP

1536:7V4FQWqkqqoLc2m+isjEwzGi1dDsDMgS:7V4mkqqoA2xiti1dal

Score

8^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Disables Task Manager via registry modification
defense_evasion

Modifies Windows Firewall 2 TTPs 3 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5860	netsh.exe
5464	netsh.exe
1836	netsh.exe

Executes dropped EXE 7 IoCs

pid	Process
408	server.exe
5056	Explorer.exe
2468	Explorer.exe
3796	Explorer.exe
4992	Explorer.exe
5100	Explorer.exe
3912	Explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
1	2.tcp.eu.ngrok.io

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Explorer.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explorer.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaspersky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Explorer.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
416	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe
408	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
408	server.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	408	server.exe
Token: 33	408	server.exe
Token: SeIncBasePriorityPrivilege	408	server.exe
Token: 33	408	server.exe
Token: SeIncBasePriorityPrivilege	408	server.exe
Token: 33	408	server.exe
Token: SeIncBasePriorityPrivilege	408	server.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 408	3616	Kaspersky.exe	78
PID 3616 wrote to memory of 408	3616	Kaspersky.exe	78
PID 3616 wrote to memory of 408	3616	Kaspersky.exe	78
PID 408 wrote to memory of 5860	408	server.exe	79
PID 408 wrote to memory of 5860	408	server.exe	79
PID 408 wrote to memory of 5860	408	server.exe	79
PID 408 wrote to memory of 1836	408	server.exe	81
PID 408 wrote to memory of 1836	408	server.exe	81
PID 408 wrote to memory of 1836	408	server.exe	81
PID 408 wrote to memory of 5464	408	server.exe	82
PID 408 wrote to memory of 5464	408	server.exe	82
PID 408 wrote to memory of 5464	408	server.exe	82

C:\Users\Admin\AppData\Local\Temp\Kaspersky.exe
"C:\Users\Admin\AppData\Local\Temp\Kaspersky.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Users\Admin\server.exe
  "C:\Users\Admin\server.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5860
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\server.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1836
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5464

C:\Users\Admin\Desktop\Explorer.exe
"C:\Users\Admin\Desktop\Explorer.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5056

C:\Users\Admin\Desktop\Explorer.exe
"C:\Users\Admin\Desktop\Explorer.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2468

C:\Users\Admin\Desktop\Explorer.exe
"C:\Users\Admin\Desktop\Explorer.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3796

C:\Users\Admin\Desktop\Explorer.exe
"C:\Users\Admin\Desktop\Explorer.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4992

C:\Users\Admin\Desktop\Explorer.exe
"C:\Users\Admin\Desktop\Explorer.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5100

C:\Users\Admin\Desktop\Explorer.exe
"C:\Users\Admin\Desktop\Explorer.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3912

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Explorer.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Explorer.exe.log

Filesize
408B

MD5
593f806d2255a76afcad5d4a8395781b

SHA1
3990edff12ef61875bb4206b25a97a9440a8998c

SHA256
beb8b3a764b3e94cc547be84090345e833be03d95d680ad4d75734ccd6485757

SHA512
97440ebd7f8aac1030fe83c7f32a40a986d0fa6faec2c8b8cfbce093a3f27e7626c0b6e768ce6c753ac4dddc4227057b3a6e1d5a652d1f4a9cf64fa8efbad017

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
112317d572ce0538d2d1b20d7f32170e

SHA1
c7f3714c4806b907bcff7f79aa1d1c9373b77d1e

SHA256
fd9e9a8be71786826787d6eb9aa28371d09b0515ddf0c19b082fe7bac57a88a9

SHA512
265dbebc83c74dc97770e650580b0321144990d133403bab2bc1de4618cde63dfd4fedfa56b5e4e259b510585db0f7a59042c356356c56bea3ac861d4be5337f

Download Submit
C:\Users\Admin\server.exe

Filesize
93KB

MD5
327274bc008bf3d8e260af2a4b70d059

SHA1
d4058bac2970b6d2da5b77c3fb5dffeec236262c

SHA256
a13ed5c6556e32a91cb9379fac3ccf5db98c42b157dfb89288f5a75ca326bc75

SHA512
bae8fc052a696de14760336a896290f304182024cfdd5176f112d93f0d7e14b6a632b0e7e01f3744df1dc5f7b9e003d61088a900a7ed7b2ad2797250d725757b

Download Submit
memory/408-24-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/408-23-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/408-25-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/408-39-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/408-40-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/408-41-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3616-0-0x0000000074C51000-0x0000000074C52000-memory.dmp

Filesize
4KB

Download
memory/3616-22-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3616-2-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3616-1-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download