cb7076dd6a1a709809dec644f95d4b888bc09df369ad0cc767ee13cceb314370

Analysis

max time kernel
300s
max time network
261s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30-06-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

93KB
MD5

cea4f20992cffa364724e8b15c1673cf
SHA1

082e2f92180df46a35e177565158957ed8f3b0bd
SHA256

cb7076dd6a1a709809dec644f95d4b888bc09df369ad0cc767ee13cceb314370
SHA512

5ae2eef817e5cdeade5e0159bf52fbb32c6091e7b5d0d57721ed7605ffaf0efd017c738add55b45b975341e5c1d01a797fa6fec5205e8b5f315fa675408b151c
SSDEEP

768:kY30L4eZw0FBcp4uQwV/JMVBXFbF4qeXuOWN/XxrjEtCdnl2pi1Rz4Rk3AsGdp+3:gL40wmEQwVhMTcJLYjEwzGi1dDYD+gS

Score

8^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

432 netsh.exe
4292 netsh.exe
4360 netsh.exe

pid	process
432	netsh.exe
4292	netsh.exe
4360	netsh.exe

Drops startup file 4 IoCs

Processes:

Server.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7e19fde512dbe42326e20391d7e09012Windows Update.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7e19fde512dbe42326e20391d7e09012Windows Update.exe	Server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Server.exe

Executes dropped EXE 4 IoCs

Processes:

StUpdate.exeStUpdate.exeStUpdate.exeStUpdate.exe

pid process

3964 StUpdate.exe
3128 StUpdate.exe
1072 StUpdate.exe
2116 StUpdate.exe
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

Server.exe

description ioc process

File created C:\autorun.inf Server.exe
File opened for modification C:\autorun.inf Server.exe
File created F:\autorun.inf Server.exe
File opened for modification F:\autorun.inf Server.exe

pid	process
3964	StUpdate.exe
3128	StUpdate.exe
1072	StUpdate.exe
2116	StUpdate.exe

description	ioc	process
File created	C:\autorun.inf	Server.exe
File opened for modification	C:\autorun.inf	Server.exe
File created	F:\autorun.inf	Server.exe
File opened for modification	F:\autorun.inf	Server.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2088 schtasks.exe

pid	process
2088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Server.exe

pid	process
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe
4468	Server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Server.exe

pid process

4468 Server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Server.exe

description	pid	process
Token: SeDebugPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe
Token: SeIncBasePriorityPrivilege	4468	Server.exe
Token: 33	4468	Server.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Server.exe

description	pid	process	target process
PID 4468 wrote to memory of 4360	4468	Server.exe	netsh.exe
PID 4468 wrote to memory of 4360	4468	Server.exe	netsh.exe
PID 4468 wrote to memory of 4360	4468	Server.exe	netsh.exe
PID 4468 wrote to memory of 432	4468	Server.exe	netsh.exe
PID 4468 wrote to memory of 432	4468	Server.exe	netsh.exe
PID 4468 wrote to memory of 432	4468	Server.exe	netsh.exe
PID 4468 wrote to memory of 4292	4468	Server.exe	netsh.exe
PID 4468 wrote to memory of 4292	4468	Server.exe	netsh.exe
PID 4468 wrote to memory of 4292	4468	Server.exe	netsh.exe
PID 4468 wrote to memory of 2088	4468	Server.exe	schtasks.exe
PID 4468 wrote to memory of 2088	4468	Server.exe	schtasks.exe
PID 4468 wrote to memory of 2088	4468	Server.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Drops startup file
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4360

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:432

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4292

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
PID:3128

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
PID:1072

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
PID:2116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\StUpdate.exe.log
Filesize
408B

MD5
6b062b48db9a8e149e10fefd80ab54ef

SHA1
1e72855f88c33b6ddce512b079bbe2e4aa2b6b57

SHA256
026518c621aa1e908fd3617fe1d684a6225393659345ad4f9c085fc4f6b3cf43

SHA512
b36007e2b0b71247979cdac1b17520cc37065c001464b4c70d642c8a059510d28ed8b57b7e4df59a43d99d69c588c1bab7b3c95c6a75c0ab98317246b56f7832

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
b66e20886f9675fe4dbf430ea2d0bf8d

SHA1
2e676da72201e6e4482e00b300511900c6aee5a0

SHA256
899a421c56c18058cbdd16dd7fb313a57d36c1189ca0f442070ed01d17241414

SHA512
f431616522f775de27ccde420f0de6f8b3477fbe97cfd8001864b8289a570916a6dd32c84fcf8af6083d8c1b47c61aa5c73ed1e7cc75213d3f24bd94a93cb870

Download Submit
F:\Umbrella.flv.exe
Filesize
93KB

MD5
cea4f20992cffa364724e8b15c1673cf

SHA1
082e2f92180df46a35e177565158957ed8f3b0bd

SHA256
cb7076dd6a1a709809dec644f95d4b888bc09df369ad0cc767ee13cceb314370

SHA512
5ae2eef817e5cdeade5e0159bf52fbb32c6091e7b5d0d57721ed7605ffaf0efd017c738add55b45b975341e5c1d01a797fa6fec5205e8b5f315fa675408b151c

Download Submit
memory/4468-0-0x00000000733E1000-0x00000000733E2000-memory.dmp

Filesize
4KB

Download
memory/4468-1-0x00000000733E0000-0x0000000073990000-memory.dmp

Filesize
5.7MB

Download
memory/4468-2-0x00000000733E0000-0x0000000073990000-memory.dmp

Filesize
5.7MB

Download
memory/4468-19-0x00000000733E0000-0x0000000073990000-memory.dmp

Filesize
5.7MB

Download
memory/4468-18-0x00000000733E0000-0x0000000073990000-memory.dmp

Filesize
5.7MB

Download