Analysis
max time kernel: 300s
max time network: 261s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 30-06-2024 19:22
Behavioral task: behavioral1
Sample: Server.exe
Resource: win10-20240404-en
General
Target: Server.exe
Size: 93KB
MD5: cea4f20992cffa364724e8b15c1673cf
SHA1: 082e2f92180df46a35e177565158957ed8f3b0bd
SHA256: cb7076dd6a1a709809dec644f95d4b888bc09df369ad0cc767ee13cceb314370
SHA512: 5ae2eef817e5cdeade5e0159bf52fbb32c6091e7b5d0d57721ed7605ffaf0efd017c738add55b45b975341e5c1d01a797fa6fec5205e8b5f315fa675408b151c
SSDEEP: 768:kY30L4eZw0FBcp4uQwV/JMVBXFbF4qeXuOWN/XxrjEtCdnl2pi1Rz4Rk3AsGdp+3:gL40wmEQwVhMTcJLYjEwzGi1dDYD+gS
Malware Config
Signatures
-
Modifies Windows Firewall (2 TTPs, 3 IoCs)
Processes:
pid   process
432   netsh.exe
4292  netsh.exe
4360  netsh.exe
-
Drops startup file (4 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Server.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7e19fde512dbe42326e20391d7e09012Windows Update.exe | Server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7e19fde512dbe42326e20391d7e09012Windows Update.exe | Server.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Server.exe
-
Executes dropped EXE (4 IoCs)
Processes:
pid   process
3964  StUpdate.exe
3128  StUpdate.exe
1072  StUpdate.exe
2116  StUpdate.exe
-
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
description | ioc | process
File created | C:\autorun.inf | Server.exe
File opened for modification | C:\autorun.inf | Server.exe
File created | F:\autorun.inf | Server.exe
File opened for modification | F:\autorun.inf | Server.exe
-
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 9 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
-
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid   process
4468  Server.exe
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 4468 wrote to memory of 4360 | 4468 | Server.exe | netsh.exe
PID 4468 wrote to memory of 4360 | 4468 | Server.exe | netsh.exe
PID 4468 wrote to memory of 4360 | 4468 | Server.exe | netsh.exe
PID 4468 wrote to memory of 432 | 4468 | Server.exe | netsh.exe
PID 4468 wrote to memory of 432 | 4468 | Server.exe | netsh.exe
PID 4468 wrote to memory of 432 | 4468 | Server.exe | netsh.exe
PID 4468 wrote to memory of 4292 | 4468 | Server.exe | netsh.exe
PID 4468 wrote to memory of 4292 | 4468 | Server.exe | netsh.exe
PID 4468 wrote to memory of 4292 | 4468 | Server.exe | netsh.exe
PID 4468 wrote to memory of 2088 | 4468 | Server.exe | schtasks.exe
PID 4468 wrote to memory of 2088 | 4468 | Server.exe | schtasks.exe
PID 4468 wrote to memory of 2088 | 4468 | Server.exe | schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  - Drops startup file
  - Drops autorun.inf file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
      - Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
  - Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
  - Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
  - Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\StUpdate.exe.log
Filesize: 408B
MD5: 6b062b48db9a8e149e10fefd80ab54ef
SHA1: 1e72855f88c33b6ddce512b079bbe2e4aa2b6b57
SHA256: 026518c621aa1e908fd3617fe1d684a6225393659345ad4f9c085fc4f6b3cf43
SHA512: b36007e2b0b71247979cdac1b17520cc37065c001464b4c70d642c8a059510d28ed8b57b7e4df59a43d99d69c588c1bab7b3c95c6a75c0ab98317246b56f7832
-
C:\Users\Admin\AppData\Roaming\app
Filesize: 5B
MD5: b66e20886f9675fe4dbf430ea2d0bf8d
SHA1: 2e676da72201e6e4482e00b300511900c6aee5a0
SHA256: 899a421c56c18058cbdd16dd7fb313a57d36c1189ca0f442070ed01d17241414
SHA512: f431616522f775de27ccde420f0de6f8b3477fbe97cfd8001864b8289a570916a6dd32c84fcf8af6083d8c1b47c61aa5c73ed1e7cc75213d3f24bd94a93cb870
-
F:\Umbrella.flv.exe (same size and hashes as the submitted Server.exe)
Filesize: 93KB
MD5: cea4f20992cffa364724e8b15c1673cf
SHA1: 082e2f92180df46a35e177565158957ed8f3b0bd
SHA256: cb7076dd6a1a709809dec644f95d4b888bc09df369ad0cc767ee13cceb314370
SHA512: 5ae2eef817e5cdeade5e0159bf52fbb32c6091e7b5d0d57721ed7605ffaf0efd017c738add55b45b975341e5c1d01a797fa6fec5205e8b5f315fa675408b151c
-
memory/4468-0-0x00000000733E1000-0x00000000733E2000-memory.dmp
Filesize: 4KB
-
memory/4468-1-0x00000000733E0000-0x0000000073990000-memory.dmp
Filesize: 5.7MB
-
memory/4468-2-0x00000000733E0000-0x0000000073990000-memory.dmp
Filesize: 5.7MB
-
memory/4468-19-0x00000000733E0000-0x0000000073990000-memory.dmp
Filesize: 5.7MB
-
memory/4468-18-0x00000000733E0000-0x0000000073990000-memory.dmp
Filesize: 5.7MB