Analysis
-
max time kernel
146s -
max time network
145s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
14-11-2020 18:08
Static task
static1
Behavioral task
behavioral1
Sample
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe
Resource
win10v20201028
General
-
Target
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe
-
Size
275KB
-
MD5
24db12df9a2c5e70aa0f83eaaa2ef3ee
-
SHA1
224c8c0c0519c9891224fa28d990cd63c8e6e457
-
SHA256
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e
-
SHA512
673fbb054f353286118ebee7776237a4774647f75adbc3e91fb11d943249f16292603ee27fe084c7789475d0b1ebf4c1ddb70e6ccdc1b5ac00cfa0e1cce17995
Malware Config
Extracted
metasploit
windows/download_exec
http://144.48.9.115:443/YCiX
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exedescription pid process target process PID 2036 created 1252 2036 5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exepid process 2036 5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exedescription pid process target process PID 2036 wrote to memory of 1248 2036 5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe calc.exe PID 2036 wrote to memory of 1248 2036 5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe calc.exe PID 2036 wrote to memory of 1248 2036 5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe calc.exe PID 2036 wrote to memory of 1248 2036 5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe calc.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe"C:\Users\Admin\AppData\Local\Temp\5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe"2⤵