Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
14-11-2020 18:08
General
-
Target
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe
-
Size
275KB
-
MD5
24db12df9a2c5e70aa0f83eaaa2ef3ee
-
SHA1
224c8c0c0519c9891224fa28d990cd63c8e6e457
-
SHA256
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e
-
SHA512
673fbb054f353286118ebee7776237a4774647f75adbc3e91fb11d943249f16292603ee27fe084c7789475d0b1ebf4c1ddb70e6ccdc1b5ac00cfa0e1cce17995
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
windows/download_exec
C2
http://144.48.9.115:443/YCiX
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe"C:\Users\Admin\AppData\Local\Temp\5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe"2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1476-0-0x0000000000000000-mapping.dmp