Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
14-11-2020 18:08
Static task
static1
Behavioral task
behavioral1
Sample
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe
Resource
win10v20201028
General
-
Target
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe
-
Size
275KB
-
MD5
24db12df9a2c5e70aa0f83eaaa2ef3ee
-
SHA1
224c8c0c0519c9891224fa28d990cd63c8e6e457
-
SHA256
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e
-
SHA512
673fbb054f353286118ebee7776237a4774647f75adbc3e91fb11d943249f16292603ee27fe084c7789475d0b1ebf4c1ddb70e6ccdc1b5ac00cfa0e1cce17995
Malware Config
Extracted
metasploit
windows/download_exec
http://144.48.9.115:443/YCiX
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exedescription pid process target process PID 944 created 2868 944 5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exepid process 944 5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe 944 5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exedescription pid process target process PID 944 wrote to memory of 1476 944 5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe calc.exe PID 944 wrote to memory of 1476 944 5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe calc.exe PID 944 wrote to memory of 1476 944 5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe calc.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe"C:\Users\Admin\AppData\Local\Temp\5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe"2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1476-0-0x0000000000000000-mapping.dmp