Analysis
- max time kernel: 17s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 23-11-2020 10:54
Static task: static1
Behavioral task: behavioral1
  Sample: evil.hta
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: evil.hta
  Resource: win10v20201028
General
- Target: evil.hta
- Size: 28KB
- MD5: 05fd981b5e82d5060701f064abb4e42d
- SHA1: 5073ea76853a70b2332096bbc800525025a2e527
- SHA256: 191bd1fa383ec90337de27de9212572e710b44944cb67c3c923852a16c3783db
- SHA512: f8e28526beca600c8d0d625f7a716a4ffe663b9c48d2016c33e94257bbc312c09c40ccc5c1055d433330607a96d35f25a8ced1f2d1e62344abf3ba49feb89328
Malware Config
Extracted
metasploit
windows/download_exec
http://45.138.172.81:443/m6Ip
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (1 IoC)
  Processes:
  pid 1092, process evil.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  PID 880 wrote to memory of 1092 / 880 / mshta.exe / evil.exe
  PID 880 wrote to memory of 1092 / 880 / mshta.exe / evil.exe
  PID 880 wrote to memory of 1092 / 880 / mshta.exe / evil.exe
Processes
- C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\evil.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\radAD288.tmp\evil.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\radAD288.tmp\evil.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\radAD288.tmp\evil.exe
  MD5: 632c473082cd11293a641a95155dd28d
  SHA1: 25f20fd04db1e53dbd8329d18b1d6e4606863dca
  SHA256: af5903de7fbd2df77be4213ad29524e9066600172ecf335a98148c48734da5c2
  SHA512: 4a780e7ee1f58594bed535ad4e36c21be027b07f0f404c30e5a2b97caa7102cfe93792b25db58f5ad7e95f3192d1f8fe5903099f087314fe0b9577af2cbf1d74
- memory/1092-0-0x0000000000000000-mapping.dmp
- memory/1092-3-0x0000000000190000-0x0000000000191000-memory.dmp
  Filesize: 4KB