Analysis
-
max time kernel
17s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
23-11-2020 10:54
General
-
Target
evil.hta
-
Size
28KB
-
MD5
05fd981b5e82d5060701f064abb4e42d
-
SHA1
5073ea76853a70b2332096bbc800525025a2e527
-
SHA256
191bd1fa383ec90337de27de9212572e710b44944cb67c3c923852a16c3783db
-
SHA512
f8e28526beca600c8d0d625f7a716a4ffe663b9c48d2016c33e94257bbc312c09c40ccc5c1055d433330607a96d35f25a8ced1f2d1e62344abf3ba49feb89328
Malware Config
Extracted
metasploit
windows/download_exec
http://45.138.172.81:443/m6Ip
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Executes dropped EXE 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\evil.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\radAD288.tmp\evil.exe"C:\Users\Admin\AppData\Local\Temp\radAD288.tmp\evil.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\radAD288.tmp\evil.exeMD5
632c473082cd11293a641a95155dd28d
SHA125f20fd04db1e53dbd8329d18b1d6e4606863dca
SHA256af5903de7fbd2df77be4213ad29524e9066600172ecf335a98148c48734da5c2
SHA5124a780e7ee1f58594bed535ad4e36c21be027b07f0f404c30e5a2b97caa7102cfe93792b25db58f5ad7e95f3192d1f8fe5903099f087314fe0b9577af2cbf1d74
-
C:\Users\Admin\AppData\Local\Temp\radAD288.tmp\evil.exeMD5
632c473082cd11293a641a95155dd28d
SHA125f20fd04db1e53dbd8329d18b1d6e4606863dca
SHA256af5903de7fbd2df77be4213ad29524e9066600172ecf335a98148c48734da5c2
SHA5124a780e7ee1f58594bed535ad4e36c21be027b07f0f404c30e5a2b97caa7102cfe93792b25db58f5ad7e95f3192d1f8fe5903099f087314fe0b9577af2cbf1d74
-
memory/1092-0-0x0000000000000000-mapping.dmp
-
memory/1092-3-0x0000000000190000-0x0000000000191000-memory.dmpFilesize
4KB