Analysis
- Max time kernel: 149s
- Max time network: 151s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 31-12-2020 11:13
- Static task: static1
- Behavioral task: behavioral1
  Sample: paste-battar-2020-12-30.vba.vbs
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: paste-battar-2020-12-30.vba.vbs
  Resource: win10v20201028
General
- Target: paste-battar-2020-12-30.vba.vbs
- Size: 7KB
- MD5: 2d279b1ff24694aedac0940f3e297a71
- SHA1: 983522f60204a435e0b05ee93608303c177a296d
- SHA256: ed7953e4573f862ce1ff418416e392670944a7d1f25ce25b2164c903470b6daf
- SHA512: 3948feaefed27971edf6d8f725a867b6975f54e9f9e183dfa8f61482303a300cb7910a920cf98ee5e7b65ef4e302f6da4b39d9a9a69cfd2b9c71af0cd1e9cde3
Malware Config
- Extracted (metasploit)
  Encoder: encoder/shikata_ga_nai
- Extracted (metasploit)
  Payload: windows/reverse_tcp
  Connect-back target (LHOST:LPORT): 192.168.77.130:8080
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  4056  gvUnDdEkO.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description         pid  process      target pid  target process
  wrote to memory of  828  WScript.exe  4056        gvUnDdEkO.exe
  wrote to memory of  828  WScript.exe  4056        gvUnDdEkO.exe
  wrote to memory of  828  WScript.exe  4056        gvUnDdEkO.exe
Processes
- [1] C:\Windows\System32\WScript.exe (PID 828)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\paste-battar-2020-12-30.vba.vbs"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\rad9108A.tmp\gvUnDdEkO.exe (PID 4056, child of WScript.exe)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rad9108A.tmp\gvUnDdEkO.exe"
    Signatures: Executes dropped EXE
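The process tree above (WScript.exe writing to and starting an EXE it dropped under %TEMP%\rad9108A.tmp\), together with the extracted reverse_tcp target, is enough to hunt for the same chain in endpoint telemetry. The script below is an added example and is not part of the sandbox report or of any tool it names. The report contains no host logs, so the sample telemetry is constructed: flat key=value lines that reuse Sysmon's field names for Event ID 1 (process creation) and Event ID 3 (network connection), with invented events. The rad?????.tmp folder shape is generalised from the one folder on the page, and attributing that naming to Scripting.FileSystemObject's GetTempName is an inference about the dropper, not something the report states.

```python
"""Hunt for the dropper chain and C2 that this report records.

Added example; not part of the sandbox report. The sample log is constructed
for the demo: flat key=value lines using Sysmon field names (Event ID 1 =
process creation, Event ID 3 = network connection). Facts taken from the
report: WScript.exe (PID 828) wrote to and started
C:\\Users\\Admin\\AppData\\Local\\Temp\\rad9108A.tmp\\gvUnDdEkO.exe (PID 4056),
that file's SHA256, and the extracted reverse_tcp target 192.168.77.130:8080.
"""
import re

# SHA256 of the dropped EXE, from the report's Downloads section.
DROPPED_SHA256 = "d3f8a7c6d7e89756278d20a9c0de00a9809bf374ec0a40c20500b809607344b7"
# Connect-back target from the report's Malware Config (windows/reverse_tcp).
C2_IP, C2_PORT = "192.168.77.130", "8080"

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# The report shows one folder, %TEMP%\rad9108A.tmp\. "rad" + 5 hex digits is
# the shape Scripting.FileSystemObject.GetTempName produces (an inference about
# the dropper, not stated in the report); the digits change every run, so the
# rule matches the shape rather than the literal folder name.
RAD_TMP_EXE = re.compile(
    r"\\AppData\\Local\\Temp\\rad[0-9A-F]{5}\.tmp\\[^\\]+\.exe$", re.IGNORECASE)


def parse_event(line):
    """Turn 'Key=Value Key2=Value2 ...' into a dict. A value runs up to the
    next ' Key=' token, so paths containing spaces survive intact."""
    return dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line.strip()))


def flag_process_creation(ev):
    """Reasons an Event ID 1 record matches the report's dropper chain."""
    reasons = []
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in SCRIPT_HOSTS and RAD_TMP_EXE.search(ev.get("Image", "")):
        reasons.append("script host started an EXE from %TEMP%\\rad?????.tmp\\")
    # Sysmon writes Hashes as 'MD5=...,SHA256=...'; compare case-insensitively.
    for part in ev.get("Hashes", "").split(","):
        if part.upper() == f"SHA256={DROPPED_SHA256}".upper():
            reasons.append("SHA256 matches the dropped gvUnDdEkO.exe")
    return reasons


def flag_network_connection(ev):
    """Reasons an Event ID 3 record matches the extracted reverse_tcp config."""
    if ev.get("DestinationIp") == C2_IP and ev.get("DestinationPort") == C2_PORT:
        return [f"connection to extracted reverse_tcp target {C2_IP}:{C2_PORT}"]
    return []


def hunt(lines):
    """Apply the right check per event type; return (pid, image, reasons) hits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            reasons = flag_process_creation(ev)
        elif ev.get("EventID") == "3":
            reasons = flag_network_connection(ev)
        else:
            reasons = []
        if reasons:
            hits.append((ev.get("ProcessId"), ev.get("Image"), reasons))
    return hits


# Constructed sample telemetry (invented events, Sysmon-style fields).
SAMPLE_LOG = [
    # The chain in the report: WScript.exe (828) -> rad9108A.tmp\gvUnDdEkO.exe (4056).
    r"EventID=1 ProcessId=4056 Image=C:\Users\Admin\AppData\Local\Temp\rad9108A.tmp\gvUnDdEkO.exe "
    r"ParentProcessId=828 ParentImage=C:\Windows\System32\WScript.exe "
    r"Hashes=MD5=1D47107EF6844FB699AE752396F92F8C,SHA256=D3F8A7C6D7E89756278D20A9C0DE00A9809BF374EC0A40C20500B809607344B7",
    # Same shape, other folder, unknown hash: caught on path shape alone.
    r"EventID=1 ProcessId=5120 Image=C:\Users\Bob\AppData\Local\Temp\rad1B2C3.tmp\update.exe "
    r"ParentProcessId=2210 ParentImage=C:\Windows\SysWOW64\cscript.exe Hashes=SHA256=" + "0" * 64,
    # Benign: Explorer launching an installed program.
    r"EventID=1 ProcessId=6001 Image=C:\Program Files\Notepad++\notepad++.exe "
    r"ParentProcessId=3300 ParentImage=C:\Windows\explorer.exe Hashes=SHA256=" + "1" * 64,
    # Out of scope for this rule: script host spawning PowerShell, not a dropped EXE.
    r"EventID=1 ProcessId=6100 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"ParentProcessId=828 ParentImage=C:\Windows\System32\WScript.exe Hashes=SHA256=" + "2" * 64,
    # The dropped EXE reaching the extracted C2.
    r"EventID=3 ProcessId=4056 Image=C:\Users\Admin\AppData\Local\Temp\rad9108A.tmp\gvUnDdEkO.exe "
    r"DestinationIp=192.168.77.130 DestinationPort=8080 Protocol=tcp",
    # Same host, different port: not the extracted config, so not flagged.
    r"EventID=3 ProcessId=7000 Image=C:\Windows\System32\svchost.exe "
    r"DestinationIp=192.168.77.130 DestinationPort=445 Protocol=tcp",
]

if __name__ == "__main__":
    for pid, image, reasons in hunt(SAMPLE_LOG):
        print(pid, image, "; ".join(reasons))
```

The path-shape rule fires on the second sample even though its hash is unknown, which is the point of matching the folder shape rather than the one folder name in this report; the hash rule is the narrow, high-confidence check for this exact dropped file, and the Event ID 3 check ties a network connection back to the extracted handler address. The WScript.exe-to-PowerShell line is left unflagged to show the rule's scope: it only covers an EXE executed out of a rad?????.tmp folder, as seen here.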
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\rad9108A.tmp\gvUnDdEkO.exe
  MD5: 1d47107ef6844fb699ae752396f92f8c
  SHA1: 93aa8d70d4bccfb9c02ca049b2c7fe82e1347554
  SHA256: d3f8a7c6d7e89756278d20a9c0de00a9809bf374ec0a40c20500b809607344b7
  SHA512: 844bf95165246687ae55f1ac485c01181709fb9d03c80aa9b0f2c534ee34040cc92d70218366f183ee8a746688bfe7c0dafd81ab43d9815c31c38f06e4fdff5c
- memory/4056-2-0x0000000000000000-mapping.dmp