Analysis
- max time kernel: 120s
- max time network: 140s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 04-05-2021 11:29
Static task: static1
Behavioral task: behavioral1
- Sample: d.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: d.exe
- Resource: win10v20210408
General
- Target: d.exe
- Size: 556KB
- MD5: 525d814ba020a890dd87677747f01f90
- SHA1: 7525642890e312224a14754dcf4006b5cd9d1575
- SHA256: 814af02b5de01b583cad8808550f7f44c06b473cf92e04da6708120a30fbefcd
- SHA512: e350caf0d73b9335e2544f4e63e7abd14dde08060044cf91a7259314561800f696647c7242b43a726ac7e3fe7b0fe3765b9246b8950eded7449705a3e2dc2a59
Malware Config
Extracted
metasploit
windows/download_exec
http://globalcert.io.global.prod.fastly.net:443/api/v1/user/512/avatar
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Program crash (1 IoC)
  Processes:
    pid  pid_target  process       target process
    332  1996        WerFault.exe  d.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid  process
    332  WerFault.exe
    332  WerFault.exe
    332  WerFault.exe
    332  WerFault.exe
    332  WerFault.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid  process
    332  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid  process
    Token: SeDebugPrivilege  332  WerFault.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                      pid   process  target process
    PID 1104 wrote to memory of 1996  1104  d.exe    d.exe
    PID 1104 wrote to memory of 1996  1104  d.exe    d.exe
    PID 1104 wrote to memory of 1996  1104  d.exe    d.exe
    PID 1104 wrote to memory of 1996  1104  d.exe    d.exe
    PID 1996 wrote to memory of 332   1996  d.exe    WerFault.exe
    PID 1996 wrote to memory of 332   1996  d.exe    WerFault.exe
    PID 1996 wrote to memory of 332   1996  d.exe    WerFault.exe
    PID 1996 wrote to memory of 332   1996  d.exe    WerFault.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\d.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\d.exe wcOwQpG
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1260
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/332-63-0x0000000000000000-mapping.dmp
- memory/332-65-0x00000000002C0000-0x00000000002C1000-memory.dmp (Filesize: 4KB)
- memory/1104-59-0x0000000076E11000-0x0000000076E13000-memory.dmp (Filesize: 8KB)
- memory/1996-60-0x0000000000000000-mapping.dmp
- memory/1996-62-0x00000000001B0000-0x00000000001B1000-memory.dmp (Filesize: 4KB)
- memory/1996-64-0x0000000003850000-0x0000000003C50000-memory.dmp (Filesize: 4.0MB)