Analysis
max time kernel: 132s
max time network: 135s
platform: windows10_x64
resource: win10v20210408
submitted: 04-05-2021 11:29
Static task: static1

Behavioral task: behavioral1
Sample: d.exe
Resource: win7v20210410 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: d.exe
Resource: win10v20210408 (windows10_x64)
0 signatures, 0 seconds
General
Target: d.exe
Size: 556KB
MD5: 525d814ba020a890dd87677747f01f90
SHA1: 7525642890e312224a14754dcf4006b5cd9d1575
SHA256: 814af02b5de01b583cad8808550f7f44c06b473cf92e04da6708120a30fbefcd
SHA512: e350caf0d73b9335e2544f4e63e7abd14dde08060044cf91a7259314561800f696647c7242b43a726ac7e3fe7b0fe3765b9246b8950eded7449705a3e2dc2a59
Score: 10/10
Malware Config
Extracted
Family: metasploit
Version: windows/download_exec
C2: http://globalcert.io.global.prod.fastly.net:443/api/v1/user/512/avatar
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Program crash (1 IoC)
Processes:
pid    pid_target    process         target process
3800   1636          WerFault.exe    d.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
pid    process
3800   WerFault.exe    (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description                  pid    process
Token: SeRestorePrivilege    3800   WerFault.exe
Token: SeBackupPrivilege     3800   WerFault.exe
Token: SeDebugPrivilege      3800   WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description                        pid   process   target process
PID 500 wrote to memory of 1636    500   d.exe     d.exe    (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d.exe"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\d.exe
      command line: C:\Users\Admin\AppData\Local\Temp\d.exe wcOwQpG
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1264
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken