Analysis
- max time kernel: 15s
- max time network: 10s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 04-05-2021 00:58

Static task: static1

Behavioral task: behavioral1
- Sample: 3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5.ps1
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: 3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5.ps1
- Resource: win10v20210408
General
- Target: 3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5.ps1
- Size: 814KB
- MD5: c925822c6d5175c30ba96388b07e9e16
- SHA1: dd10c4c9a71b5850c23fde513525cac86943523e
- SHA256: 3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5
- SHA512: 754f9cd80df7f78bbc1ea1bf0b4bfddcff815702649c8227defa62308cee96e5db1c526739a2caf4b50e784f60d131e49b078ba94cd1c0656f44d08efd02ec53
Malware Config
Extracted
- Family: metasploit
- Payload: windows/download_exec
- URL: http://157.230.184.142:443/ST/TWGRYKf0/d/du92w/RUk/Z2l.htm
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Program crash (1 IoC)
  Processes:
  | pid  | pid_target | process      | target process |
  |------|------------|--------------|----------------|
  | 1340 | 280        | WerFault.exe | powershell.exe |
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  | pid  | process        |
  |------|----------------|
  | 280  | powershell.exe |
  | 1340 | WerFault.exe   |
  | 1340 | WerFault.exe   |
  | 1340 | WerFault.exe   |
  | 1340 | WerFault.exe   |
  | 1340 | WerFault.exe   |
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  | description              | pid  | process        |
  |--------------------------|------|----------------|
  | Token: SeDebugPrivilege  | 280  | powershell.exe |
  | Token: SeDebugPrivilege  | 1340 | WerFault.exe   |
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  | description                        | pid  | process        | target process |
  |------------------------------------|------|----------------|----------------|
  | PID 280 wrote to memory of 1064    | 280  | powershell.exe | csc.exe        |
  | PID 280 wrote to memory of 1064    | 280  | powershell.exe | csc.exe        |
  | PID 280 wrote to memory of 1064    | 280  | powershell.exe | csc.exe        |
  | PID 1064 wrote to memory of 816    | 1064 | csc.exe        | cvtres.exe     |
  | PID 1064 wrote to memory of 816    | 1064 | csc.exe        | cvtres.exe     |
  | PID 1064 wrote to memory of 816    | 1064 | csc.exe        | cvtres.exe     |
  | PID 280 wrote to memory of 1340    | 280  | powershell.exe | WerFault.exe   |
  | PID 280 wrote to memory of 1340    | 280  | powershell.exe | WerFault.exe   |
  | PID 280 wrote to memory of 1340    | 280  | powershell.exe | WerFault.exe   |
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 1)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rkywclmr\rkywclmr.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA61F.tmp" "c:\Users\Admin\AppData\Local\Temp\rkywclmr\CSC7FBA6451522541D1BF3781DA8AE1EE44.TMP"
  - C:\Windows\system32\WerFault.exe (depth 2)
    Command line: C:\Windows\system32\WerFault.exe -u -p 280 -s 1348
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
| File | MD5 | SHA1 | SHA256 | SHA512 |
|------|-----|------|--------|--------|
| C:\Users\Admin\AppData\Local\Temp\RESA61F.tmp | 998ebf6ec27f8f67c98bfc7c62defe80 | e262d62817833a4aa8c808f05ce8e9fd871af969 | e6958208258f1386999340740a439587b5a3e0338f69945f6ecd9c6e6fc0bd45 | f4e65178dcba77ff09a735ab64c1a40e28512f107dc524953c5e94edcead7765e8ed1be548e60f132c369c56705be50a352d74602432e596318dea0a0613248a |
| C:\Users\Admin\AppData\Local\Temp\rkywclmr\rkywclmr.dll | e979512e03556b986018e1228289445e | 6633e49a49f3ebe404fa34dc53dadfbdb5e84f81 | 7a21d903c41d417f97dd904f668fa654d316bfda9916cf87415fe22541f2e7d9 | cf8173c1aefb2214ff94f076f25b841b74d404846f88e825128cb8feb127fdec6c9afff01ebd3121468d3a9ca6a07b394cbe14b06090a96829a443f18da2db92 |
| \??\c:\Users\Admin\AppData\Local\Temp\rkywclmr\CSC7FBA6451522541D1BF3781DA8AE1EE44.TMP | 556d200922dd6281f6bea33259466415 | 7652682b7b653db27501dbb873986dc23cd4bdf1 | 7f87d2cbe4a06a5fe41789fd2584d0f875c32644ba95d6c745e5f5b977314ed8 | e646b68e3a4a90f35ae617bb242a11365dbe9e6d685f7da1d2217ea20e6da890c1240d0849fe049c0a7fbccea3557bb57bb504e8f113d29cd22565093898fd04 |
| \??\c:\Users\Admin\AppData\Local\Temp\rkywclmr\rkywclmr.0.cs | a389a7ef15e3b09cfb3690bc909266d5 | 2bd8c9a9a96fffff27f81306a8bc91e4fca7fa15 | ebf32f279e139576b159cafcf9cc217ca43b9e342d882471c8da84a243206ac9 | 9797b728fec11e2e359051cbc0049e3abfbd8396a819dbeed0b2d8bd083b1a5bf45c04243fb44e4a8c99388177e46161fb5d449028d16d504dfd35888cff591c |
| \??\c:\Users\Admin\AppData\Local\Temp\rkywclmr\rkywclmr.cmdline | aa2c6ffa49f9c4d28dc3d10d22b2d6bf | c6dc70de55c5041a89712ebb11ff211c0f9e2959 | d018d8179160d5889c82639ef39117a5d6847de9ac84ce4a7e2f33df95e90908 | 65ef014958ecac64a0d7db50ad251cb17a3fe8b84665bcfc0dc8fa2abb2d1cd7820bc79b9ca42b673345fb7f4c3b7fb5bb420a2a07d7eac438349b7f16091ce1 |