Analysis
- max time kernel: 64s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 04-05-2021 00:58

Static task: static1

Behavioral task: behavioral1
- Sample: 3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5.ps1
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: 3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5.ps1
- Resource: win10v20210408

General
- Target: 3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5.ps1
- Size: 814KB
- MD5: c925822c6d5175c30ba96388b07e9e16
- SHA1: dd10c4c9a71b5850c23fde513525cac86943523e
- SHA256: 3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5
- SHA512: 754f9cd80df7f78bbc1ea1bf0b4bfddcff815702649c8227defa62308cee96e5db1c526739a2caf4b50e784f60d131e49b078ba94cd1c0656f44d08efd02ec53

Malware Config
Extracted
- Family: metasploit
- Payload: windows/download_exec
- URL: http://157.230.184.142:443/ST/TWGRYKf0/d/du92w/RUk/Z2l.htm
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Program crash (1 IoC)
  Processes:
    pid 2792 WerFault.exe -> target pid 784 powershell.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes:
    pid 784 powershell.exe (3 events)
    pid 2792 WerFault.exe (15 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 784 powershell.exe
    Token: SeDebugPrivilege, pid 2792 WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 784 powershell.exe wrote to memory of 4056 csc.exe (2 events)
    PID 4056 csc.exe wrote to memory of 2736 cvtres.exe (2 events)
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 1)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db5.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0znjyact\0znjyact.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DF9.tmp" "c:\Users\Admin\AppData\Local\Temp\0znjyact\CSC77484ED132DE4165A48CA949FFECCC51.TMP"
  - C:\Windows\system32\WerFault.exe (depth 2)
    Command line: C:\Windows\system32\WerFault.exe -u -p 784 -s 1960
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\0znjyact\0znjyact.dll
- C:\Users\Admin\AppData\Local\Temp\RES3DF9.tmp
- \??\c:\Users\Admin\AppData\Local\Temp\0znjyact\0znjyact.0.cs
- \??\c:\Users\Admin\AppData\Local\Temp\0znjyact\0znjyact.cmdline
- \??\c:\Users\Admin\AppData\Local\Temp\0znjyact\CSC77484ED132DE4165A48CA949FFECCC51.TMP