Analysis
- Max time kernel: 147s
- Max time network: 150s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 27-01-2022 21:22
Static task: static1
Behavioral task: behavioral1
- Sample: 2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe
- Resource: win10-en-20211208
General
- Target: 2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe
- Size: 120KB
- MD5: 22cbe2b0f1ef3f2b18b4c5aed6d7bb79
- SHA1: 9063797b6ebe0cb1c83cde2c15d9c69736d53c71
- SHA256: 2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233
- SHA512: b96d33189d73f228936173293c68be3fa2545a4e36db0712d999a664bbc15c5b252b1ba1d9beb591f01c46188bdbce3845b09916ff61227e04c3c9c9c494c612
Malware Config
- Extracted: metasploit
- Encoder: encoder/shikata_ga_nai
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (3 IoCs)
  Processes: thinprobe.exe (PID 288); thinprobe.exe (PID 1060); thinprobe.exe (PID 1804)
- Deletes itself (1 IoC)
  Processes: thinprobe.exe (PID 288)
- Loads dropped DLL (2 IoCs)
  Processes: 2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe (PID 744); thinprobe.exe (PID 288)
- Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\pcawhere\config.ini by thinprobe.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: svchost.exe (PID 1196), 8 events
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege by thinprobe.exe (PID 288); Token: SeDebugPrivilege by thinprobe.exe (PID 1804)
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 744 (2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe) wrote to memory of PID 288 (thinprobe.exe), 4 events
  PID 288 (thinprobe.exe) wrote to memory of PID 1060 (thinprobe.exe), 4 events
  PID 1804 (thinprobe.exe) wrote to memory of PID 1196 (svchost.exe), 6 events
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\7z5CC532E8\thinprobe.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\7z5CC532E8\thinprobe.exe
    - Executes dropped EXE
    - Deletes itself
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\pcawhere\thinprobe.exe
      Command line: "C:\Windows\pcawhere\thinprobe.exe"
      - Executes dropped EXE
- Level 1: C:\Windows\pcawhere\thinprobe.exe
  Command line: C:\Windows\pcawhere\thinprobe.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\svchost.exe
    Command line: -daemon
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\7z5CC532E8\ThinHostProbedll.dll
  MD5: bfb71e0efe5d9208aa9cbdfd4a85a52d
  SHA1: ea487fbad911df1f51aa9332336847e2d5dd68bf
  SHA256: c195afb7048664ea2a68fa11b5ebeca502ee5454b2364216d0002a3bfda7057d
  SHA512: de7490b47939de9e634bea75400c0d820e4e62ee083020e18a48b66fff8ad307926778424fe315ca616878361babe6e6642272ce1eb9036b661c37cd5960bdf6
- C:\Users\Admin\AppData\Local\Temp\7z5CC532E8\thinprobe.exe
  MD5: 65e6e6fffa769830d76ac4fae2433121
  SHA1: ced1d78304c4b4dfeb357739859587744e7530da
  SHA256: 76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af
  SHA512: 8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a
- C:\Users\Admin\AppData\Local\Temp\7z5CC532E8\thumb.db
  MD5: 3de31dfdc8b414e2adc69ba0b98c15a4
  SHA1: e1a2fd0649a9cededc9254913b763ed0cbc4a1d8
  SHA256: 16934d5efcc37b0d8e3cd65a8c4b60cd9a16dfd2ee15c2dfb18827b4735849e0
  SHA512: 0e9cc74392f7a6e96ebd3ffbd858cd0dbf5d05bb81d0dbdee840cbc2905a3e3a80e2cde9c8d7e05ddd4bc4ab9745e83aeaed1b55ddba120bd4b9520939503a8c
- C:\Windows\pcawhere\config.ini
  MD5: 829764fab82c0a19b9eca6e2fa6547db
  SHA1: e074ace3328a4f151d79658c0045315f7867ceb5
  SHA256: 4641daae5ebc1d169df2c1e5fe7f63791f193edde009aefcf3b964f0732ca8b0
  SHA512: 67866e0cb9c49ae6a6aeb1ab6c39c82d1e1338163cedefcd91bf8b287524c6978b6df8856eb52a04ce294638a069d33e5f258a6360fe8745474abfcece43ce09
- C:\Windows\pcawhere\thinprobe.exe
  MD5: 65e6e6fffa769830d76ac4fae2433121
  SHA1: ced1d78304c4b4dfeb357739859587744e7530da
  SHA256: 76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af
  SHA512: 8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a
- \Users\Admin\AppData\Local\Temp\7z5CC532E8\thinhostprobedll.dll
  MD5: bfb71e0efe5d9208aa9cbdfd4a85a52d
  SHA1: ea487fbad911df1f51aa9332336847e2d5dd68bf
  SHA256: c195afb7048664ea2a68fa11b5ebeca502ee5454b2364216d0002a3bfda7057d
  SHA512: de7490b47939de9e634bea75400c0d820e4e62ee083020e18a48b66fff8ad307926778424fe315ca616878361babe6e6642272ce1eb9036b661c37cd5960bdf6
- \Users\Admin\AppData\Local\Temp\7z5CC532E8\thinprobe.exe
  MD5: 65e6e6fffa769830d76ac4fae2433121
  SHA1: ced1d78304c4b4dfeb357739859587744e7530da
  SHA256: 76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af
  SHA512: 8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a

Memory dumps
- memory/288-61-0x0000000010000000-0x0000000010017000-memory.dmp (92KB)
- memory/288-66-0x0000000074A20000-0x0000000074A2D000-memory.dmp (52KB)
- memory/288-67-0x0000000000230000-0x000000000023D000-memory.dmp (52KB)
- memory/744-54-0x0000000076041000-0x0000000076043000-memory.dmp (8KB)
- memory/1060-69-0x0000000010000000-0x0000000010017000-memory.dmp (92KB)
- memory/1060-84-0x0000000074A20000-0x0000000074A2D000-memory.dmp (52KB)
- memory/1196-78-0x00000000000C0000-0x00000000000CD000-memory.dmp (52KB)
- memory/1196-85-0x00000000000C0000-0x00000000000CD000-memory.dmp (52KB)
- memory/1804-83-0x0000000074A20000-0x0000000074A2D000-memory.dmp (52KB)