Analysis
-
max time kernel
173s -
max time network
189s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
27-01-2022 21:22
Static task
static1
Behavioral task
behavioral1
Sample
2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe
Resource
win10-en-20211208
General
-
Target
2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe
-
Size
120KB
-
MD5
22cbe2b0f1ef3f2b18b4c5aed6d7bb79
-
SHA1
9063797b6ebe0cb1c83cde2c15d9c69736d53c71
-
SHA256
2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233
-
SHA512
b96d33189d73f228936173293c68be3fa2545a4e36db0712d999a664bbc15c5b252b1ba1d9beb591f01c46188bdbce3845b09916ff61227e04c3c9c9c494c612
Malware Config
Extracted
metasploit
encoder/shikata_ga_nai
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Executes dropped EXE 3 IoCs
Processes:
thinprobe.exethinprobe.exethinprobe.exepid process 3784 thinprobe.exe 2844 thinprobe.exe 2700 thinprobe.exe -
Deletes itself 1 IoCs
Processes:
thinprobe.exepid process 3784 thinprobe.exe -
Loads dropped DLL 1 IoCs
Processes:
thinprobe.exepid process 3784 thinprobe.exe -
Drops file in Windows directory 1 IoCs
Processes:
thinprobe.exedescription ioc process File opened for modification C:\Windows\pcawhere\config.ini thinprobe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 1 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
svchost.exepid process 604 svchost.exe 604 svchost.exe 604 svchost.exe 604 svchost.exe 604 svchost.exe 604 svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
thinprobe.exethinprobe.exedescription pid process Token: SeDebugPrivilege 3784 thinprobe.exe Token: SeDebugPrivilege 2700 thinprobe.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exethinprobe.exethinprobe.exedescription pid process target process PID 2752 wrote to memory of 3784 2752 2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe thinprobe.exe PID 2752 wrote to memory of 3784 2752 2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe thinprobe.exe PID 2752 wrote to memory of 3784 2752 2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe thinprobe.exe PID 3784 wrote to memory of 2844 3784 thinprobe.exe thinprobe.exe PID 3784 wrote to memory of 2844 3784 thinprobe.exe thinprobe.exe PID 3784 wrote to memory of 2844 3784 thinprobe.exe thinprobe.exe PID 2700 wrote to memory of 604 2700 thinprobe.exe svchost.exe PID 2700 wrote to memory of 604 2700 thinprobe.exe svchost.exe PID 2700 wrote to memory of 604 2700 thinprobe.exe svchost.exe PID 2700 wrote to memory of 604 2700 thinprobe.exe svchost.exe PID 2700 wrote to memory of 604 2700 thinprobe.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe"C:\Users\Admin\AppData\Local\Temp\2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7z71FB2AC0\thinprobe.exeC:\Users\Admin\AppData\Local\Temp\7z71FB2AC0\thinprobe.exe2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\pcawhere\thinprobe.exe"C:\Windows\pcawhere\thinprobe.exe"3⤵
- Executes dropped EXE
-
C:\Windows\pcawhere\thinprobe.exeC:\Windows\pcawhere\thinprobe.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe-daemon2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7z71FB2AC0\ThinHostProbedll.dllMD5
bfb71e0efe5d9208aa9cbdfd4a85a52d
SHA1ea487fbad911df1f51aa9332336847e2d5dd68bf
SHA256c195afb7048664ea2a68fa11b5ebeca502ee5454b2364216d0002a3bfda7057d
SHA512de7490b47939de9e634bea75400c0d820e4e62ee083020e18a48b66fff8ad307926778424fe315ca616878361babe6e6642272ce1eb9036b661c37cd5960bdf6
-
C:\Users\Admin\AppData\Local\Temp\7z71FB2AC0\thinprobe.exeMD5
65e6e6fffa769830d76ac4fae2433121
SHA1ced1d78304c4b4dfeb357739859587744e7530da
SHA25676d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af
SHA5128303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a
-
C:\Users\Admin\AppData\Local\Temp\7z71FB2AC0\thinprobe.exeMD5
65e6e6fffa769830d76ac4fae2433121
SHA1ced1d78304c4b4dfeb357739859587744e7530da
SHA25676d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af
SHA5128303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a
-
C:\Users\Admin\AppData\Local\Temp\7z71FB2AC0\thumb.dbMD5
3de31dfdc8b414e2adc69ba0b98c15a4
SHA1e1a2fd0649a9cededc9254913b763ed0cbc4a1d8
SHA25616934d5efcc37b0d8e3cd65a8c4b60cd9a16dfd2ee15c2dfb18827b4735849e0
SHA5120e9cc74392f7a6e96ebd3ffbd858cd0dbf5d05bb81d0dbdee840cbc2905a3e3a80e2cde9c8d7e05ddd4bc4ab9745e83aeaed1b55ddba120bd4b9520939503a8c
-
C:\Windows\pcawhere\config.iniMD5
f4a0bb33a4f216f3acc0c3e39b92e6aa
SHA159f1b2c58da76d8dac264f559d72bc897fd01fc3
SHA256fa1aa0780c86d904d6ebeb6935fd5ddc250f16ed80b694d3d329fde86196bc2d
SHA5121e6955bb56903dcbaf85187542721600f28d6a34d1d5a0efef9f57470f276f89fc8a62d463d722beb767e87c8d9079015b32cf3dbd709edb0289e0767a9abf25
-
C:\Windows\pcawhere\thinprobe.exeMD5
65e6e6fffa769830d76ac4fae2433121
SHA1ced1d78304c4b4dfeb357739859587744e7530da
SHA25676d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af
SHA5128303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a
-
C:\Windows\pcawhere\thinprobe.exeMD5
65e6e6fffa769830d76ac4fae2433121
SHA1ced1d78304c4b4dfeb357739859587744e7530da
SHA25676d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af
SHA5128303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a
-
\Users\Admin\AppData\Local\Temp\7z71FB2AC0\thinhostprobedll.dllMD5
bfb71e0efe5d9208aa9cbdfd4a85a52d
SHA1ea487fbad911df1f51aa9332336847e2d5dd68bf
SHA256c195afb7048664ea2a68fa11b5ebeca502ee5454b2364216d0002a3bfda7057d
SHA512de7490b47939de9e634bea75400c0d820e4e62ee083020e18a48b66fff8ad307926778424fe315ca616878361babe6e6642272ce1eb9036b661c37cd5960bdf6
-
memory/604-139-0x00000000024A0000-0x00000000024AD000-memory.dmpFilesize
52KB
-
memory/2700-136-0x0000000074640000-0x000000007464D000-memory.dmpFilesize
52KB
-
memory/2700-137-0x00000000001E0000-0x00000000001ED000-memory.dmpFilesize
52KB
-
memory/2844-138-0x0000000074640000-0x000000007464D000-memory.dmpFilesize
52KB
-
memory/3784-124-0x0000000074640000-0x000000007464D000-memory.dmpFilesize
52KB
-
memory/3784-120-0x0000000010000000-0x0000000010017000-memory.dmpFilesize
92KB