Analysis
- max time kernel: 135s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 01:04
Static task: static1
Behavioral task: behavioral1
  Sample: 34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe
  Resource: win10-en-20211208
General
- Target: 34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe
- Size: 120KB
- MD5: 0d0320878946a73749111e6c94bf1525
- SHA1: 1e9b5c685640df11659aea7748d9bf3df70aadcf
- SHA256: 34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa
- SHA512: fc695dd905213d7b623d33d2fa9302399897970f3b8705182fa50e771dad13dac5d5d302a508cdc4f3fdb37122999f2d492188667b92050fe49a29abff53a8b1
Malware Config
Extracted
metasploit
encoder/shikata_ga_nai
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (3 IoCs)
  Processes:
  pid   process
  1248  thinprobe.exe
  432   thinprobe.exe
  1904  thinprobe.exe
- Deletes itself (1 IoC)
  Processes:
  pid   process
  1248  thinprobe.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid   process
  1612  34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe
  1248  thinprobe.exe
- Drops file in Windows directory (1 IoC)
  Processes:
  description                   ioc                             process
  File opened for modification  C:\Windows\pcawhere\config.ini  thinprobe.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
  pid   process
  1104  svchost.exe
  1104  svchost.exe
  1104  svchost.exe
  1104  svchost.exe
  1104  svchost.exe
  1104  svchost.exe
  1104  svchost.exe
  1104  svchost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   1248  thinprobe.exe
  Token: SeDebugPrivilege   1904  thinprobe.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description                        pid   process                                                                  target process
  PID 1612 wrote to memory of 1248   1612  34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe  thinprobe.exe
  PID 1612 wrote to memory of 1248   1612  34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe  thinprobe.exe
  PID 1612 wrote to memory of 1248   1612  34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe  thinprobe.exe
  PID 1612 wrote to memory of 1248   1612  34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe  thinprobe.exe
  PID 1248 wrote to memory of 432    1248  thinprobe.exe                                                            thinprobe.exe
  PID 1248 wrote to memory of 432    1248  thinprobe.exe                                                            thinprobe.exe
  PID 1248 wrote to memory of 432    1248  thinprobe.exe                                                            thinprobe.exe
  PID 1248 wrote to memory of 432    1248  thinprobe.exe                                                            thinprobe.exe
  PID 1904 wrote to memory of 1104   1904  thinprobe.exe                                                            svchost.exe
  PID 1904 wrote to memory of 1104   1904  thinprobe.exe                                                            svchost.exe
  PID 1904 wrote to memory of 1104   1904  thinprobe.exe                                                            svchost.exe
  PID 1904 wrote to memory of 1104   1904  thinprobe.exe                                                            svchost.exe
  PID 1904 wrote to memory of 1104   1904  thinprobe.exe                                                            svchost.exe
  PID 1904 wrote to memory of 1104   1904  thinprobe.exe                                                            svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7z5A6B564C\thinprobe.exe (level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\7z5A6B564C\thinprobe.exe
    - Executes dropped EXE
    - Deletes itself
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\pcawhere\thinprobe.exe (level 3)
      command line: "C:\Windows\pcawhere\thinprobe.exe"
      - Executes dropped EXE
- C:\Windows\pcawhere\thinprobe.exe (level 1)
  command line: C:\Windows\pcawhere\thinprobe.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (level 2)
    command line: -daemon
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\7z5A6B564C\ThinHostProbedll.dll
  MD5 bfb71e0efe5d9208aa9cbdfd4a85a52d
  SHA1 ea487fbad911df1f51aa9332336847e2d5dd68bf
  SHA256 c195afb7048664ea2a68fa11b5ebeca502ee5454b2364216d0002a3bfda7057d
  SHA512 de7490b47939de9e634bea75400c0d820e4e62ee083020e18a48b66fff8ad307926778424fe315ca616878361babe6e6642272ce1eb9036b661c37cd5960bdf6
- C:\Users\Admin\AppData\Local\Temp\7z5A6B564C\thinprobe.exe
  MD5 65e6e6fffa769830d76ac4fae2433121
  SHA1 ced1d78304c4b4dfeb357739859587744e7530da
  SHA256 76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af
  SHA512 8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a
- C:\Users\Admin\AppData\Local\Temp\7z5A6B564C\thumb.db
  MD5 fe185cb4315658e561fd789181dfd1f3
  SHA1 dc6468dd9ab1c73210990c55cca82111ed21e00d
  SHA256 eb9f6f3fb6b70d1f49c1c92442a0f96e7583e757b035cb4343767cf9382eb354
  SHA512 88347235e77553c976d5d45278d8d51d15815523fc57be73d21b6676ea9f296d16d6c96b6f81f1e3900c373717c589fa3c510ef8f6e33df72ea32ef036687382
- C:\Windows\pcawhere\config.ini
  MD5 bd11bd032f4f32cf7324e0a302e19c54
  SHA1 e5953cf07b5656c486207bc3d5a1b69fea6037e0
  SHA256 eb3c995504c075b43239788b40aec8e0efab5ecc60b0c567ccc426d3c9fea6c8
  SHA512 bb7758930b050dd46273a5180351b9c91a1480e095ac0d849733d776b4e3aa5211032f85d803b6ee4633668102c390a062e6855c1e9a39f4b5e90a6b9f9aaa51
- C:\Windows\pcawhere\thinprobe.exe
  MD5 65e6e6fffa769830d76ac4fae2433121
  SHA1 ced1d78304c4b4dfeb357739859587744e7530da
  SHA256 76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af
  SHA512 8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a
- \Users\Admin\AppData\Local\Temp\7z5A6B564C\thinhostprobedll.dll
  MD5 bfb71e0efe5d9208aa9cbdfd4a85a52d
  SHA1 ea487fbad911df1f51aa9332336847e2d5dd68bf
  SHA256 c195afb7048664ea2a68fa11b5ebeca502ee5454b2364216d0002a3bfda7057d
  SHA512 de7490b47939de9e634bea75400c0d820e4e62ee083020e18a48b66fff8ad307926778424fe315ca616878361babe6e6642272ce1eb9036b661c37cd5960bdf6
- \Users\Admin\AppData\Local\Temp\7z5A6B564C\thinprobe.exe
  MD5 65e6e6fffa769830d76ac4fae2433121
  SHA1 ced1d78304c4b4dfeb357739859587744e7530da
  SHA256 76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af
  SHA512 8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a
- memory/432-70-0x0000000010000000-0x0000000010017000-memory.dmp
  Filesize 92KB
- memory/432-85-0x0000000075280000-0x000000007528D000-memory.dmp
  Filesize 52KB
- memory/1104-79-0x0000000000080000-0x000000000008D000-memory.dmp
  Filesize 52KB
- memory/1104-86-0x0000000000080000-0x000000000008D000-memory.dmp
  Filesize 52KB
- memory/1248-62-0x0000000010000000-0x0000000010017000-memory.dmp
  Filesize 92KB
- memory/1248-67-0x0000000075280000-0x000000007528D000-memory.dmp
  Filesize 52KB
- memory/1248-68-0x00000000003D0000-0x00000000003DD000-memory.dmp
  Filesize 52KB
- memory/1612-55-0x00000000763F1000-0x00000000763F3000-memory.dmp
  Filesize 8KB
- memory/1904-84-0x0000000075280000-0x000000007528D000-memory.dmp
  Filesize 52KB