Analysis
- max time kernel: 153s
- max time network: 134s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 01:12
Static task: static1
Behavioral task: behavioral1
  Sample: 0a7a752149d1c68462bf83499608cbb8e08ff88fc8031a092f1ceeb836e007b7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a7a752149d1c68462bf83499608cbb8e08ff88fc8031a092f1ceeb836e007b7.exe
  Resource: win10-en-20211208
General
- Target: 0a7a752149d1c68462bf83499608cbb8e08ff88fc8031a092f1ceeb836e007b7.exe
- Size: 164KB
- MD5: 6175a802e7275e74c2b218ba64bb15d5
- SHA1: 5a5c1271bd57a93bcec90c6009745dcf063214b5
- SHA256: 0a7a752149d1c68462bf83499608cbb8e08ff88fc8031a092f1ceeb836e007b7
- SHA512: 93c120857fa5b78cb639fa4910d96c2468b5dd4dd7ae955ed0b6d3b91737cbf29939b5e1287c0467fbb34e58950f4c5205f3a708971d06fd8d5d888d9ed97f0f
Malware Config
Extracted:
- metasploit
- encoder/fnstenv_mov
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (10 IoCs)
  Processes: svshost.exe (10 instances)
    pid   process
    3692  svshost.exe
    396   svshost.exe
    2924  svshost.exe
    4076  svshost.exe
    2872  svshost.exe
    1136  svshost.exe
    704   svshost.exe
    1280  svshost.exe
    1128  svshost.exe
    2320  svshost.exe
- Drops file in System32 directory (22 IoCs)
  Processes: 0a7a752149d1c68462bf83499608cbb8e08ff88fc8031a092f1ceeb836e007b7.exe, svshost.exe (10 instances)
    description                   ioc                              process
    File created                  C:\Windows\SysWOW64\svshost.exe  0a7a752149d1c68462bf83499608cbb8e08ff88fc8031a092f1ceeb836e007b7.exe
    File opened for modification  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File created                  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File created                  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File opened for modification  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File created                  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File created                  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File created                  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File opened for modification  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File opened for modification  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File created                  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File opened for modification  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File opened for modification  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File opened for modification  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File opened for modification  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File created                  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File created                  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File opened for modification  C:\Windows\SysWOW64\svshost.exe  0a7a752149d1c68462bf83499608cbb8e08ff88fc8031a092f1ceeb836e007b7.exe
    File created                  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File opened for modification  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File opened for modification  C:\Windows\SysWOW64\svshost.exe  svshost.exe
    File created                  C:\Windows\SysWOW64\svshost.exe  svshost.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes: 0a7a752149d1c68462bf83499608cbb8e08ff88fc8031a092f1ceeb836e007b7.exe, svshost.exe (9 instances)
    description                       process -> target process
    PID 2680 wrote to memory of 3692  0a7a752149d1c68462bf83499608cbb8e08ff88fc8031a092f1ceeb836e007b7.exe -> svshost.exe
    PID 2680 wrote to memory of 3692  0a7a752149d1c68462bf83499608cbb8e08ff88fc8031a092f1ceeb836e007b7.exe -> svshost.exe
    PID 2680 wrote to memory of 3692  0a7a752149d1c68462bf83499608cbb8e08ff88fc8031a092f1ceeb836e007b7.exe -> svshost.exe
    PID 3692 wrote to memory of 396   svshost.exe -> svshost.exe
    PID 3692 wrote to memory of 396   svshost.exe -> svshost.exe
    PID 3692 wrote to memory of 396   svshost.exe -> svshost.exe
    PID 396 wrote to memory of 2924   svshost.exe -> svshost.exe
    PID 396 wrote to memory of 2924   svshost.exe -> svshost.exe
    PID 396 wrote to memory of 2924   svshost.exe -> svshost.exe
    PID 2924 wrote to memory of 4076  svshost.exe -> svshost.exe
    PID 2924 wrote to memory of 4076  svshost.exe -> svshost.exe
    PID 2924 wrote to memory of 4076  svshost.exe -> svshost.exe
    PID 4076 wrote to memory of 2872  svshost.exe -> svshost.exe
    PID 4076 wrote to memory of 2872  svshost.exe -> svshost.exe
    PID 4076 wrote to memory of 2872  svshost.exe -> svshost.exe
    PID 2872 wrote to memory of 1136  svshost.exe -> svshost.exe
    PID 2872 wrote to memory of 1136  svshost.exe -> svshost.exe
    PID 2872 wrote to memory of 1136  svshost.exe -> svshost.exe
    PID 1136 wrote to memory of 704   svshost.exe -> svshost.exe
    PID 1136 wrote to memory of 704   svshost.exe -> svshost.exe
    PID 1136 wrote to memory of 704   svshost.exe -> svshost.exe
    PID 704 wrote to memory of 1280   svshost.exe -> svshost.exe
    PID 704 wrote to memory of 1280   svshost.exe -> svshost.exe
    PID 704 wrote to memory of 1280   svshost.exe -> svshost.exe
    PID 1280 wrote to memory of 1128  svshost.exe -> svshost.exe
    PID 1280 wrote to memory of 1128  svshost.exe -> svshost.exe
    PID 1280 wrote to memory of 1128  svshost.exe -> svshost.exe
    PID 1128 wrote to memory of 2320  svshost.exe -> svshost.exe
    PID 1128 wrote to memory of 2320  svshost.exe -> svshost.exe
    PID 1128 wrote to memory of 2320  svshost.exe -> svshost.exe
Processes (tree depth as numbered in the report; PIDs are those recorded in the WriteProcessMemory signature)
1. C:\Users\Admin\AppData\Local\Temp\0a7a752149d1c68462bf83499608cbb8e08ff88fc8031a092f1ceeb836e007b7.exe (PID 2680)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0a7a752149d1c68462bf83499608cbb8e08ff88fc8031a092f1ceeb836e007b7.exe"
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\svshost.exe (PID 3692)
     Command line: C:\Windows\system32\svshost.exe 888 "C:\Users\Admin\AppData\Local\Temp\0a7a752149d1c68462bf83499608cbb8e08ff88fc8031a092f1ceeb836e007b7.exe"
     - Executes dropped EXE
     - Drops file in System32 directory
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\svshost.exe (PID 396)
       Command line: C:\Windows\system32\svshost.exe 904 "C:\Windows\SysWOW64\svshost.exe"
       - Executes dropped EXE
       - Drops file in System32 directory
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\svshost.exe (PID 2924)
         Command line: C:\Windows\system32\svshost.exe 864 "C:\Windows\SysWOW64\svshost.exe"
         - Executes dropped EXE
         - Drops file in System32 directory
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\svshost.exe (PID 4076)
           Command line: C:\Windows\system32\svshost.exe 868 "C:\Windows\SysWOW64\svshost.exe"
           - Executes dropped EXE
           - Drops file in System32 directory
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\svshost.exe (PID 2872)
             Command line: C:\Windows\system32\svshost.exe 872 "C:\Windows\SysWOW64\svshost.exe"
             - Executes dropped EXE
             - Drops file in System32 directory
             - Suspicious use of WriteProcessMemory
            7. C:\Windows\SysWOW64\svshost.exe (PID 1136)
               Command line: C:\Windows\system32\svshost.exe 876 "C:\Windows\SysWOW64\svshost.exe"
               - Executes dropped EXE
               - Drops file in System32 directory
               - Suspicious use of WriteProcessMemory
              8. C:\Windows\SysWOW64\svshost.exe (PID 704)
                 Command line: C:\Windows\system32\svshost.exe 880 "C:\Windows\SysWOW64\svshost.exe"
                 - Executes dropped EXE
                 - Drops file in System32 directory
                 - Suspicious use of WriteProcessMemory
                9. C:\Windows\SysWOW64\svshost.exe (PID 1280)
                   Command line: C:\Windows\system32\svshost.exe 884 "C:\Windows\SysWOW64\svshost.exe"
                   - Executes dropped EXE
                   - Drops file in System32 directory
                   - Suspicious use of WriteProcessMemory
                  10. C:\Windows\SysWOW64\svshost.exe (PID 1128)
                      Command line: C:\Windows\system32\svshost.exe 892 "C:\Windows\SysWOW64\svshost.exe"
                      - Executes dropped EXE
                      - Drops file in System32 directory
                      - Suspicious use of WriteProcessMemory
                    11. C:\Windows\SysWOW64\svshost.exe (PID 2320)
                        Command line: C:\Windows\system32\svshost.exe 896 "C:\Windows\SysWOW64\svshost.exe"
                        - Executes dropped EXE
                        - Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\SysWOW64\svshost.exe (listed 11 times in the report with identical hashes, one per dropping process; the hashes match the submitted sample)
  MD5: 6175a802e7275e74c2b218ba64bb15d5
  SHA1: 5a5c1271bd57a93bcec90c6009745dcf063214b5
  SHA256: 0a7a752149d1c68462bf83499608cbb8e08ff88fc8031a092f1ceeb836e007b7
  SHA512: 93c120857fa5b78cb639fa4910d96c2468b5dd4dd7ae955ed0b6d3b91737cbf29939b5e1287c0467fbb34e58950f4c5205f3a708971d06fd8d5d888d9ed97f0f