Analysis
-
max time kernel
44s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
12-05-2022 19:10
Static task
static1
Behavioral task
behavioral1
Sample
1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe
Resource
win10v2004-20220414-en
General
-
Target
1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe
-
Size
255KB
-
MD5
05dfc0a684be42b4dcd524f238744869
-
SHA1
16cd0520e989d386708b5c561f20b0867917d3d6
-
SHA256
1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47
-
SHA512
47f7fb910d4b3c8be5c922371bed2e18961d610b5a6504fe70cbb773cb5ed2e92e9a33f9b63b9fc8c306dc7fcee6880eacf355e6765eb4993967f857bd049617
Malware Config
Extracted
metasploit
windows/single_exec
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Executes dropped EXE 1 IoCs
Processes:
notepad.exepid process 1632 notepad.exe -
Loads dropped DLL 1 IoCs
Processes:
1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exepid process 900 1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
notepad.exedescription ioc process File opened for modification \??\PhysicalDrive0 notepad.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
notepad.exedescription pid process Token: SeShutdownPrivilege 1632 notepad.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exedescription pid process target process PID 900 wrote to memory of 1632 900 1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe notepad.exe PID 900 wrote to memory of 1632 900 1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe notepad.exe PID 900 wrote to memory of 1632 900 1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe notepad.exe PID 900 wrote to memory of 1632 900 1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe notepad.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe"C:\Users\Admin\AppData\Local\Temp\1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{8b9269b6-a890-46d8-92fe-38e3bdce9719}\notepad.exe"C:\Users\Admin\AppData\Roaming\{8b9269b6-a890-46d8-92fe-38e3bdce9719}\notepad.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\{8b9269b6-a890-46d8-92fe-38e3bdce9719}\notepad.exeFilesize
255KB
MD5d45c73ccb17930f86c8fad9697c94be0
SHA1f0dbf2f7e1067a36e2e4c4ea37099f41367126a0
SHA256acac68f386f03193e255da66230fed165e44878b9fccc34f2a3ffe3f70be0378
SHA5121753c693bafe4b3264804a2f8ab0d7fa88f46f7502234a33ed6de080bbed9fde36334d281e790e954b2bb260fbccccb1be15609d53733c7a8e5ea606fe6b8681
-
\Users\Admin\AppData\Roaming\{8b9269b6-a890-46d8-92fe-38e3bdce9719}\notepad.exeFilesize
255KB
MD5d45c73ccb17930f86c8fad9697c94be0
SHA1f0dbf2f7e1067a36e2e4c4ea37099f41367126a0
SHA256acac68f386f03193e255da66230fed165e44878b9fccc34f2a3ffe3f70be0378
SHA5121753c693bafe4b3264804a2f8ab0d7fa88f46f7502234a33ed6de080bbed9fde36334d281e790e954b2bb260fbccccb1be15609d53733c7a8e5ea606fe6b8681
-
memory/900-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmpFilesize
8KB
-
memory/900-58-0x0000000000230000-0x0000000000246000-memory.dmpFilesize
88KB
-
memory/900-60-0x0000000000250000-0x000000000026A000-memory.dmpFilesize
104KB
-
memory/1632-56-0x0000000000000000-mapping.dmp
-
memory/1632-61-0x0000000000260000-0x000000000027A000-memory.dmpFilesize
104KB