General
-
Target
db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747
-
Size
185KB
-
Sample
220516-x33hvsdca6
-
MD5
15717cd327a723820d71900611545917
-
SHA1
99184ec149d329e98cd3e600cfaba22a2f9a0156
-
SHA256
db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747
-
SHA512
a0de435db809e3e79f89411017e244c76145e010c67f894d41e265804c832f5514ac2f31cc9a0c667afa77aaaf3eccecac148279ca5a0feba492b222d5481a49
Static task
static1
Behavioral task
behavioral1
Sample
db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Targets
-
-
Target
db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747
-
Size
185KB
-
MD5
15717cd327a723820d71900611545917
-
SHA1
99184ec149d329e98cd3e600cfaba22a2f9a0156
-
SHA256
db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747
-
SHA512
a0de435db809e3e79f89411017e244c76145e010c67f894d41e265804c832f5514ac2f31cc9a0c667afa77aaaf3eccecac148279ca5a0feba492b222d5481a49
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
suricata: ET MALWARE IRC Nick change on non-standard port
suricata: ET MALWARE IRC Nick change on non-standard port
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Modifies Installed Components in the registry
-
Modifies Windows Firewall
-
Deletes itself
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Winlogon Helper DLL
1Modify Existing Service
3Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
7Disabling Security Tools
2Virtualization/Sandbox Evasion
1