Analysis

max time kernel: 119s
max time network: 126s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20-05-2022 03:18
Static task: static1

Behavioral task: behavioral1
Sample: a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Resource: win10v2004-20220414-en
General

Target: a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Size: 313KB
MD5: ab99d86641bc4e215cd5c5cb7901f296
SHA1: 60ae30ec44ee3eb2d057717ccaf7ad2b0b5cdb81
SHA256: a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2
SHA512: 23a129543a547cc147b20d55e8bd8657cc6e400bb048825220e033ed9e7e0552c6981eb4a8cfb309b78cf8ae72e3f164fc355a9c4acace4ded291c1dfcd95c7a
Malware Config
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Unexpected DNS network traffic destination (1 IoC)
Network traffic to other servers than the configured DNS servers was detected on the DNS port (53).
Processes:
description | ioc
Destination IP | 173.0.54.10
Modifies registry class (18 IoCs)
Processes: a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe (all 18 entries below)

description | ioc
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\print\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A1BC48~1.EXE /p \"%1\""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\ = "Serial Document"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A1BC48~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.srz\ = "SerializeExp.Document"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.srz\ShellNew
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.srz\ShellNew\NullFile
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\DefaultIcon
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\print
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\printto\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\printto
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\open
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A1BC48~1.EXE \"%1\""
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.srz
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A1BC48~1.EXE,1"
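The registry writes above register a new file extension (.srz) bound to the ProgID SerializeExp.Document, and point that ProgID's open, print and printto handlers and its DefaultIcon at the sample's own copy in the user's Temp directory. The script below is an added example, not part of the sandbox report or of any Triage tooling: it re-parses value-write events in the report's own "Set value (str) <key> = "<data>"" rendering, resolves which extensions each ProgID serves, and flags every handler whose executable lives in a user-writable location. The event list is constructed from the table (plus one benign notepad handler for contrast), and the list of user-writable directories is an assumed heuristic.

```python
"""Flag file-association handlers that point into user-writable directories.

Added example; the event format mirrors the sandbox report's rendering of
registry value writes, and the directory list is an assumed heuristic.
"""
import re
from dataclasses import dataclass, field

# Constructed from the report's "Modifies registry class" table; the last
# entry is a made-up benign handler so the check has something to pass.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A1BC48~1.EXE /p \"%1\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\ = "Serial Document"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A1BC48~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.srz\ = "SerializeExp.Document"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A1BC48~1.EXE \"%1\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A1BC48~1.EXE,1"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\System32\\notepad.exe %1"',
]

# "Set value (str) <key> = "<data>"", where <data> is shown with backslashes
# and quotes escaped. A key ending in "\" denotes the (Default) value.
EVENT_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)"$')
CLASSES_PREFIX = "\\registry\\machine\\software\\classes\\"
# <ProgID>\shell\<verb>\command\  or  <ProgID>\DefaultIcon\
HANDLER_RE = re.compile(r'^([^\\]+)\\(?:shell\\([^\\]+)\\command|(DefaultIcon))\\$', re.IGNORECASE)
# Assumed heuristic: locations an unprivileged user can write to.
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)


@dataclass
class ValueWrite:
    key: str
    value_type: str
    data: str


@dataclass
class Finding:
    progid: str
    verb: str          # shell verb, or "DefaultIcon"
    executable: str
    command: str
    extensions: list = field(default_factory=list)


def parse_event(line):
    """Parse one report line into a ValueWrite, undoing the \\ and \" escaping."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    vtype, key, raw = m.groups()
    return ValueWrite(key, vtype, re.sub(r'\\(.)', r'\1', raw))


def executable_of(command):
    """Return the program part of a shell command: quoted token, or bare path up to .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.+?\.exe)(?=\s|,|$)', command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def in_user_writable_dir(path):
    p = path.lower()
    return any(d in p for d in USER_WRITABLE_DIRS) or p.startswith(("%temp%", "%appdata%"))


def analyze(lines):
    """Return handlers under HKLM\\SOFTWARE\\Classes whose executable sits in a writable dir."""
    ext_to_progid = {}
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not ev.key.lower().startswith(CLASSES_PREFIX):
            continue
        rel = ev.key[len(CLASSES_PREFIX):]
        ext = re.fullmatch(r'(\.[^\\]+)\\', rel)   # ".srz\" = "SerializeExp.Document"
        if ext:
            ext_to_progid[ext.group(1).lower()] = ev.data
            continue
        h = HANDLER_RE.match(rel)
        if not h:
            continue
        progid, verb, icon = h.groups()
        exe = executable_of(ev.data)
        if in_user_writable_dir(exe):
            findings.append(Finding(progid, verb or icon, exe, ev.data))
    for f in findings:   # attach every extension bound to the flagged ProgID
        f.extensions = sorted(e for e, p in ext_to_progid.items() if p.lower() == f.progid.lower())
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{','.join(f.extensions) or '-'} {f.progid} [{f.verb}] -> {f.executable}")
```

Short 8.3 names such as A1BC48~1.EXE still contain the directory path, so the substring match works without expanding them; on a live host the same logic applies to the values under HKLM:\SOFTWARE\Classes and HKCU:\SOFTWARE\Classes.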
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe

pid | process
1988 | a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
1988 | a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe