Analysis
- max time kernel: 176s
- max time network: 195s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 28-05-2022 04:32
Static task: static1
Behavioral task: behavioral1
- Sample: 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe
- Resource: win10v2004-20220414-en
General
- Target: 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe
- Size: 1.7MB
- MD5: e248655f3697df3fdce96ad5e2af3520
- SHA1: 193dcd419cb4ac481f29525c854ba8729d87426d
- SHA256: 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea
- SHA512: dcbec146716196a86168407bbb9b3258daea0d71e517dbb99891f6a47f1af8dc74d1e674c038109f26ffeba576572b2a5cd6dd822dd5e5ac24f19f08705e6ed7
Malware Config
Extracted
- Family: metasploit
- Payload: windows/reverse_tcp
- Connect-back address (LHOST:LPORT): 45.76.96.233:80
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- YARA rule matches
  resource | yara_rule
  behavioral2/memory/2688-130-0x0000000000400000-0x0000000000811000-memory.dmp | upx
  behavioral2/memory/2688-134-0x0000000000400000-0x0000000000811000-memory.dmp | upx
- Drops file in System32 directory (4 IoCs)
  Processes: 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe
  File created | C:\Windows\SysWOW64\GroupPolicy\Machine\Scripts\scripts.ini | 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe
  File created | C:\Windows\SysWOW64\GroupPolicy\Machine\Scripts\Startup\update.exe | 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe
  File created | C:\Windows\SysWOW64\update.exe | 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe
- Drops file in Windows directory (1 IoC)
  Processes: 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe
  description | ioc | process
  File created | C:\Windows\WBEM\msupdate.mof | 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: mofcomp.exe, whoami.exe
  description | pid | process
  Token: SeSecurityPrivilege | 4488 | mofcomp.exe
  Token: SeDebugPrivilege | 2568 | whoami.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 2688 wrote to memory of 4504 | 2688 | 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe | cmd.exe
  PID 2688 wrote to memory of 4504 | 2688 | 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe | cmd.exe
  PID 2688 wrote to memory of 4504 | 2688 | 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe | cmd.exe
  PID 4504 wrote to memory of 4488 | 4504 | cmd.exe | mofcomp.exe
  PID 4504 wrote to memory of 4488 | 4504 | cmd.exe | mofcomp.exe
  PID 4504 wrote to memory of 4488 | 4504 | cmd.exe | mofcomp.exe
  PID 2688 wrote to memory of 1800 | 2688 | 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe | cmd.exe
  PID 2688 wrote to memory of 1800 | 2688 | 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe | cmd.exe
  PID 2688 wrote to memory of 1800 | 2688 | 0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe | cmd.exe
  PID 1800 wrote to memory of 2568 | 1800 | cmd.exe | whoami.exe
  PID 1800 wrote to memory of 2568 | 1800 | cmd.exe | whoami.exe
  PID 1800 wrote to memory of 2568 | 1800 | cmd.exe | whoami.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0271d754dcca50dbd6fc635b3bc62cff481e413e7f7e3b2d65d8adfe9ba331ea.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "mofcomp C:\Windows\WBEM\msupdate.mof"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\mofcomp.exe
      Command line: mofcomp C:\Windows\WBEM\msupdate.mof
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c whoami
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\whoami.exe
      Command line: whoami
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Downloads
- C:\Windows\WBEM\msupdate.mof
  Filesize: 660B
  MD5: b70ae3f71fade0488b8b0f3779179dcb
  SHA1: bf54be0517821042c9137925e411f5522be7f7f9
  SHA256: 459304c4f49ea4b4bc798bb9cc9b1722fa1ffe47ac887e8d2666fddfcdb6030c
  SHA512: f851d870e0d9d8639ca76e4eac3638f9bd1050186c1708583751eaefcaa6777e5eae8163b5c7fb2eb46944e365bdfc1e0abfbc9ab98858131b126e1488900ad6
- memory/1800-135-0x0000000000000000-mapping.dmp
- memory/2568-136-0x0000000000000000-mapping.dmp
- memory/2688-130-0x0000000000400000-0x0000000000811000-memory.dmp
  Filesize: 4.1MB
- memory/2688-134-0x0000000000400000-0x0000000000811000-memory.dmp
  Filesize: 4.1MB
- memory/4488-132-0x0000000000000000-mapping.dmp
- memory/4504-131-0x0000000000000000-mapping.dmp