Analysis
- max time kernel: 41s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-06-2022 15:41
Static task: static1
Behavioral task: behavioral1
  Sample: KmsRNyL4oQ.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: KmsRNyL4oQ.exe
  Resource: win10v2004-20220414-en
General
- Target: KmsRNyL4oQ.exe
- Size: 6.4MB
- MD5: d9170f66194db0d9f605edd0dc6c69ca
- SHA1: 063d5e6a67d18698baa3654a3e7771a3b1a03203
- SHA256: d819bda110e3afa9682e7f9b741571b3015c8818e340cf01132ca632717ab178
- SHA512: dd5622bd69f55e78ecd6c9d5e36c9972d6c773a3a3a7f8d6a958cf81869df776cc771a750dbdb98fd393ca3cf380ddd272c645c507fac5b3335e43908d5e5002
Malware Config
Extracted
- metasploit
- metasploit_stager
- 0.0.0.0:0
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  KmsRNyL4oQ.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   KmsRNyL4oQ.exe
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1148  1440        WerFault.exe  KmsRNyL4oQ.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1440  KmsRNyL4oQ.exe
    1440  KmsRNyL4oQ.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1440  KmsRNyL4oQ.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       pid   process         target process
    PID 1440 wrote to memory of 1148  1440  KmsRNyL4oQ.exe  WerFault.exe
    PID 1440 wrote to memory of 1148  1440  KmsRNyL4oQ.exe  WerFault.exe
    PID 1440 wrote to memory of 1148  1440  KmsRNyL4oQ.exe  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\KmsRNyL4oQ.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\KmsRNyL4oQ.exe"
  - Checks BIOS information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 1440 -s 508
    - Program crash