Analysis
- max time kernel: 41s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 04-06-2022 03:33
Static task: static1
Behavioral task: behavioral1
  Sample: 117e78ac2b086f84ddb1f923d7099270d733938f49b0d600cc1d7a8d4b56e7ad.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 117e78ac2b086f84ddb1f923d7099270d733938f49b0d600cc1d7a8d4b56e7ad.exe
  Resource: win10v2004-20220414-en
General
- Target: 117e78ac2b086f84ddb1f923d7099270d733938f49b0d600cc1d7a8d4b56e7ad.exe
- Size: 200KB
- MD5: 8f3dacfa466cb6d04c3aa57c1e080568
- SHA1: e92b4b6cdf20a8b6e94fbe323ef291ab404891b9
- SHA256: 117e78ac2b086f84ddb1f923d7099270d733938f49b0d600cc1d7a8d4b56e7ad
- SHA512: 93ac418a733527090e8df76078dfe62901774535d903c5e5b799139108d7b0ff75c9776106674fbc81ed46912b0dc1e52e3a4f294018ff10251eaf9ff76cd410
Malware Config
- Extracted: metasploit
  Encoder: encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 700 set thread context of 1488
    pid: 700
    process: 117e78ac2b086f84ddb1f923d7099270d733938f49b0d600cc1d7a8d4b56e7ad.exe
    target process: 117e78ac2b086f84ddb1f923d7099270d733938f49b0d600cc1d7a8d4b56e7ad.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid: 700
    process: 117e78ac2b086f84ddb1f923d7099270d733938f49b0d600cc1d7a8d4b56e7ad.exe
- Suspicious use of WriteProcessMemory (10 IoCs; the same entry is recorded 10 times)
  Processes:
    description: PID 700 wrote to memory of 1488
    pid: 700
    process: 117e78ac2b086f84ddb1f923d7099270d733938f49b0d600cc1d7a8d4b56e7ad.exe
    target process: 117e78ac2b086f84ddb1f923d7099270d733938f49b0d600cc1d7a8d4b56e7ad.exe
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\117e78ac2b086f84ddb1f923d7099270d733938f49b0d600cc1d7a8d4b56e7ad.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\117e78ac2b086f84ddb1f923d7099270d733938f49b0d600cc1d7a8d4b56e7ad.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - (2) C:\Users\Admin\AppData\Local\Temp\117e78ac2b086f84ddb1f923d7099270d733938f49b0d600cc1d7a8d4b56e7ad.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\117e78ac2b086f84ddb1f923d7099270d733938f49b0d600cc1d7a8d4b56e7ad.exe"