Analysis
-
max time kernel
145s -
max time network
57s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
04-06-2022 10:29
Static task
static1
Behavioral task
behavioral1
Sample
11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
Resource
win10v2004-20220414-en
General
-
Target
11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
-
Size
58KB
-
MD5
9329985551d50c0a858d50668f714774
-
SHA1
b0346c80e1343c9060ad52360fe57ada0860ea9f
-
SHA256
11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa
-
SHA512
30d06dd4badbe5c44829a8b64e772637d852e2d933781f6bf06705186d3e430b994e674746969b36b18e8fcba3bfed8705c3f7ce7cfff61219a0f169a068bf31
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies firewall policy service 2 TTPs 2 IoCs
Processes:
11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | 11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe:*:Enabled:Windows Live Messenging" | 11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
-
Executes dropped EXE 1 IoCs
Processes:
svhosts.exe
pid | process
1124 | svhosts.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | 11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenging = "svhosts.exe" | 11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
-
Drops file in Windows directory 2 IoCs
Processes:
11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
description | ioc | process
File created | C:\Windows\svhosts.exe | 11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
File opened for modification | C:\Windows\svhosts.exe | 11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
description | pid | process | target process
PID 2024 wrote to memory of 1064 | 2024 | 11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe | netsh.exe
PID 2024 wrote to memory of 1064 | 2024 | 11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe | netsh.exe
PID 2024 wrote to memory of 1064 | 2024 | 11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe | netsh.exe
PID 2024 wrote to memory of 1064 | 2024 | 11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe | netsh.exe
PID 2024 wrote to memory of 1124 | 2024 | 11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe | svhosts.exe
PID 2024 wrote to memory of 1124 | 2024 | 11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe | svhosts.exe
PID 2024 wrote to memory of 1124 | 2024 | 11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe | svhosts.exe
PID 2024 wrote to memory of 1124 | 2024 | 11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe | svhosts.exe
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
"C:\Users\Admin\AppData\Local\Temp\11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe"
- Modifies firewall policy service
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
2⤵ C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram svhost.exe 1 ENABLE
- Modifies Windows Firewall
-
2⤵ C:\Windows\svhosts.exe
"C:\Windows\svhosts.exe"
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\svhosts.exe
Filesize
58KB
MD5
9329985551d50c0a858d50668f714774
SHA1
b0346c80e1343c9060ad52360fe57ada0860ea9f
SHA256
11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa
SHA512
30d06dd4badbe5c44829a8b64e772637d852e2d933781f6bf06705186d3e430b994e674746969b36b18e8fcba3bfed8705c3f7ce7cfff61219a0f169a068bf31
-
memory/1064-55-0x0000000000000000-mapping.dmp
-
memory/1124-56-0x0000000000000000-mapping.dmp
-
memory/2024-54-0x0000000074DD1000-0x0000000074DD3000-memory.dmp
Filesize
8KB