Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-06-2022 04:36

General

  • Target

    1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe

  • Size

    60KB

  • MD5

    42893adbc36605ec79b5bd610759947e

  • SHA1

    b4e581f173f782a2f1da5d29c95946ee500eb2d0

  • SHA256

    1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b

  • SHA512

    725ff9ba2ce45438983ca5d3596119cb59a9bfe9e661cb9cd8daf42185c4166de34951ac92560d4e129ba9bccb7db0114b15844c660e49fd902001265eb51702

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe
    "C:\Users\Admin\AppData\Local\Temp\1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Users\Admin\AppData\Roaming\NvSmart.exe
      "C:\Users\Admin\AppData\Roaming\NvSmart.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A
        3⤵
          PID:1020
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe"
        2⤵
          PID:1212

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      • Persistence: Registry Run Keys / Startup Folder (1) T1060
      • Defense Evasion: Modify Registry (1) T1112
      • Discovery: Query Registry (1) T1012
      • Discovery: System Information Discovery (2) T1082

      Downloads

      • C:\Users\Admin\AppData\Roaming\NvSmart.exe
        Filesize

        46KB

        MD5

        09b8b54f78a10c435cd319070aa13c28

        SHA1

        6474d0369f97e72e01e4971128d1062f5c2b3656

        SHA256

        523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

        SHA512

        c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

      • C:\Users\Admin\AppData\Roaming\NvSmartMax.dll
        Filesize

        4KB

        MD5

        2d8fb1f82724cf542cd2e3a5e041fb52

        SHA1

        4e14894860034fefbab41cfe9a763d8061d19ef9

        SHA256

        ece29e4af4b33c02dafac24748a9c125b057e39455acf3c45464db36bfe74881

        SHA512

        6694a6719bd726c8302240e13e9f75bd6dd9611eec61b2a509392802d36470c09969b9dc11ef13612eff283f06d36b2586a46a7b4d84a6a8e4dd2f3825fd7aa4

      • C:\Users\Admin\AppData\Roaming\NvSmartMax.dll.url
        Filesize

        9KB

        MD5

        7aefbad9367ab56db1f6f20dcfcd38a0

        SHA1

        a639e0fe6800012c7ff1256e2875771342194b96

        SHA256

        d8a59fd0ab8e06439c4eb98c39b24cdcfbb3c93ab4cc57d366cf527f6d88c973

        SHA512

        5a79c5e3b23df51ba4f8054990c690b6641d28bfade41323cc29bf6f2c2cb98b48190dfb2843e513b293ac77f350815da111a535412f3a44cab376294b096b13

      • memory/1020-140-0x0000000000000000-mapping.dmp
      • memory/1212-136-0x0000000000000000-mapping.dmp
      • memory/2760-130-0x0000000000000000-mapping.dmp
      • memory/2760-137-0x0000000010000000-0x0000000010006000-memory.dmp
        Filesize

        24KB

      • memory/2760-141-0x0000000000510000-0x0000000000513000-memory.dmp
        Filesize

        12KB