Analysis
-
max time kernel
71s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
11-06-2022 19:17
Static task
static1
Behavioral task
behavioral1
Sample
255efe4670bbd6239d372d2fe68057d4a4f5fdf7a147e0ae0a694777b18cbe22.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
255efe4670bbd6239d372d2fe68057d4a4f5fdf7a147e0ae0a694777b18cbe22.exe
Resource
win10v2004-20220414-en
General
-
Target
255efe4670bbd6239d372d2fe68057d4a4f5fdf7a147e0ae0a694777b18cbe22.exe
-
Size
43KB
-
MD5
e3fe697e069d3bcaca7c54add58a0325
-
SHA1
c45c937ae0dd3809742fe8cc618ea05fcf32a1c1
-
SHA256
255efe4670bbd6239d372d2fe68057d4a4f5fdf7a147e0ae0a694777b18cbe22
-
SHA512
5ccd44dd515351f2827fa513ebd3c97b7b879ef2682631dc163273ef1c2ddedd81085e33e04b56d73326a390cb44ada697cd90358782564c1e6998891f266289
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Processes:
resource yara_rule behavioral2/memory/2324-130-0x0000000000400000-0x000000000041E000-memory.dmp upx behavioral2/memory/2324-132-0x0000000000400000-0x000000000041E000-memory.dmp upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
255efe4670bbd6239d372d2fe68057d4a4f5fdf7a147e0ae0a694777b18cbe22.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation 255efe4670bbd6239d372d2fe68057d4a4f5fdf7a147e0ae0a694777b18cbe22.exe -
Drops file in System32 directory 2 IoCs
Processes:
255efe4670bbd6239d372d2fe68057d4a4f5fdf7a147e0ae0a694777b18cbe22.exedescription ioc process File created C:\Windows\SysWOW64\dllcache\svchost.exe 255efe4670bbd6239d372d2fe68057d4a4f5fdf7a147e0ae0a694777b18cbe22.exe File opened for modification C:\Windows\SysWOW64\dllcache\svchost.exe 255efe4670bbd6239d372d2fe68057d4a4f5fdf7a147e0ae0a694777b18cbe22.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
255efe4670bbd6239d372d2fe68057d4a4f5fdf7a147e0ae0a694777b18cbe22.exedescription pid process target process PID 2324 wrote to memory of 3136 2324 255efe4670bbd6239d372d2fe68057d4a4f5fdf7a147e0ae0a694777b18cbe22.exe cmd.exe PID 2324 wrote to memory of 3136 2324 255efe4670bbd6239d372d2fe68057d4a4f5fdf7a147e0ae0a694777b18cbe22.exe cmd.exe PID 2324 wrote to memory of 3136 2324 255efe4670bbd6239d372d2fe68057d4a4f5fdf7a147e0ae0a694777b18cbe22.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\255efe4670bbd6239d372d2fe68057d4a4f5fdf7a147e0ae0a694777b18cbe22.exe"C:\Users\Admin\AppData\Local\Temp\255efe4670bbd6239d372d2fe68057d4a4f5fdf7a147e0ae0a694777b18cbe22.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\255EFE~1.EXE >> NUL2⤵