Analysis
- max time kernel: 50s
- max time network: 53s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-06-2022 07:56

Static task: static1

Behavioral task: behavioral1
  Sample: 4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe
  Resource: win10v2004-20220414-en
General
- Target: 4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe
- Size: 28KB
- MD5: b37dde09771f84691575faad7ecd3f89
- SHA1: 940bf33101e32ac140358dfa51071ffd1e96ca2a
- SHA256: 4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b
- SHA512: 952ce6dd9a61a5d993e6c9bacd400b70b223a41e774558db962fa661413a8819798899e75a3dffbb1fa7e0d6fcb23d79bb9b9c1c5163d3ea7c6a433dfbe7ac8f
Malware Config
Extracted
- Family: metasploit
- Payload: windows/download_exec
- URL: http://x4k.me:50443/static-directory/admin.gif
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1224-59-0x000000006C900000-0x000000006C925000-memory.dmp   upx
  behavioral1/memory/1224-78-0x000000006C900000-0x000000006C925000-memory.dmp   upx
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
  pid   process
  968   MSBuild.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
  description                          pid    process                                                                   target process
  PID 1224 wrote to memory of 904      1224   4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe    cmd.exe
  PID 1224 wrote to memory of 904      1224   4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe    cmd.exe
  PID 1224 wrote to memory of 904      1224   4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe    cmd.exe
  PID 904 wrote to memory of 968       904    cmd.exe                                                                   MSBuild.exe
  PID 904 wrote to memory of 968       904    cmd.exe                                                                   MSBuild.exe
  PID 904 wrote to memory of 968       904    cmd.exe                                                                   MSBuild.exe
  PID 904 wrote to memory of 968       904    cmd.exe                                                                   MSBuild.exe
  PID 968 wrote to memory of 1688      968    MSBuild.exe                                                               csc.exe
  PID 968 wrote to memory of 1688      968    MSBuild.exe                                                               csc.exe
  PID 968 wrote to memory of 1688      968    MSBuild.exe                                                               csc.exe
  PID 968 wrote to memory of 1688      968    MSBuild.exe                                                               csc.exe
  PID 1688 wrote to memory of 1332     1688   csc.exe                                                                   cvtres.exe
  PID 1688 wrote to memory of 1332     1688   csc.exe                                                                   cvtres.exe
  PID 1688 wrote to memory of 1332     1688   csc.exe                                                                   cvtres.exe
  PID 1688 wrote to memory of 1332     1688   csc.exe                                                                   cvtres.exe
  PID 968 wrote to memory of 1484      968    MSBuild.exe                                                               svchost.exe
  PID 968 wrote to memory of 1484      968    MSBuild.exe                                                               svchost.exe
  PID 968 wrote to memory of 1484      968    MSBuild.exe                                                               svchost.exe
  PID 968 wrote to memory of 1484      968    MSBuild.exe                                                               svchost.exe
  PID 968 wrote to memory of 1484      968    MSBuild.exe                                                               svchost.exe
Processes (number = depth in the process tree)
1. C:\Users\Admin\AppData\Local\Temp\4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /nologo /noconsolelogger /verbosity:quiet C:\ProgramData\418712bf-userSettings.xml && move payload.exe C:\ProgramData\HDAudio.exe && reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HighDefinitionAudio /t REG_SZ /f /d "C:\ProgramData\HDAudio.exe
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /nologo /noconsolelogger /verbosity:quiet C:\ProgramData\418712bf-userSettings.xml
         - Suspicious behavior: CmdExeWriteProcessMemorySpam
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bu0ksvvi\bu0ksvvi.cmdline"
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
               Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF799.tmp" "c:\Users\Admin\AppData\Local\Temp\bu0ksvvi\CSCEAABBE00452A48F683DF849FCBEBF41.TMP"
         4. C:\Windows\SysWOW64\svchost.exe
            Command line: "C:\Windows\System32\svchost.exe"
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\418712bf-userSettings.xml
  Filesize: 8KB
  MD5: 41b236f7027b7343a64d5f577edf37d2
  SHA1: 8c35dd00d23eeb892d1076596a43dd55feeb0acd
  SHA256: bbb1bcaa67d14d044e63db6dbd1cf48a190c9076019383ac8ac881be59fb3e3e
  SHA512: d010ba4de08ff777c1cf24af84c13879f20eb8b36cb1daef5f3fe0aedddb9bb37d80dc411ddbce747d109a8bde04e801e242c3b82301080b0a7289d007adb8d7
- C:\Users\Admin\AppData\Local\Temp\RESF799.tmp
  Filesize: 1KB
  MD5: 67ce0776c0fb8fb5a36fbf675b2db9e6
  SHA1: 1a948dba30bea7674fb634e95d1f6c4f54179da9
  SHA256: 3fef75172b9b5c8994e470c53cbf88ae93211c8b0f78a3c33948d4e00b15ae6c
  SHA512: 1b0196f1b8171663f35162d1a13ef1cced7e9e9c63d2222662f281d726ec6ceaa25b94d1a93c44db5dfdf4ad2fe34c9b15c7fb0174aaa5f46319decf1ac003bf
- C:\Users\Admin\AppData\Local\Temp\bu0ksvvi\bu0ksvvi.dll
  Filesize: 9KB
  MD5: 11fd6d2428f3af2115f7743b40eefde1
  SHA1: 610758687991600696b242222c64aa310f00dc4e
  SHA256: ebc7c0bb2c0c222800f542b8d5fe679833879ed1b10d9a14b639f3e4b6718bf1
  SHA512: dbc13b09ff8bce3f6b021e4170ff7f25f9014e6da61d618361f5f3f8a4738419b3af472307701ac3a52de8f069603b1a31244ca7de6f1b8370517cc5863e6f7d
- C:\Users\Admin\AppData\Local\Temp\bu0ksvvi\bu0ksvvi.pdb
  Filesize: 11KB
  MD5: b66c3e66b6e6a34c98646e3623d6983c
  SHA1: 9ff7c949f7b265ce4563133dbf7c733cd0159d85
  SHA256: 5bcb1e57510dcc6d439f83c700f27f7f56bb66db729cacf97a6f2f00aae4e406
  SHA512: 39ce4176e228e7d7c67d332affb3cea253fbc67c5f507989614a727d8ca584754e4e01d06a7e58258583612bf6930c0c0a0ec9ef31c91829b717703cc27b2cd7
- \??\c:\Users\Admin\AppData\Local\Temp\bu0ksvvi\CSCEAABBE00452A48F683DF849FCBEBF41.TMP
  Filesize: 652B
  MD5: 5ba1335c21e75d3bd60b0922748694cf
  SHA1: de4f3a456dfde2217b3f4826cc1c98182563bce5
  SHA256: 096e4084a3be7f357e3ea4e18efc6c8d2e45e75ea25f895f75feb0823b486751
  SHA512: 5d456b0014ba534a934de9dfe7ea4e7442f5604fe281971e1eff8c67cb0e1665c66022180a2583ede26c70b17ad8105760755f61607dd865f38d1a88461a3618
- \??\c:\Users\Admin\AppData\Local\Temp\bu0ksvvi\bu0ksvvi.0.cs
  Filesize: 7KB
  MD5: 6a8b1c37f1f756583e60b385e48c2b12
  SHA1: eb03ca238d1054c2591cc42b3e5829b0a4649782
  SHA256: 1df927bc417dc9cf24cfd5ca5de91cd6949591f90f24c480d319e85eee03fc54
  SHA512: 553559d629a81623d4aeed7baad20618a2c3937f9059998d077bf219544ee0399c67a359c672b19c9f40d78426733bea2fdc9f7f9b053efe484347e7bd98cc4a
- \??\c:\Users\Admin\AppData\Local\Temp\bu0ksvvi\bu0ksvvi.cmdline
  Filesize: 660B
  MD5: d79aff5583d5a680ab73facd41fe7818
  SHA1: d9256bda99c4530cfee0ff0fca464e23e9afce46
  SHA256: 17652728f69966e0bf51b39855259039d3ef05c9aadc3a4d20b387a685322d6e
  SHA512: 38ae031ac42524663aea57da9b532043eb97175991b29baf8029d5e6ef29b7339c642ade7e041a49903967297331b5ad297079212920f54d7903ecf99c717ac5
- memory/904-54-0x0000000000000000-mapping.dmp
- memory/968-60-0x0000000005070000-0x0000000005192000-memory.dmp (Filesize: 1.1MB)
- memory/968-74-0x0000000000470000-0x0000000000478000-memory.dmp (Filesize: 32KB)
- memory/968-64-0x0000000005070000-0x00000000051EA000-memory.dmp (Filesize: 1.5MB)
- memory/968-65-0x0000000005070000-0x00000000053D4000-memory.dmp (Filesize: 3.4MB)
- memory/968-62-0x0000000000AD0000-0x0000000000B14000-memory.dmp (Filesize: 272KB)
- memory/968-61-0x00000000051A0000-0x00000000052C2000-memory.dmp (Filesize: 1.1MB)
- memory/968-63-0x0000000000470000-0x000000000048A000-memory.dmp (Filesize: 104KB)
- memory/968-57-0x0000000076531000-0x0000000076533000-memory.dmp (Filesize: 8KB)
- memory/968-56-0x0000000000BB0000-0x0000000000BF0000-memory.dmp (Filesize: 256KB)
- memory/968-55-0x0000000000000000-mapping.dmp
- memory/1224-78-0x000000006C900000-0x000000006C925000-memory.dmp (Filesize: 148KB)
- memory/1224-59-0x000000006C900000-0x000000006C925000-memory.dmp (Filesize: 148KB)
- memory/1332-69-0x0000000000000000-mapping.dmp
- memory/1484-75-0x0000000000080000-0x0000000000081000-memory.dmp (Filesize: 4KB)
- memory/1484-76-0x0000000000000000-mapping.dmp
- memory/1688-66-0x0000000000000000-mapping.dmp