Analysis
- max time kernel: 129s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20220414-en
- resource tags: arch:x64, arch:x86, image:win7-20220414-en, locale:en-us, os:windows7-x64, system
- submitted: 18-07-2022 06:51
Static task: static1
Behavioral task: behavioral1
  Sample: b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe
  Resource: win10v2004-20220414-en
General
- Target: b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe
- Size: 235KB
- MD5: 1f7f6928534ff002dbe843380d619e45
- SHA1: 5712a3cd5c72e2cfb648135a97850637ac9c4681
- SHA256: b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6
- SHA512: 8ec6d3bd9d30f9b659bcf22d23e6985e5e88b7ef5b719f7e23250a18b267218bc0b62d5cf07b057fe5f3105228313385d33b3a63d75107ec44d7f519caf9a3b9
Malware Config
Extracted
- Family: metasploit
- Payload: windows/reverse_tcp
- Address: 10.30.4.18:5555
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 1100 drm.exe
    pid 964 drm.exe
- Drops startup file (1 IoC)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeviceSync.lnk (process: drm.exe)
- Loads dropped DLL (4 IoCs)
  Processes:
    pid 1048 b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe (2 events)
    pid 1100 drm.exe (2 events)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 1100 (drm.exe) set thread context of PID 964 (drm.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid 1048 b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe (2 events)
    pid 1100 drm.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 1100 drm.exe (6 events)
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    PID 1048 (b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe) wrote to memory of PID 1100 (drm.exe) (4 events)
    PID 1100 (drm.exe) wrote to memory of PID 964 (drm.exe) (9 events)
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Image: C:\Users\Admin\AppData\Local\Temp\drm.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\drm.exe"
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Image: C:\Users\Admin\AppData\Local\Temp\drm.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\drm.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\drm.exe
  Filesize: 38KB
  MD5: 103f7c56772b5463a51c4992d1a1289f
  SHA1: 5f533c02737904d12eea0e9f6042da1ed6691c27
  SHA256: 1787605b093fb88096cdb5c316ec335425096af34ab1006224b845a09482badc
  SHA512: 5e7e428e6ffc2095923f92e67b7707bc50c823d2ac2ad0a651eb6f7899e777650c95de2d2ec72e00cc7108f68a494b0ea246ebf48793a154cce403336d0b1c33
- \Users\Admin\AppData\Local\Temp\drm.exe
  Filesize: 38KB
  MD5: 103f7c56772b5463a51c4992d1a1289f
  SHA1: 5f533c02737904d12eea0e9f6042da1ed6691c27
  SHA256: 1787605b093fb88096cdb5c316ec335425096af34ab1006224b845a09482badc
  SHA512: 5e7e428e6ffc2095923f92e67b7707bc50c823d2ac2ad0a651eb6f7899e777650c95de2d2ec72e00cc7108f68a494b0ea246ebf48793a154cce403336d0b1c33
- memory/964-73-0x0000000000400000-0x0000000000416000-memory.dmp
  Filesize: 88KB
- memory/964-70-0x000000000040A4A1-mapping.dmp
- memory/964-69-0x0000000000400000-0x0000000000416000-memory.dmp
  Filesize: 88KB
- memory/1048-54-0x0000000075C51000-0x0000000075C53000-memory.dmp
  Filesize: 8KB
- memory/1100-57-0x0000000000000000-mapping.dmp
- memory/1100-64-0x0000000077090000-0x0000000077130000-memory.dmp
  Filesize: 640KB
- memory/1100-59-0x00000000757E0000-0x000000007588C000-memory.dmp
  Filesize: 688KB