Analysis
- Max time kernel: 91s
- Max time network: 112s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 18-07-2022 14:53
Behavioral tasks
- behavioral1
  Sample: 5180621dabfbf51a1764886b08bf8b954f27e326ed6167fbdbd8a6f6313c534f.dll
  Resource: win7-20220718-en
- behavioral2
  Sample: 5180621dabfbf51a1764886b08bf8b954f27e326ed6167fbdbd8a6f6313c534f.dll
  Resource: win10v2004-20220414-en
General
- Target: 5180621dabfbf51a1764886b08bf8b954f27e326ed6167fbdbd8a6f6313c534f.dll
- Size: 5.0MB
- MD5: 38c817799dc0b801b8051000baac445a
- SHA1: 6b7b2c1659ae194b6f7a5d94e40e94cacdc1bccc
- SHA256: 5180621dabfbf51a1764886b08bf8b954f27e326ed6167fbdbd8a6f6313c534f
- SHA512: 281797346098fb0b15265e28b4fa6bd98304611878ef7b902fa0170fec8c4437f43d8d285578538e09b41973f90c522c801bb91e2b41401e68a96839d3495006
Malware Config
Extracted:
- metasploit
- encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies firewall policy service (2 TTPs, 4 IoCs)
  Process: mssecsvc.exe. The dropped binary registers itself in the Windows Firewall authorized-applications list, so its network activity is not blocked by the host firewall.
  Description | IoC | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | mssecsvc.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\mssecsvc.exe = "C:\\WINDOWS\\mssecsvc.exe:*:enabled:@shell32.dll,-1" | mssecsvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | mssecsvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | mssecsvc.exe
- suricata: ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup
- suricata: ET MALWARE Known Sinkhole Response Header
- suricata: ET MALWARE Possible WannaCry DNS Lookup 2
- Executes dropped EXE (1 IoC)
  Process: mssecsvc.exe (PID 5108)
- Drops file in Windows directory (1 IoC)
  Process: rundll32.exe; File created: C:\WINDOWS\mssecsvc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: mssecsvc.exe (PID 5108), 2 occurrences
- Suspicious behavior: MapViewOfSection (64 IoCs)
  Process: mssecsvc.exe (PID 5108), 64 occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: mssecsvc.exe (PID 5108); Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: rundll32.exe, rundll32.exe, mssecsvc.exe
  Source PID | Source process | Target PID | Target process | Count
  968 | rundll32.exe | 4880 | rundll32.exe | 3
  4880 | rundll32.exe | 5108 | mssecsvc.exe | 3
  5108 | mssecsvc.exe | 588 | winlogon.exe | 6
  5108 | mssecsvc.exe | 668 | lsass.exe | 6
  5108 | mssecsvc.exe | 792 | fontdrvhost.exe | 6
  5108 | mssecsvc.exe | 800 | fontdrvhost.exe | 6
  5108 | mssecsvc.exe | 808 | svchost.exe | 6
  5108 | mssecsvc.exe | 912 | svchost.exe | 6
  5108 | mssecsvc.exe | 960 | svchost.exe | 6
  5108 | mssecsvc.exe | 1020 | dwm.exe | 6
  5108 | mssecsvc.exe | 516 | svchost.exe | 6
  5108 | mssecsvc.exe | 872 | svchost.exe | 4
Processes (indentation shows parent/child depth in the process tree)
- C:\Windows\system32\lsass.exe
  Command line: C:\Windows\system32\lsass.exe
- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  - C:\Windows\system32\fontdrvhost.exe
    Command line: "fontdrvhost.exe"
  - C:\Windows\system32\dwm.exe
    Command line: "dwm.exe"
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k RPCSS -p
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5180621dabfbf51a1764886b08bf8b954f27e326ed6167fbdbd8a6f6313c534f.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5180621dabfbf51a1764886b08bf8b954f27e326ed6167fbdbd8a6f6313c534f.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\WINDOWS\mssecsvc.exe
        Command line: C:\WINDOWS\mssecsvc.exe
        - Modifies firewall policy service
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -s W32Time
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k WerSvcGroup
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- C:\Windows\system32\SppExtComObj.exe
  Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
- C:\Windows\system32\wbem\wmiprvse.exe
  Command line: C:\Windows\system32\wbem\wmiprvse.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
- C:\Windows\System32\spoolsv.exe
  Command line: C:\Windows\System32\spoolsv.exe
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.8MB
  MD5: b544af75785b0448fb13b674c7a51d92
  SHA1: 7b88ce7386c7027d00e61ff512886cc11118ab7d
  SHA256: 57288b609475cb3f1521725178e405024844a1710f9aecef14d815b77bb86d0f
  SHA512: e11a6b44b21ad7360655f074a02abffb406bdd2f55c11b9bfbf57b29ec8a6281ea640cd84963d7abe8a1a0310eebc349d804cee241014ad055ea7fa617236b21
- C:\Windows\mssecsvc.exe
  Filesize: 3.8MB
  MD5: b544af75785b0448fb13b674c7a51d92
  SHA1: 7b88ce7386c7027d00e61ff512886cc11118ab7d
  SHA256: 57288b609475cb3f1521725178e405024844a1710f9aecef14d815b77bb86d0f
  SHA512: e11a6b44b21ad7360655f074a02abffb406bdd2f55c11b9bfbf57b29ec8a6281ea640cd84963d7abe8a1a0310eebc349d804cee241014ad055ea7fa617236b21
- memory/4880-130-0x0000000000000000-mapping.dmp
- memory/5108-131-0x0000000000000000-mapping.dmp
- memory/5108-134-0x0000000000400000-0x0000000000AB2000-memory.dmp
  Filesize: 6.7MB
- memory/5108-135-0x0000000000400000-0x0000000000AB2000-memory.dmp
  Filesize: 6.7MB