Analysis
- max time kernel: 150s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 19-09-2022 00:42
Static task: static1
Behavioral task: behavioral1
- Sample: 33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
- Resource: win10v2004-20220812-en
General
- Target: 33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
- Size: 177KB
- MD5: 702419ffd5e768b22037a84c7bad88cd
- SHA1: 13b3b0dcd128f6574b7392385419ce680efce036
- SHA256: 33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a
- SHA512: 363b81444e2de13c26fc14950d4760a0845f5724eade322bae73bb04ca60396c7c6ff3be577b2c4cfde4cff40e78f722a9744ab46a571536f3bc0985ab9ad192
- SSDEEP: 3072:rEEkpajNuqwjuwMROeSP4SY5fl2+dGYAo9RK1gz9Koc7yQOiOy2D9OlCSXzGsue8:rEDajNuJjujoeSP4SY5fl2+dGYAo9RKg
Malware Config
Extracted
- metasploit
- encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 1756 csrss.exe
  - 1988 csrss.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ (33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remote Registry Service = "csrss.exe" (33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
  - PID 1784 set thread context of 1624: 33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe -> 33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
  - PID 1756 set thread context of 1988: csrss.exe -> csrss.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\csrss.exe (33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe)
  - File created: C:\Windows\csrss.exe (33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
  - 1784 33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
  - 1756 csrss.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description, pid, process, target process):
  - PID 1784 wrote to memory of 1624: 33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe -> 33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe (10 events)
  - PID 1624 wrote to memory of 1756: 33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe -> csrss.exe (4 events)
  - PID 1756 wrote to memory of 1988: csrss.exe -> csrss.exe (10 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe"
  PID: 1784
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
    PID: 1624
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\csrss.exe
      Command line: "C:\Windows\csrss.exe"
      PID: 1756
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\csrss.exe
        Command line: C:\Windows\csrss.exe
        PID: 1988
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 177KB
  MD5: 702419ffd5e768b22037a84c7bad88cd
  SHA1: 13b3b0dcd128f6574b7392385419ce680efce036
  SHA256: 33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a
  SHA512: 363b81444e2de13c26fc14950d4760a0845f5724eade322bae73bb04ca60396c7c6ff3be577b2c4cfde4cff40e78f722a9744ab46a571536f3bc0985ab9ad192