Analysis
-
max time kernel
98s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
01/12/2022, 01:49
General
-
Target
8a1588400910c0c05beb3b4f59c0392ad541bbca9aad50e9fbf4d220e1af115b.exe
-
Size
250KB
-
MD5
bf80b02a63eff8ff6222d97be469c9b3
-
SHA1
e2d5e673f47e07f9278ea88e9a47271be3aba62b
-
SHA256
8a1588400910c0c05beb3b4f59c0392ad541bbca9aad50e9fbf4d220e1af115b
-
SHA512
8a7a6115683fe9d466875ea2bbd0e57339ee116bf0afb876efc343bd23ce4f64e98736a47ec895a0420f0f7425acdaa4b6ade4c21e6aea4ac7d6385686e879c2
-
SSDEEP
3072:Xj99StNd3rZWTOwoIP/o7kTePQkwrzHqqL5BSbg1NEjYLg3qkbqC:z9atWS1IPkIePQlrzHqw6j1aBC
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Executes dropped EXE 2 IoCs
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\8a1588400910c0c05beb3b4f59c0392ad541bbca9aad50e9fbf4d220e1af115b.exe"C:\Users\Admin\AppData\Local\Temp\8a1588400910c0c05beb3b4f59c0392ad541bbca9aad50e9fbf4d220e1af115b.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8a1588400910c0c05beb3b4f59c0392ad541bbca9aad50e9fbf4d220e1af115b.exe"C:\Users\Admin\AppData\Local\Temp\8a1588400910c0c05beb3b4f59c0392ad541bbca9aad50e9fbf4d220e1af115b.exe"3⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxvl32.exe"C:\Windows\SysWOW64\igfxvl32.exe" C:\Users\Admin\AppData\Local\Temp\8A1588~1.EXE4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxvl32.exe"C:\Windows\SysWOW64\igfxvl32.exe" C:\Users\Admin\AppData\Local\Temp\8A1588~1.EXE5⤵
- Modifies firewall policy service
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 7286⤵
- Loads dropped DLL
- Program crash
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
250KB
MD5bf80b02a63eff8ff6222d97be469c9b3
SHA1e2d5e673f47e07f9278ea88e9a47271be3aba62b
SHA2568a1588400910c0c05beb3b4f59c0392ad541bbca9aad50e9fbf4d220e1af115b
SHA5128a7a6115683fe9d466875ea2bbd0e57339ee116bf0afb876efc343bd23ce4f64e98736a47ec895a0420f0f7425acdaa4b6ade4c21e6aea4ac7d6385686e879c2
-
Filesize
250KB
MD5bf80b02a63eff8ff6222d97be469c9b3
SHA1e2d5e673f47e07f9278ea88e9a47271be3aba62b
SHA2568a1588400910c0c05beb3b4f59c0392ad541bbca9aad50e9fbf4d220e1af115b
SHA5128a7a6115683fe9d466875ea2bbd0e57339ee116bf0afb876efc343bd23ce4f64e98736a47ec895a0420f0f7425acdaa4b6ade4c21e6aea4ac7d6385686e879c2
-
Filesize
250KB
MD5bf80b02a63eff8ff6222d97be469c9b3
SHA1e2d5e673f47e07f9278ea88e9a47271be3aba62b
SHA2568a1588400910c0c05beb3b4f59c0392ad541bbca9aad50e9fbf4d220e1af115b
SHA5128a7a6115683fe9d466875ea2bbd0e57339ee116bf0afb876efc343bd23ce4f64e98736a47ec895a0420f0f7425acdaa4b6ade4c21e6aea4ac7d6385686e879c2
-
Filesize
250KB
MD5bf80b02a63eff8ff6222d97be469c9b3
SHA1e2d5e673f47e07f9278ea88e9a47271be3aba62b
SHA2568a1588400910c0c05beb3b4f59c0392ad541bbca9aad50e9fbf4d220e1af115b
SHA5128a7a6115683fe9d466875ea2bbd0e57339ee116bf0afb876efc343bd23ce4f64e98736a47ec895a0420f0f7425acdaa4b6ade4c21e6aea4ac7d6385686e879c2
-
Filesize
250KB
MD5bf80b02a63eff8ff6222d97be469c9b3
SHA1e2d5e673f47e07f9278ea88e9a47271be3aba62b
SHA2568a1588400910c0c05beb3b4f59c0392ad541bbca9aad50e9fbf4d220e1af115b
SHA5128a7a6115683fe9d466875ea2bbd0e57339ee116bf0afb876efc343bd23ce4f64e98736a47ec895a0420f0f7425acdaa4b6ade4c21e6aea4ac7d6385686e879c2
-
Filesize
250KB
MD5bf80b02a63eff8ff6222d97be469c9b3
SHA1e2d5e673f47e07f9278ea88e9a47271be3aba62b
SHA2568a1588400910c0c05beb3b4f59c0392ad541bbca9aad50e9fbf4d220e1af115b
SHA5128a7a6115683fe9d466875ea2bbd0e57339ee116bf0afb876efc343bd23ce4f64e98736a47ec895a0420f0f7425acdaa4b6ade4c21e6aea4ac7d6385686e879c2
-
Filesize
250KB
MD5bf80b02a63eff8ff6222d97be469c9b3
SHA1e2d5e673f47e07f9278ea88e9a47271be3aba62b
SHA2568a1588400910c0c05beb3b4f59c0392ad541bbca9aad50e9fbf4d220e1af115b
SHA5128a7a6115683fe9d466875ea2bbd0e57339ee116bf0afb876efc343bd23ce4f64e98736a47ec895a0420f0f7425acdaa4b6ade4c21e6aea4ac7d6385686e879c2
-
Filesize
250KB
MD5bf80b02a63eff8ff6222d97be469c9b3
SHA1e2d5e673f47e07f9278ea88e9a47271be3aba62b
SHA2568a1588400910c0c05beb3b4f59c0392ad541bbca9aad50e9fbf4d220e1af115b
SHA5128a7a6115683fe9d466875ea2bbd0e57339ee116bf0afb876efc343bd23ce4f64e98736a47ec895a0420f0f7425acdaa4b6ade4c21e6aea4ac7d6385686e879c2
-
Filesize
8KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
120KB
-
Filesize
412KB
-
Filesize
412KB