Analysis
max time kernel: 147s
max time network: 168s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2022 00:38
Static task: static1
Behavioral task: behavioral1
  Sample: b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe
  Resource: win10v2004-20220812-en
General
Target: b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe
Size: 304KB
MD5: 835d904ac7ea20217958ddbeaa87b7c9
SHA1: b9af85cc71b37a3e4e32f086b566d7cc1357dd71
SHA256: b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544
SHA512: 8d694798062e1ca55d056dc4e8a31a25fa367330e24f2957d218f0779c3d62d0bf294f654aa9897209945f8a4043eea6da9fbcbaa8a5352e39199d1b9c28124f
SSDEEP: 6144:dMIasDkaLPlgnMDHr96BjnLi7k2kqD5XJH8pVaQKH:tPl5gnLx2kqxF8y
Malware Config
Extracted: metasploit
Encoder: encoder/call4_dword_xor
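The config extraction above says the embedded payload was wrapped with Metasploit's x86 call4_dword_xor encoder. That encoder is a static little-endian DWORD XOR behind a short decoder stub, so once the stub is located the key can be read straight out of it and the payload recovered without running anything. The Python below is an added example, not code from this report or from Metasploit. The stub byte layout in the docstring is the module's canonical form as I know it; treat it as an assumption and check it against the call4_dword_xor module in your own Metasploit checkout. In particular, Metasploit generates the `sub ecx, -n` counter through a helper that may pick a different instruction sequence when bad characters forbid the `83 e9` form, which is why the decoder falls back to consuming the rest of the buffer when that byte pattern is absent.

```python
"""Static unwrapping of a Metasploit x86/call4_dword_xor payload.

Added example, not code from the report or from Metasploit. Canonical stub
layout assumed here (24 bytes):

    31 c9               xor  ecx, ecx
    83 e9 <-n>          sub  ecx, -n              ; n = number of DWORD blocks
    e8 ff ff ff ff      call $+4                  ; lands on the last ff: "ff c0" = inc eax
    c0
    5e                  pop  esi                  ; esi -> the c0 byte
    81 76 0e KKKKKKKK   xor  dword [esi+0xe], key ; esi+0xe = first payload DWORD
    83 ee fc            sub  esi, -4
    e2 f4               loop (back to the xor)
"""
import struct

_CALL4_SIG = b"\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"  # call $+4 .. xor opcode
_TAIL = b"\x83\xee\xfc\xe2\xf4"                            # sub esi,-4 ; loop
STUB_LEN = 2 + 3 + len(_CALL4_SIG) + 4 + len(_TAIL)        # 24 bytes


def _xor_dwords(data: bytes, key: int) -> bytes:
    """XOR a 4-byte-aligned buffer DWORD by DWORD with one static key."""
    return b"".join(struct.pack("<I", struct.unpack("<I", data[i:i + 4])[0] ^ key)
                    for i in range(0, len(data), 4))


def encode_call4_dword_xor(payload: bytes, key: int) -> bytes:
    """Reference encoder: stub + payload XORed with a single static key.
    Unlike shikata_ga_nai the key is not rolled between blocks."""
    padded = payload + b"\x00" * (-len(payload) % 4)
    nblocks = len(padded) // 4
    if not 1 <= nblocks <= 128:
        raise ValueError("the imm8 counter form covers 1..128 DWORD blocks")
    stub = (b"\x31\xc9" + b"\x83\xe9" + bytes([(-nblocks) & 0xff])
            + _CALL4_SIG + struct.pack("<I", key) + _TAIL)
    return stub + _xor_dwords(padded, key)


def decode_call4_dword_xor(blob: bytes) -> tuple[int, bytes]:
    """Find the stub anywhere in blob, read the key out of it and undo the XOR.
    Returns (key, payload). The block count comes from the 'sub ecx, -n' byte
    when that form precedes the call; otherwise the rest of the buffer is used."""
    off = blob.find(_CALL4_SIG)
    if off < 0:
        raise ValueError("call4_dword_xor stub not found")
    key_off = off + len(_CALL4_SIG)
    if blob[key_off + 4:key_off + 4 + len(_TAIL)] != _TAIL:
        raise ValueError("stub tail does not match")
    key = struct.unpack("<I", blob[key_off:key_off + 4])[0]
    body = blob[key_off + 4 + len(_TAIL):]
    if off >= 3 and blob[off - 3:off - 1] == b"\x83\xe9":
        n = -struct.unpack("<b", blob[off - 1:off])[0]   # imm8 is -n, sign-extended
        if n > 0:
            body = body[:4 * n]
    body = body[:len(body) - len(body) % 4]
    return key, _xor_dwords(body, key)


if __name__ == "__main__":
    # Constructed stand-in for a payload; not shellcode from the sample.
    blob = encode_call4_dword_xor(b"CONSTRUCTED PAYLOAD BYTES", 0xDEADBEEF)
    key, clear = decode_call4_dword_xor(b"\x90" * 5 + blob + b"trailing junk")
    print(hex(key), clear.rstrip(b"\x00"))
```

In practice the encoded blob sits somewhere inside the 304KB image; carve the region that follows the stub signature (`e8 ff ff ff ff c0 5e 81 76 0e`) rather than the whole file, then hand the decoded bytes to a disassembler.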
Signatures
MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Process: b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mitnick2 = "C:\\WINDOWS\\system32\\microsoftNS.exe"
  Note: Policies\Explorer\Run is the registry location behind the Group Policy setting "Run these programs at user logon"; Explorer processes it at logon alongside the ordinary Run key, so an autorun review that only covers Run/RunOnce misses it.
Executes dropped EXE (2 IoCs)
  Processes: PID 864 microsoftNS.exe; PID 1884 microsoftNS.exe
Loads dropped DLL (2 IoCs)
  Process: PID 1220 b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe (2 events)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\billgates = "C:\\WINDOWS\\system32\\microsoftNS.exe"
  Note: both autorun values (mitnick2 and billgates) point at the same dropped copy. This key is recorded under Wow6432Node because the 32-bit writer's view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected there by WOW64; the Policies\Explorer\Run write above was recorded at its native path.
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    File opened for modification  \??\PhysicalDrive0  b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe
    File opened for modification  \??\PhysicalDrive0  microsoftNS.exe
  Note: what the report records is a handle to the raw disk opened with write access, once by the original sample and once by the dropped copy. It does not show the bytes written, so confirm that sector 0 actually changed before classifying this as a bootkit.
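Checking whether the boot sector changed is a read-back-and-compare of 512 bytes. The Python below is an added example, not part of the report: it parses an MBR into bootstrap code, disk signature and partition table, and diffs a sector against a trusted baseline. On a live Windows host the sector is read (as administrator) with `open(r"\\.\PhysicalDrive0", "rb").read(512)`; here two constructed sectors, a clean one and one with its first 32 bytes of bootstrap code overwritten, stand in so the code runs offline. Offsets follow the classic MBR layout.

```python
r"""Parse and baseline a 512-byte MBR sector.

Added example, not from the report. The sample opened \??\PhysicalDrive0 for
modification; reading sector 0 back and diffing it against a known-good copy
answers whether anything was actually written. CLEAN_MBR and PATCHED_MBR are
constructed test data, not sectors captured from the sandbox."""
import hashlib
import struct
from dataclasses import dataclass

BOOTSTRAP_LEN = 440          # bootstrap code; the 4-byte disk signature follows at 0x1B8
PART_TABLE_OFF = 0x1BE       # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass(frozen=True)
class Partition:
    index: int
    active: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> dict:
    """Split the sector into bootstrap hash, disk signature and partition table."""
    if len(sector) != 512:
        raise ValueError("an MBR sector is exactly 512 bytes")
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != BOOT_SIGNATURE:
        raise ValueError("0x55AA boot signature missing")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, type_id = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if type_id != 0:                      # type 0 marks an empty slot
            parts.append(Partition(i, bool(status & 0x80), type_id, lba_start, count))
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 0x1B8)[0],
        "partitions": parts,
    }


def diff_against_baseline(sector: bytes, baseline: bytes) -> list[str]:
    """Differences a responder should look at; an empty list means unchanged."""
    now, ref = parse_mbr(sector), parse_mbr(baseline)
    findings = []
    if now["bootstrap_sha256"] != ref["bootstrap_sha256"]:
        findings.append("bootstrap code modified")
    if now["disk_signature"] != ref["disk_signature"]:
        findings.append("disk signature changed")
    if now["partitions"] != ref["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sector(bootstrap: bytes, disk_sig: int, partitions: list[Partition]) -> bytes:
    """Assemble a constructed MBR for testing (CHS fields left zero)."""
    sector = bytearray(512)
    code = bootstrap[:BOOTSTRAP_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, 0x1B8, disk_sig)
    for p in partitions:
        off = PART_TABLE_OFF + 16 * p.index
        sector[off] = 0x80 if p.active else 0x00
        sector[off + 4] = p.type_id
        struct.pack_into("<II", sector, off + 8, p.lba_start, p.sector_count)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed data: one active NTFS (type 0x07) partition starting at LBA 2048.
CLEAN_MBR = build_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40, 0x1234ABCD,
                         [Partition(0, True, 0x07, 2048, 204800)])
# Same disk with the first 32 bytes of bootstrap code overwritten.
PATCHED_MBR = b"\xeb\xfe" + b"\xcc" * 30 + CLEAN_MBR[32:]

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print(diff_against_baseline(PATCHED_MBR, CLEAN_MBR))
```

Take the baseline from a trusted source (a pre-infection image, or the same build's known-good sector), not from the affected host after the fact; if only the bootstrap hash differs while the partition table is intact, the change is in the code that runs before the OS loader, which is exactly what the signature description warns about.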
Drops file in System32 directory (4 IoCs)
  Processes:
    File created                  C:\WINDOWS\SysWOW64\microsoftNS.exe  microsoftNS.exe
    File created                  C:\WINDOWS\SysWOW64\microsoftNS.exe  b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe
    File opened for modification  C:\WINDOWS\SysWOW64\microsoftNS.exe  b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe
    File opened for modification  C:\WINDOWS\SysWOW64\microsoftNS.exe  microsoftNS.exe
  Note: the sample runs as a 32-bit process under WOW64 (its system32 writes land in SysWOW64, and the copy it launches as C:\WINDOWS\system32\microsoftNS.exe runs from C:\WINDOWS\SysWOW64\microsoftNS.exe). The Run values nevertheless name the system32 path, so whether a launcher finds the file there depends on whether that launcher is itself subject to WOW64 file-system redirection.
Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    PID 1516 set thread context of 1220  b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe -> b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe
    PID 864 set thread context of 1884   microsoftNS.exe -> microsoftNS.exe
  Note: both calls target a freshly spawned copy of the caller's own image, and the same two parent/child pairs account for 18 of the 22 WriteProcessMemory calls below. That is the spawn-self, overwrite, redirect-entry-point pattern (process hollowing / RunPE). The memory dumps agree: the parents' image regions are 0x400000-0x45D000 (372KB) while the children's 0x400000 region extends to 0x467000 (412KB), so what runs in the children is not the image the file on disk maps to.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: PID 1516 b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe; PID 864 microsoftNS.exe
Suspicious use of WriteProcessMemory (22 IoCs)
  Processes:
    PID 1516 wrote to memory of 1220  b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe -> b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe  (9 times)
    PID 1220 wrote to memory of 864   b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe -> microsoftNS.exe  (4 times)
    PID 864 wrote to memory of 1884   microsoftNS.exe -> microsoftNS.exe  (9 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe  (PID 1516)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe"
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe  (PID 1220, hollowed child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe" c:\users\admin\appdata\local\temp\Program.exe
      - Adds policy Run key to start application
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\SysWOW64\microsoftNS.exe  (PID 864, dropped copy started by 2)
         Command line: "C:\WINDOWS\system32\microsoftNS.exe"
         - Executes dropped EXE
         - Writes to the Master Boot Record (MBR)
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\WINDOWS\SysWOW64\microsoftNS.exe  (PID 1884, hollowed child of 3)
            Command line: "C:\WINDOWS\SysWOW64\microsoftNS.exe" c:\users\admin\appdata\local\temp\Program.exe
            - Executes dropped EXE
            - Drops file in System32 directory
The chain repeats itself once: the original file hollows a copy of itself, the hollowed copy drops and persists the same binary as microsoftNS.exe, and that binary hollows a copy of itself in turn. The argument c:\users\admin\appdata\local\temp\Program.exe is passed to both hollowed children; no file of that name appears among the files this report lists.
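The process tree above is the whole chain a detection needs to catch: a process that sets the thread context of a child running its own image, an autorun value that points at a file the same run just dropped into a system directory, and a write handle on the raw disk. The Python below is an added example, not the sandbox's code or output. It replays those three checks over a constructed event stream; the event dicts and their field names are my own abstraction of what an EDR would record (stock Sysmon has no SetThreadContext event), the PIDs, paths and registry values are taken from this report, and the two benign "noise" records at the end are invented to show that the rules do not fire on ordinary activity.

```python
r"""Detection logic for the behaviour chain in this report.

Added example, not sandbox code. EVENTS is a constructed event stream: the
malicious records mirror the report's IoCs, the last three are invented noise.
The `type`/`pid`/`image`/... field names are an assumption, not a real schema."""
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe")
DROPPED = r"C:\WINDOWS\SysWOW64\microsoftNS.exe"
RUN_VALUE = r"C:\WINDOWS\system32\microsoftNS.exe"   # what both Run values point at

EVENTS = [
    {"type": "process_create", "pid": 1516, "ppid": 700, "image": SAMPLE},
    {"type": "process_create", "pid": 1220, "ppid": 1516, "image": SAMPLE},
    {"type": "set_thread_context", "pid": 1516, "target_pid": 1220},
    {"type": "file_create", "pid": 1220, "path": DROPPED},
    {"type": "reg_set_value", "pid": 1220, "name": "mitnick2", "data": RUN_VALUE,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"},
    {"type": "reg_set_value", "pid": 1220, "name": "billgates", "data": RUN_VALUE,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "raw_device_open", "pid": 1516, "path": r"\??\PhysicalDrive0", "write": True},
    {"type": "process_create", "pid": 864, "ppid": 1220, "image": DROPPED},
    {"type": "process_create", "pid": 1884, "ppid": 864, "image": DROPPED},
    {"type": "set_thread_context", "pid": 864, "target_pid": 1884},
    {"type": "raw_device_open", "pid": 864, "path": r"\??\PhysicalDrive0", "write": True},
    # Invented benign noise: a Run value set by a system binary for a file that
    # was not dropped during the trace, and a read-only raw disk open.
    {"type": "process_create", "pid": 2000, "ppid": 700, "image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "reg_set_value", "pid": 2000, "name": "SecurityHealth",
     "data": r"C:\Windows\system32\SecurityHealthSystray.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "raw_device_open", "pid": 2000, "path": r"\??\PhysicalDrive0", "write": False},
]

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\)?Run(Once)?\\?$", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def norm(path: str) -> str:
    r"""Case-fold and undo WOW64 redirection, so a Run value naming
    C:\WINDOWS\system32\x.exe matches the file a 32-bit writer created
    under C:\WINDOWS\SysWOW64\x.exe (exactly what this report shows)."""
    return path.strip('"').lower().replace("\\syswow64\\", "\\system32\\")


def processes(events):
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def find_self_hollowing(events):
    """SetThreadContext on a direct child that runs the caller's own image."""
    procs = processes(events)
    hits = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        actor, target = procs.get(e["pid"]), procs.get(e["target_pid"])
        if (actor and target and target["ppid"] == e["pid"]
                and norm(actor["image"]) == norm(target["image"])):
            hits.append((e["pid"], e["target_pid"], ntpath.basename(actor["image"])))
    return hits


def find_autorun_to_dropped_file(events):
    r"""Run / RunOnce / Policies\Explorer\Run values whose target was created
    earlier in the trace by a process running out of a user-writable directory."""
    procs = processes(events)
    created_by = {norm(e["path"]): e["pid"] for e in events if e["type"] == "file_create"}
    hits = []
    for e in events:
        if e["type"] != "reg_set_value" or not AUTORUN_KEY.search(e["key"]):
            continue
        writer = created_by.get(norm(e["data"]))
        writer_image = procs.get(writer, {}).get("image", "")
        if writer is not None and USER_WRITABLE.search(writer_image):
            hits.append((e["name"], e["key"], writer))
    return hits


def find_raw_disk_write_handles(events):
    r"""Write handles on \??\PhysicalDriveN: the precondition for MBR tampering."""
    procs = processes(events)
    return [(e["pid"], ntpath.basename(procs[e["pid"]]["image"]))
            for e in events
            if e["type"] == "raw_device_open" and e["write"]
            and re.fullmatch(r"\\\?\?\\physicaldrive\d+", e["path"].lower())]


if __name__ == "__main__":
    for label, rule in [("self-hollowing", find_self_hollowing),
                        ("autorun -> dropped file", find_autorun_to_dropped_file),
                        ("raw disk write handle", find_raw_disk_write_handles)]:
        for hit in rule(EVENTS):
            print(f"{label}: {hit}")
```

The self-hollowing rule keys on the parent/child image match rather than on WriteProcessMemory counts, because legitimate process creation also writes into a new child; the autorun rule ties the registry value back to a file-create in the same trace so that an installer refreshing its own Run entry does not fire it.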
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped file: microsoftNS.exe, recorded under five path spellings (C:\WINDOWS\SysWOW64\microsoftNS.exe; C:\Windows\SysWOW64\microsoftNS.exe, twice; \Windows\SysWOW64\microsoftNS.exe, twice). All five entries carry identical hashes, and those hashes are the submitted sample's: the dropper copies itself byte for byte, so one hash set covers both the original and the persisted copy.
  Filesize: 304KB
  MD5: 835d904ac7ea20217958ddbeaa87b7c9
  SHA1: b9af85cc71b37a3e4e32f086b566d7cc1357dd71
  SHA256: b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544
  SHA512: 8d694798062e1ca55d056dc4e8a31a25fa367330e24f2957d218f0779c3d62d0bf294f654aa9897209945f8a4043eea6da9fbcbaa8a5352e39199d1b9c28124f
Memory dumps
PID 1516 (b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe, parent)
  memory/1516-56  0x0000000075C81000-0x0000000075C83000  8KB
  memory/1516-67  0x0000000000400000-0x000000000045D000  372KB
PID 1220 (b708a5985eb5315a18bada34e80304fdc33f2a13640e650ee4bc651451f77544.exe, hollowed child of 1516)
  memory/1220-57  0x0000000000400000-0x0000000000467000  412KB
  memory/1220-58  0x0000000000400000-0x0000000000467000  412KB
  memory/1220-60  0x0000000000400000-0x0000000000467000  412KB
  memory/1220-62  0x0000000000400000-0x0000000000467000  412KB
  memory/1220-64  0x0000000000400000-0x0000000000467000  412KB
  memory/1220-65  0x000000000040EC78  mapping
  memory/1220-69  0x0000000000400000-0x0000000000467000  412KB
  memory/1220-71  0x0000000000400000-0x0000000000467000  412KB
  memory/1220-72  0x0000000002170000-0x00000000021CD000  372KB
PID 864 (microsoftNS.exe, dropped copy)
  memory/864-74   0x0000000000000000  mapping
  memory/864-78   0x0000000000400000-0x000000000045D000  372KB
  memory/864-92   0x0000000000400000-0x000000000045D000  372KB
PID 1884 (microsoftNS.exe, hollowed child of 864)
  memory/1884-89  0x000000000040EC78  mapping
  memory/1884-94  0x0000000000400000-0x0000000000467000  412KB
  memory/1884-95  0x0000000000400000-0x0000000000467000  412KB