Analysis
-
max time kernel
148s -
max time network
41s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
03-12-2022 01:09
General
-
Target
fdcf081b885009ff6ae21587989410a0c861f9f2e7acd2e11a544ccc2d899020.exe
-
Size
227KB
-
MD5
1926d5d9eb5e4354f18083916de108f0
-
SHA1
f54ca406b5d189b19bdd2124c71660b921945cdb
-
SHA256
fdcf081b885009ff6ae21587989410a0c861f9f2e7acd2e11a544ccc2d899020
-
SHA512
32a58a5d68ac70f719f4fb86ed198171ae70c0f34e3d5b623722de7e407ed66caf2d19d37deb3d1590063f5bb1ae2911e4226739f0a33f9e5714479c8e7e3ae5
-
SSDEEP
3072:mq6zDsoY9iUeCRvRpR5RhD/HzkfVtLrNFSDg6w3x5VdO3huCFOnYit8aQ:mqKC9X/L/cVtLxthdGhvOf
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Modifies registry key 1 TTPs 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fdcf081b885009ff6ae21587989410a0c861f9f2e7acd2e11a544ccc2d899020.exe"C:\Users\Admin\AppData\Local\Temp\fdcf081b885009ff6ae21587989410a0c861f9f2e7acd2e11a544ccc2d899020.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\fdcf081b885009ff6ae21587989410a0c861f9f2e7acd2e11a544ccc2d899020.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\fdcf081b885009ff6ae21587989410a0c861f9f2e7acd2e11a544ccc2d899020.exe:*:Enabled:Windows Messanger" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\fdcf081b885009ff6ae21587989410a0c861f9f2e7acd2e11a544ccc2d899020.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\fdcf081b885009ff6ae21587989410a0c861f9f2e7acd2e11a544ccc2d899020.exe:*:Enabled:Windows Messanger" /f3⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\fdcf081b885009ff6ae21587989410a0c861f9f2e7acd2e11a544ccc2d899020.exe"C:\Users\Admin\AppData\Local\Temp\fdcf081b885009ff6ae21587989410a0c861f9f2e7acd2e11a544ccc2d899020.exe"2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\sysdiag64.exe"C:\Windows\sysdiag64.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\sysdiag64.exe" /t REG_SZ /d "C:\Windows\sysdiag64.exe:*:Enabled:Windows Messanger" /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\sysdiag64.exe" /t REG_SZ /d "C:\Windows\sysdiag64.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Windows\sysdiag64.exe"C:\Windows\sysdiag64.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\sysdiag64.exeFilesize
227KB
MD51926d5d9eb5e4354f18083916de108f0
SHA1f54ca406b5d189b19bdd2124c71660b921945cdb
SHA256fdcf081b885009ff6ae21587989410a0c861f9f2e7acd2e11a544ccc2d899020
SHA51232a58a5d68ac70f719f4fb86ed198171ae70c0f34e3d5b623722de7e407ed66caf2d19d37deb3d1590063f5bb1ae2911e4226739f0a33f9e5714479c8e7e3ae5
-
C:\Windows\sysdiag64.exeFilesize
227KB
MD51926d5d9eb5e4354f18083916de108f0
SHA1f54ca406b5d189b19bdd2124c71660b921945cdb
SHA256fdcf081b885009ff6ae21587989410a0c861f9f2e7acd2e11a544ccc2d899020
SHA51232a58a5d68ac70f719f4fb86ed198171ae70c0f34e3d5b623722de7e407ed66caf2d19d37deb3d1590063f5bb1ae2911e4226739f0a33f9e5714479c8e7e3ae5
-
C:\Windows\sysdiag64.exeFilesize
227KB
MD51926d5d9eb5e4354f18083916de108f0
SHA1f54ca406b5d189b19bdd2124c71660b921945cdb
SHA256fdcf081b885009ff6ae21587989410a0c861f9f2e7acd2e11a544ccc2d899020
SHA51232a58a5d68ac70f719f4fb86ed198171ae70c0f34e3d5b623722de7e407ed66caf2d19d37deb3d1590063f5bb1ae2911e4226739f0a33f9e5714479c8e7e3ae5
-
memory/268-110-0x0000000000000000-mapping.dmp
-
memory/692-107-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/692-85-0x0000000000000000-mapping.dmp
-
memory/804-116-0x0000000000230000-0x000000000026D000-memory.dmpFilesize
244KB
-
memory/804-115-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/804-114-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/804-113-0x0000000000230000-0x000000000026D000-memory.dmpFilesize
244KB
-
memory/804-102-0x000000000040AD48-mapping.dmp
-
memory/1116-65-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/1116-63-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/1116-72-0x000000000040AD48-mapping.dmp
-
memory/1116-75-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/1116-112-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/1116-111-0x00000000001C0000-0x00000000001FD000-memory.dmpFilesize
244KB
-
memory/1116-62-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/1116-69-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/1116-68-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/1116-71-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/1116-66-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/1316-60-0x0000000000000000-mapping.dmp
-
memory/1464-108-0x0000000000000000-mapping.dmp
-
memory/1504-90-0x0000000000000000-mapping.dmp
-
memory/1700-89-0x0000000000000000-mapping.dmp
-
memory/1740-81-0x0000000000000000-mapping.dmp
-
memory/1856-61-0x0000000000000000-mapping.dmp
-
memory/1964-82-0x0000000000000000-mapping.dmp
-
memory/1976-54-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1976-77-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1976-80-0x00000000001C0000-0x00000000001CD000-memory.dmpFilesize
52KB
-
memory/1976-59-0x00000000001C0000-0x00000000001FD000-memory.dmpFilesize
244KB
-
memory/1976-58-0x00000000001C0000-0x00000000001FD000-memory.dmpFilesize
244KB
-
memory/1976-55-0x00000000762B1000-0x00000000762B3000-memory.dmpFilesize
8KB