Analysis
- max time kernel: 78s
- max time network: 95s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2022 03:40
Static task: static1
Behavioral task: behavioral1
- Sample: df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
- Resource: win10v2004-20221111-en
General
- Target: df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
- Size: 564KB
- MD5: 0de094f08cdd761894f2ed9283a89db0
- SHA1: 14def521b5581a3bd10ac6c470c772e91b43e9c1
- SHA256: df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65
- SHA512: 4d10774cfc9748c6699004cee066c744423fa56f00425a4f3c16dfe0fb8d74d883b2efc8b946031b4f7f5d6ac9faf7e51dfc48d7043633c7c96af155768f6248
- SSDEEP: 12288:03usG9pLi+twALZJZi3lDQoyazsf3bYF9kfLcTk3IW:0Up7tfZJZW5w/bKkww37
Malware Config
- Extracted: metasploit
- Encoder: encoder/shikata_ga_nai
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    1120 | bestext.exe
    1332 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    960  | df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
    1120 | bestext.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (description | pid | process):
    Token: 33                         | 960  | df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
    Token: SeIncBasePriorityPrivilege | 960  | df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
    Token: 33                         | 960  | df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
    Token: SeIncBasePriorityPrivilege | 960  | df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
    Token: 33                         | 960  | df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
    Token: SeIncBasePriorityPrivilege | 960  | df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
    Token: 33                         | 1120 | bestext.exe
    Token: SeIncBasePriorityPrivilege | 1120 | bestext.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
    PID 960 wrote to memory of 1120  | 960  | df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe | bestext.exe
    PID 960 wrote to memory of 1120  | 960  | df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe | bestext.exe
    PID 960 wrote to memory of 1120  | 960  | df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe | bestext.exe
    PID 960 wrote to memory of 1120  | 960  | df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe | bestext.exe
    PID 1120 wrote to memory of 1332 | 1120 | bestext.exe | cmd.exe
    PID 1120 wrote to memory of 1332 | 1120 | bestext.exe | cmd.exe
    PID 1120 wrote to memory of 1332 | 1120 | bestext.exe | cmd.exe
    PID 1120 wrote to memory of 1332 | 1120 | bestext.exe | cmd.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\PuTTY suite\Release 0.60\2013.09.17T13.25\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\bestext.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bestext.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\PuTTY suite\Release 0.60\2013.09.17T13.25\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe
      Command line: cmd
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\PuTTY suite\Release 0.60\2013.09.17T13.25\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe
  Filesize: 17KB
  MD5: ae94a75a83cbe2307b932b3af492d5ce
  SHA1: a5c3d44899c3d133815c1d74a0016190f5394999
  SHA256: d111c6f792e77b3c81a1be1c3c95db71cd53bdd8fe5027cb8734f71315816407
  SHA512: feabae30331f399767d5dfecca2a4d72cbae3f1dd234e18585ea12cde683fb169814627cd32b98ccfb8824ef33b34f121ecb4824715a12fef4719033d8ca969b
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\PuTTY suite\Release 0.60\2013.09.17T13.25\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\bestext.exe
  Filesize: 17KB
  MD5: 7eda08261d497c9d88bb92644e7a2cb2
  SHA1: 886253caf7b798bb277d7b2d04a0ef36c0ea75bb
  SHA256: 6c1b74850fec10db1c10058c4ff7cae129dd2444048b17669c129c79266e0ac1
  SHA512: e66cd5593689b9d31a5a5972fc6a0db997fae723058c4a65d25c5dd80239af7c7b0e9d1533f44a13eb7eb45c7ef23bf5477f586cef59800aaaad24edd344a888
- \Users\Admin\AppData\Local\Xenocode\Sandbox\PuTTY suite\Release 0.60\2013.09.17T13.25\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe
  Filesize: 17KB
  MD5: ae94a75a83cbe2307b932b3af492d5ce
  SHA1: a5c3d44899c3d133815c1d74a0016190f5394999
  SHA256: d111c6f792e77b3c81a1be1c3c95db71cd53bdd8fe5027cb8734f71315816407
  SHA512: feabae30331f399767d5dfecca2a4d72cbae3f1dd234e18585ea12cde683fb169814627cd32b98ccfb8824ef33b34f121ecb4824715a12fef4719033d8ca969b
- \Users\Admin\AppData\Local\Xenocode\Sandbox\PuTTY suite\Release 0.60\2013.09.17T13.25\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\bestext.exe
  Filesize: 17KB
  MD5: 7eda08261d497c9d88bb92644e7a2cb2
  SHA1: 886253caf7b798bb277d7b2d04a0ef36c0ea75bb
  SHA256: 6c1b74850fec10db1c10058c4ff7cae129dd2444048b17669c129c79266e0ac1
  SHA512: e66cd5593689b9d31a5a5972fc6a0db997fae723058c4a65d25c5dd80239af7c7b0e9d1533f44a13eb7eb45c7ef23bf5477f586cef59800aaaad24edd344a888
- memory/960-69-0x0000000000370000-0x00000000003E2000-memory.dmp (Filesize: 456KB)
- memory/960-54-0x0000000074D81000-0x0000000074D83000-memory.dmp (Filesize: 8KB)
- memory/960-60-0x0000000000370000-0x00000000003E2000-memory.dmp (Filesize: 456KB)
- memory/960-57-0x0000000010000000-0x0000000010037000-memory.dmp (Filesize: 220KB)
- memory/960-84-0x0000000000370000-0x00000000003E2000-memory.dmp (Filesize: 456KB)
- memory/960-58-0x0000000010000000-0x0000000010037000-memory.dmp (Filesize: 220KB)
- memory/960-55-0x0000000010000000-0x0000000010037000-memory.dmp (Filesize: 220KB)
- memory/960-59-0x0000000010000000-0x0000000010037000-memory.dmp (Filesize: 220KB)
- memory/960-56-0x0000000010000000-0x0000000010037000-memory.dmp (Filesize: 220KB)
- memory/1120-66-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
- memory/1120-68-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
- memory/1120-70-0x0000000000460000-0x00000000004D2000-memory.dmp (Filesize: 456KB)
- memory/1120-67-0x0000000000460000-0x00000000004D2000-memory.dmp (Filesize: 456KB)
- memory/1120-65-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
- memory/1120-62-0x0000000000000000-mapping.dmp
- memory/1120-83-0x0000000000460000-0x00000000004D2000-memory.dmp (Filesize: 456KB)
- memory/1332-76-0x000000004AD00000-0x000000004AD4C000-memory.dmp (Filesize: 304KB)
- memory/1332-77-0x000000004AD00000-0x000000004AD4C000-memory.dmp (Filesize: 304KB)
- memory/1332-79-0x000000004AD00000-0x000000004AD4C000-memory.dmp (Filesize: 304KB)
- memory/1332-78-0x000000004AD00000-0x000000004AD4C000-memory.dmp (Filesize: 304KB)
- memory/1332-80-0x000000004AD00000-0x000000004AD4C000-memory.dmp (Filesize: 304KB)
- memory/1332-81-0x000000004AD00000-0x000000004AD4C000-memory.dmp (Filesize: 304KB)
- memory/1332-82-0x0000000000230000-0x00000000002A2000-memory.dmp (Filesize: 456KB)
- memory/1332-75-0x000000004AD00000-0x000000004AD4C000-memory.dmp (Filesize: 304KB)
- memory/1332-72-0x0000000000000000-mapping.dmp