Analysis
- max time kernel: 141s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 16/01/2024, 07:21
Static task: static1
Behavioral task: behavioral1
- Sample: 5f4be5cdf986f7164e129e9969ded010.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 5f4be5cdf986f7164e129e9969ded010.exe
- Resource: win10v2004-20231222-en
General
- Target: 5f4be5cdf986f7164e129e9969ded010.exe
- Size: 171KB
- MD5: 5f4be5cdf986f7164e129e9969ded010
- SHA1: bdc9bbfbb4418bdd0d384e731d2ec63fcc59ffa9
- SHA256: 7de3842235d0b7bf8bdb816b489adb512f4dc4d2306f37d0c4ecf57ae432794c
- SHA512: fcac8b62d6c3665aa918c55f00adf3f188efb1c37626bd839d7b52473d4f4ecf5ce78d893724834b4b7921329ef3ebbfc09c509ae9122a92c390907b571247b4
- SSDEEP: 3072:6ii5SNA1YqWeIlEWV18JXkHRcQcgqTcLQmM17c+xeZcMzzpU25RqoMfnCj:7DeIl1WJXkHRnUTb5c+AXN5ay
Malware Config
Extracted
- metasploit
- encoder/fnstenv_mov
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (20 IoCs)
  pid   Process
  2316  wmplayer.exe
  2784  wmplayer.exe
  2660  wmplayer.exe
  2580  wmplayer.exe
  640   wmplayer.exe
  580   wmplayer.exe
  2920  wmplayer.exe
  2944  wmplayer.exe
  1784  wmplayer.exe
  572   wmplayer.exe
  2264  wmplayer.exe
  2312  wmplayer.exe
  1292  wmplayer.exe
  292   wmplayer.exe
  1788  wmplayer.exe
  2844  wmplayer.exe
  2840  wmplayer.exe
  3036  wmplayer.exe
  548   wmplayer.exe
  2040  wmplayer.exe
- Loads dropped DLL (21 IoCs)
  pid   Process
  2848  5f4be5cdf986f7164e129e9969ded010.exe
  2848  5f4be5cdf986f7164e129e9969ded010.exe
  2316  wmplayer.exe
  2784  wmplayer.exe
  2784  wmplayer.exe
  2580  wmplayer.exe
  2580  wmplayer.exe
  580   wmplayer.exe
  580   wmplayer.exe
  2944  wmplayer.exe
  2944  wmplayer.exe
  572   wmplayer.exe
  572   wmplayer.exe
  2312  wmplayer.exe
  2312  wmplayer.exe
  292   wmplayer.exe
  292   wmplayer.exe
  2844  wmplayer.exe
  2844  wmplayer.exe
  3036  wmplayer.exe
  3036  wmplayer.exe
- Drops file in System32 directory (22 IoCs)
  description                   ioc                               Process
  File created                  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File created                  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File opened for modification  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File created                  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File opened for modification  C:\Windows\SysWOW64\wmplayer.exe  5f4be5cdf986f7164e129e9969ded010.exe
  File opened for modification  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File opened for modification  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File created                  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File opened for modification  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File created                  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File opened for modification  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File opened for modification  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File created                  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File created                  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File opened for modification  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File created                  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File opened for modification  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File opened for modification  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File created                  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File created                  C:\Windows\SysWOW64\wmplayer.exe  5f4be5cdf986f7164e129e9969ded010.exe
  File created                  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
  File opened for modification  C:\Windows\SysWOW64\wmplayer.exe  wmplayer.exe
- Suspicious use of SetThreadContext (11 IoCs)
  description                              pid   Process                               procid_target
  PID 2060 set thread context of 2848      2060  5f4be5cdf986f7164e129e9969ded010.exe  28
  PID 2316 set thread context of 2784      2316  wmplayer.exe                          30
  PID 2660 set thread context of 2580      2660  wmplayer.exe                          32
  PID 640 set thread context of 580        640   wmplayer.exe                          36
  PID 2920 set thread context of 2944      2920  wmplayer.exe                          38
  PID 1784 set thread context of 572       1784  wmplayer.exe                          40
  PID 2264 set thread context of 2312      2264  wmplayer.exe                          42
  PID 1292 set thread context of 292       1292  wmplayer.exe                          44
  PID 1788 set thread context of 2844      1788  wmplayer.exe                          46
  PID 2840 set thread context of 3036      2840  wmplayer.exe                          48
  PID 548 set thread context of 2040       548   wmplayer.exe                          50
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry below is a child of the entry above it; the number gives its depth in the process tree.
1. C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe"
   PID: 2060
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe
   PID: 2848
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\wmplayer.exe
   Command line: C:\Windows\system32\wmplayer.exe 496 "C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe"
   PID: 2316
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\wmplayer.exe
   Command line: C:\Windows\SysWOW64\wmplayer.exe
   PID: 2784
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\wmplayer.exe
   Command line: C:\Windows\system32\wmplayer.exe 524 "C:\Windows\SysWOW64\wmplayer.exe"
   PID: 2660
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\wmplayer.exe
   Command line: C:\Windows\SysWOW64\wmplayer.exe
   PID: 2580
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\wmplayer.exe
   Command line: C:\Windows\system32\wmplayer.exe 524 "C:\Windows\SysWOW64\wmplayer.exe"
   PID: 640
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\wmplayer.exe
   Command line: C:\Windows\SysWOW64\wmplayer.exe
   PID: 580
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\wmplayer.exe
   Command line: C:\Windows\system32\wmplayer.exe 532 "C:\Windows\SysWOW64\wmplayer.exe"
   PID: 2920
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\wmplayer.exe
    Command line: C:\Windows\SysWOW64\wmplayer.exe
    PID: 2944
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\wmplayer.exe
    Command line: C:\Windows\system32\wmplayer.exe 524 "C:\Windows\SysWOW64\wmplayer.exe"
    PID: 1784
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\wmplayer.exe
    Command line: C:\Windows\SysWOW64\wmplayer.exe
    PID: 572
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\wmplayer.exe
    Command line: C:\Windows\system32\wmplayer.exe 536 "C:\Windows\SysWOW64\wmplayer.exe"
    PID: 2264
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\wmplayer.exe
    Command line: C:\Windows\SysWOW64\wmplayer.exe
    PID: 2312
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
15. C:\Windows\SysWOW64\wmplayer.exe
    Command line: C:\Windows\system32\wmplayer.exe 524 "C:\Windows\SysWOW64\wmplayer.exe"
    PID: 1292
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
16. C:\Windows\SysWOW64\wmplayer.exe
    Command line: C:\Windows\SysWOW64\wmplayer.exe
    PID: 292
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
17. C:\Windows\SysWOW64\wmplayer.exe
    Command line: C:\Windows\system32\wmplayer.exe 532 "C:\Windows\SysWOW64\wmplayer.exe"
    PID: 1788
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
18. C:\Windows\SysWOW64\wmplayer.exe
    Command line: C:\Windows\SysWOW64\wmplayer.exe
    PID: 2844
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
19. C:\Windows\SysWOW64\wmplayer.exe
    Command line: C:\Windows\system32\wmplayer.exe 524 "C:\Windows\SysWOW64\wmplayer.exe"
    PID: 2840
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
20. C:\Windows\SysWOW64\wmplayer.exe
    Command line: C:\Windows\SysWOW64\wmplayer.exe
    PID: 3036
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
21. C:\Windows\SysWOW64\wmplayer.exe
    Command line: C:\Windows\system32\wmplayer.exe 540 "C:\Windows\SysWOW64\wmplayer.exe"
    PID: 548
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
22. C:\Windows\SysWOW64\wmplayer.exe
    Command line: C:\Windows\SysWOW64\wmplayer.exe
    PID: 2040
    - Executes dropped EXE
    - Drops file in System32 directory
Downloads
- Filesize: 128KB
  MD5: b8dc52d7ed6a8d7d025c234466e277d1
  SHA1: dc16b2e49ae2ea2b9ad2614625fe04618e5105b1
  SHA256: 404bdac97706a187e7a376b9f4095bcb53cf8d916cdbea0463660711c76258cc
  SHA512: 942b623650d49f09ff8b251f6acff9e56dfe1d65c7864e6157a1b0601fde2fbd1f4dc360b9d3ed7644fb47112a79204b504545609ce003f24b59bf2e2a801513
- Filesize: 89KB
  MD5: 904e4e34cc63bb5539926b45e0c30512
  SHA1: 06200ddfdffe002ba1ebadf4afe22e527c93f561
  SHA256: e26f837ef7c451c1f0d114eac752fd0893d797fa81ce325f7fce67680df021c2
  SHA512: 8a7ba3d2859c7159c7ee77d23c82478f4636229932218112b80f3486c297ba67a97b21001c8ec04fb5fd99df43d69dd8bf8a657f07c1d7d21ce7d9a25bd54d64
- Filesize: 171KB
  MD5: 5f4be5cdf986f7164e129e9969ded010
  SHA1: bdc9bbfbb4418bdd0d384e731d2ec63fcc59ffa9
  SHA256: 7de3842235d0b7bf8bdb816b489adb512f4dc4d2306f37d0c4ecf57ae432794c
  SHA512: fcac8b62d6c3665aa918c55f00adf3f188efb1c37626bd839d7b52473d4f4ecf5ce78d893724834b4b7921329ef3ebbfc09c509ae9122a92c390907b571247b4