Analysis
- max time kernel: 139s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/01/2024, 07:21
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 5f4be5cdf986f7164e129e9969ded010.exe
  - Resource: win7-20231215-en
- Behavioral task: behavioral2
  - Sample: 5f4be5cdf986f7164e129e9969ded010.exe
  - Resource: win10v2004-20231222-en
General
- Target: 5f4be5cdf986f7164e129e9969ded010.exe
- Size: 171KB
- MD5: 5f4be5cdf986f7164e129e9969ded010
- SHA1: bdc9bbfbb4418bdd0d384e731d2ec63fcc59ffa9
- SHA256: 7de3842235d0b7bf8bdb816b489adb512f4dc4d2306f37d0c4ecf57ae432794c
- SHA512: fcac8b62d6c3665aa918c55f00adf3f188efb1c37626bd839d7b52473d4f4ecf5ce78d893724834b4b7921329ef3ebbfc09c509ae9122a92c390907b571247b4
- SSDEEP: 3072:6ii5SNA1YqWeIlEWV18JXkHRcQcgqTcLQmM17c+xeZcMzzpU25RqoMfnCj:7DeIl1WJXkHRnUTb5c+AXN5ay
Malware Config
- Extracted: metasploit (encoder/fnstenv_mov)
Signatures
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (20 IoCs), all wmplayer.exe; PIDs: 4880, 5024, 4400, 4632, 3060, 1256, 4612, 2204, 3460, 4052, 3604, 1580, 548, 4820, 2876, 1376, 932, 3164, 3336, 1032
- Drops file in System32 directory (22 IoCs), all on C:\Windows\SysWOW64\wmplayer.exe (rows grouped by description and process):
  - File created by wmplayer.exe: 10 events
  - File opened for modification by wmplayer.exe: 10 events
  - File created by 5f4be5cdf986f7164e129e9969ded010.exe: 1 event
  - File opened for modification by 5f4be5cdf986f7164e129e9969ded010.exe: 1 event
- Suspicious use of SetThreadContext (11 IoCs); format: source PID (process) set thread context of target PID (procid_target):
  - 1896 (5f4be5cdf986f7164e129e9969ded010.exe) set thread context of 4032 (90)
  - 4880 (wmplayer.exe) set thread context of 5024 (93)
  - 4400 (wmplayer.exe) set thread context of 4632 (103)
  - 3060 (wmplayer.exe) set thread context of 1256 (106)
  - 4612 (wmplayer.exe) set thread context of 2204 (109)
  - 3460 (wmplayer.exe) set thread context of 4052 (111)
  - 3604 (wmplayer.exe) set thread context of 1580 (114)
  - 548 (wmplayer.exe) set thread context of 4820 (116)
  - 2876 (wmplayer.exe) set thread context of 1376 (125)
  - 932 (wmplayer.exe) set thread context of 3164 (127)
  - 3336 (wmplayer.exe) set thread context of 1032 (132)
- Suspicious use of WriteProcessMemory (64 IoCs; identical repeated rows collapsed, repeat count in brackets); format: source PID (process) wrote to memory of target PID (procid_target):
  - 1896 (5f4be5cdf986f7164e129e9969ded010.exe) wrote to memory of 4032 (90) [x5]
  - 4032 (5f4be5cdf986f7164e129e9969ded010.exe) wrote to memory of 4880 (92) [x3]
  - 4880 (wmplayer.exe) wrote to memory of 5024 (93) [x5]
  - 5024 (wmplayer.exe) wrote to memory of 4400 (102) [x3]
  - 4400 (wmplayer.exe) wrote to memory of 4632 (103) [x5]
  - 4632 (wmplayer.exe) wrote to memory of 3060 (105) [x3]
  - 3060 (wmplayer.exe) wrote to memory of 1256 (106) [x5]
  - 1256 (wmplayer.exe) wrote to memory of 4612 (108) [x3]
  - 4612 (wmplayer.exe) wrote to memory of 2204 (109) [x5]
  - 2204 (wmplayer.exe) wrote to memory of 3460 (110) [x3]
  - 3460 (wmplayer.exe) wrote to memory of 4052 (111) [x5]
  - 4052 (wmplayer.exe) wrote to memory of 3604 (113) [x3]
  - 3604 (wmplayer.exe) wrote to memory of 1580 (114) [x5]
  - 1580 (wmplayer.exe) wrote to memory of 548 (115) [x3]
  - 548 (wmplayer.exe) wrote to memory of 4820 (116) [x5]
  - 4820 (wmplayer.exe) wrote to memory of 2876 (124) [x3]
Processes (depth = nesting level in the process tree; each entry lists image path, command line, PID and triggered signatures)
- Depth 1: C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe (PID 1896)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- Depth 2: C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe (PID 4032)
  Command line: C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Depth 3: C:\Windows\SysWOW64\wmplayer.exe (PID 4880)
  Command line: C:\Windows\system32\wmplayer.exe 1000 "C:\Users\Admin\AppData\Local\Temp\5f4be5cdf986f7164e129e9969ded010.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- Depth 4: C:\Windows\SysWOW64\wmplayer.exe (PID 5024)
  Command line: C:\Windows\SysWOW64\wmplayer.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Depth 5: C:\Windows\SysWOW64\wmplayer.exe (PID 4400)
  Command line: C:\Windows\system32\wmplayer.exe 1160 "C:\Windows\SysWOW64\wmplayer.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- Depth 6: C:\Windows\SysWOW64\wmplayer.exe (PID 4632)
  Command line: C:\Windows\SysWOW64\wmplayer.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Depth 7: C:\Windows\SysWOW64\wmplayer.exe (PID 3060)
  Command line: C:\Windows\system32\wmplayer.exe 1120 "C:\Windows\SysWOW64\wmplayer.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- Depth 8: C:\Windows\SysWOW64\wmplayer.exe (PID 1256)
  Command line: C:\Windows\SysWOW64\wmplayer.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Depth 9: C:\Windows\SysWOW64\wmplayer.exe (PID 4612)
  Command line: C:\Windows\system32\wmplayer.exe 1124 "C:\Windows\SysWOW64\wmplayer.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- Depth 10: C:\Windows\SysWOW64\wmplayer.exe (PID 2204)
  Command line: C:\Windows\SysWOW64\wmplayer.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Depth 11: C:\Windows\SysWOW64\wmplayer.exe (PID 3460)
  Command line: C:\Windows\system32\wmplayer.exe 1124 "C:\Windows\SysWOW64\wmplayer.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- Depth 12: C:\Windows\SysWOW64\wmplayer.exe (PID 4052)
  Command line: C:\Windows\SysWOW64\wmplayer.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Depth 13: C:\Windows\SysWOW64\wmplayer.exe (PID 3604)
  Command line: C:\Windows\system32\wmplayer.exe 1124 "C:\Windows\SysWOW64\wmplayer.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- Depth 14: C:\Windows\SysWOW64\wmplayer.exe (PID 1580)
  Command line: C:\Windows\SysWOW64\wmplayer.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Depth 15: C:\Windows\SysWOW64\wmplayer.exe (PID 548)
  Command line: C:\Windows\system32\wmplayer.exe 1120 "C:\Windows\SysWOW64\wmplayer.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- Depth 16: C:\Windows\SysWOW64\wmplayer.exe (PID 4820)
  Command line: C:\Windows\SysWOW64\wmplayer.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Depth 17: C:\Windows\SysWOW64\wmplayer.exe (PID 2876)
  Command line: C:\Windows\system32\wmplayer.exe 1120 "C:\Windows\SysWOW64\wmplayer.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- Depth 18: C:\Windows\SysWOW64\wmplayer.exe (PID 1376)
  Command line: C:\Windows\SysWOW64\wmplayer.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- Depth 19: C:\Windows\SysWOW64\wmplayer.exe (PID 932)
  Command line: C:\Windows\system32\wmplayer.exe 1120 "C:\Windows\SysWOW64\wmplayer.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- Depth 20: C:\Windows\SysWOW64\wmplayer.exe (PID 3164)
  Command line: C:\Windows\SysWOW64\wmplayer.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- Depth 21: C:\Windows\SysWOW64\wmplayer.exe (PID 3336)
  Command line: C:\Windows\system32\wmplayer.exe 1120 "C:\Windows\SysWOW64\wmplayer.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- Depth 22: C:\Windows\SysWOW64\wmplayer.exe (PID 1032)
  Command line: C:\Windows\SysWOW64\wmplayer.exe
  - Executes dropped EXE
  - Drops file in System32 directory
Downloads
- File 1
  - Filesize: 68KB
  - MD5: 317cc731079dba5b72b6cc95183e7eff
  - SHA1: 905c5fc402dca354115ed11e16b236efe1ba8e19
  - SHA256: 2306b6df780429f9680cd7e458a7bbd61497b8b7a985260f658aa9ef5bdb7e17
  - SHA512: 17615491a5da39e058ffcf88c71e488502a1ed886b6fcfecde23525490e96b1cd3a9567b3493782d89fa61a47f579cf863a682cf07449d9576a9590f42a94407
- File 2
  - Filesize: 171KB
  - MD5: 5f4be5cdf986f7164e129e9969ded010
  - SHA1: bdc9bbfbb4418bdd0d384e731d2ec63fcc59ffa9
  - SHA256: 7de3842235d0b7bf8bdb816b489adb512f4dc4d2306f37d0c4ecf57ae432794c
  - SHA512: fcac8b62d6c3665aa918c55f00adf3f188efb1c37626bd839d7b52473d4f4ecf5ce78d893724834b4b7921329ef3ebbfc09c509ae9122a92c390907b571247b4