Analysis
- max time kernel: 146s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 16/01/2024, 10:41
Behavioral task: behavioral1
- Sample: 5fb1da1d27e51c036e788d171e641819.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 5fb1da1d27e51c036e788d171e641819.exe
- Resource: win10v2004-20231215-en
General
- Target: 5fb1da1d27e51c036e788d171e641819.exe
- Size: 49KB
- MD5: 5fb1da1d27e51c036e788d171e641819
- SHA1: a2250f189da33775857e5c78a88a9f4e2b30f8e0
- SHA256: 00b99ea9c4a00742c356b29dee039c17891eb9cef040aec7842b7c38899622b6
- SHA512: c264528584cf841c2a6088875b34863c5a76b035b6a22ac74fa744141afe22ddadf218ede7f579394a3192113c57a4ca4923df584023c41dbc2193a977bb6845
- SSDEEP: 768:3i5bXB5eA37KrHaqEgd0l9Ad11TYp9OeejptTLhSRlrlBI:S5d5eM7K7hEh83S/rue
Malware Config
Extracted
- metasploit
- encoder/fnstenv_mov
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Deletes itself (1 IoC)
  pid 2768, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2380, process msdlli.exe
- resource / yara_rule matches (all rule "upx")
  behavioral1/memory/1236-0-0x0000000000400000-0x0000000000422000-memory.dmp
  behavioral1/files/0x000c000000012329-3.dat
  behavioral1/memory/2380-4-0x0000000000400000-0x0000000000422000-memory.dmp
  behavioral1/memory/1236-5-0x0000000000400000-0x0000000000422000-memory.dmp
  behavioral1/files/0x000c000000012329-6.dat
  behavioral1/memory/2380-9-0x0000000000400000-0x0000000000422000-memory.dmp
  behavioral1/memory/2380-11-0x0000000000400000-0x0000000000422000-memory.dmp
  behavioral1/memory/2380-15-0x0000000000400000-0x0000000000422000-memory.dmp
  behavioral1/memory/2380-17-0x0000000000400000-0x0000000000422000-memory.dmp
  behavioral1/memory/2380-19-0x0000000000400000-0x0000000000422000-memory.dmp
  behavioral1/memory/2380-22-0x0000000000400000-0x0000000000422000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS DLL IN = "C:\\Windows\\SysWOW64\\msdlli.exe" (process: msdlli.exe)
- Drops file in System32 directory (6 IoCs)
  File created C:\Windows\SysWOW64\svchost.dll (process: msdlli.exe)
  File opened for modification C:\Windows\SysWOW64\svchost.dll (process: msdlli.exe)
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: msdlli.exe)
  File created C:\Windows\SysWOW64\msdlli.exe (process: 5fb1da1d27e51c036e788d171e641819.exe)
  File opened for modification C:\Windows\SysWOW64\msdlli.exe (process: 5fb1da1d27e51c036e788d171e641819.exe)
  File opened for modification C:\Windows\SysWOW64\msdlli.exe (process: msdlli.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (6 IoCs)
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (process: msdlli.exe)
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (process: msdlli.exe)
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (process: msdlli.exe)
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (process: msdlli.exe)
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (process: msdlli.exe)
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (process: msdlli.exe)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, pid 1236, process 5fb1da1d27e51c036e788d171e641819.exe
  Token: SeShutdownPrivilege, pid 1236, process 5fb1da1d27e51c036e788d171e641819.exe
  Token: SeDebugPrivilege, pid 2380, process msdlli.exe
  Token: SeShutdownPrivilege, pid 2380, process msdlli.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1236 wrote to memory of 2768 (pid 1236, process 5fb1da1d27e51c036e788d171e641819.exe, procid_target 29)
  PID 1236 wrote to memory of 2768 (pid 1236, process 5fb1da1d27e51c036e788d171e641819.exe, procid_target 29)
  PID 1236 wrote to memory of 2768 (pid 1236, process 5fb1da1d27e51c036e788d171e641819.exe, procid_target 29)
  PID 1236 wrote to memory of 2768 (pid 1236, process 5fb1da1d27e51c036e788d171e641819.exe, procid_target 29)
Processes
- C:\Users\Admin\AppData\Local\Temp\5fb1da1d27e51c036e788d171e641819.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5fb1da1d27e51c036e788d171e641819.exe"
  PID: 1236
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child of PID 1236)
    Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\5FB1DA~1.EXE" >> NUL
    PID: 2768
    - Deletes itself
- C:\Windows\SysWOW64\msdlli.exe
  Command line: C:\Windows\SysWOW64\msdlli.exe
  PID: 2380
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 19KB
  MD5: 0473ede26a21f7bb1af7210bcd5729df
  SHA1: 9f6b1aa5ef4bcc38e9859bb36b12611b070714ed
  SHA256: a2384c6cd6c67fbc429d29af3a3892b7318e9adf925e5e9af7f3b9afdfcf3f7a
  SHA512: 2d3d4c4cb1b6e4494fdd17951c3e9e24bd1db85533eef2a3f5ac1a3818de00c9d7cd3ee58020b67627192655ce24a797e6de73fc83dbbe623b637024a394ec5c