Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/01/2024, 10:41

General

  • Target

    5fb1da1d27e51c036e788d171e641819.exe

  • Size

    49KB

  • MD5

    5fb1da1d27e51c036e788d171e641819

  • SHA1

    a2250f189da33775857e5c78a88a9f4e2b30f8e0

  • SHA256

    00b99ea9c4a00742c356b29dee039c17891eb9cef040aec7842b7c38899622b6

  • SHA512

    c264528584cf841c2a6088875b34863c5a76b035b6a22ac74fa744141afe22ddadf218ede7f579394a3192113c57a4ca4923df584023c41dbc2193a977bb6845

  • SSDEEP

    768:3i5bXB5eA37KrHaqEgd0l9Ad11TYp9OeejptTLhSRlrlBI:S5d5eM7K7hEh83S/rue

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov
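The extracted config names the encoder as fnstenv_mov, a Metasploit x86 encoder that XORs the payload one dword at a time with a fixed key and prepends a short decoder which recovers its own address with fnstenv. The block below is an added example, not code from this page or from Metasploit: it builds such a blob from a constructed payload and then does what a config extractor has to do, scan a buffer for the decoder stub, pull the key and dword count out of it, and XOR the data back. The stub layout is an assumption modelled on the fnstenv getpc idiom (offsets derived from the instruction encodings in the comments), not a byte-for-byte copy of the Metasploit module; the payload and key are constructed.

```python
import re
import struct

# Assumed decoder-stub layout (modelled on the fnstenv "getpc" idiom; not copied
# from Metasploit). Offsets follow from the instruction encodings:
#
#   6A nn / 59            push byte nn ; pop ecx   (or B9 imm32: mov ecx, imm32)
#   D9 EE                 fldz                      <- the FPU IP that fnstenv saves
#   D9 74 24 F4           fnstenv [esp-0xC]         (FPU IP field lands at [esp])
#   5B                    pop ebx                   ebx = address of fldz
#   81 73 13 kk kk kk kk  xor dword [ebx+0x13], key (0x13 = bytes from fldz to payload)
#   83 EB FC              sub ebx, -4
#   E2 F4                 loop <xor>
#   <encoded payload, count dwords>
STUB_RE = re.compile(
    rb"(?:\x6a(.)\x59|\xb9(....))"      # loop counter: push/pop or mov ecx, imm32
    rb"\xd9\xee"                        # fldz
    rb"\xd9\x74\x24\xf4"                # fnstenv [esp-0xC]
    rb"\x5b"                            # pop ebx
    rb"\x81\x73\x13(....)"              # xor dword [ebx+0x13], key (captured)
    rb"\x83\xeb\xfc"                    # sub ebx, -4
    rb"\xe2\xf4",                       # loop back to the xor
    re.DOTALL,
)

def xor_dwords(data: bytes, key: int) -> bytes:
    """XOR each little-endian dword with a constant key (no feedback between blocks)."""
    return b"".join(struct.pack("<I", struct.unpack("<I", data[i:i + 4])[0] ^ key)
                    for i in range(0, len(data), 4))

def encode(payload: bytes, key: int) -> bytes:
    """Produce stub + encoded payload so the extractor below has something to find."""
    if key == 0:
        raise ValueError("a zero key leaves the payload in the clear")
    payload += b"\x90" * (-len(payload) % 4)          # pad to a dword boundary
    count = len(payload) // 4
    if count < 0x80:                                  # push imm8 sign-extends, so < 0x80
        counter = b"\x6a" + bytes([count]) + b"\x59"
    else:
        counter = b"\xb9" + struct.pack("<I", count)
    stub = (counter + b"\xd9\xee" + b"\xd9\x74\x24\xf4" + b"\x5b"
            + b"\x81\x73\x13" + struct.pack("<I", key) + b"\x83\xeb\xfc" + b"\xe2\xf4")
    return stub + xor_dwords(payload, key)

def find_and_decode(buf: bytes):
    """Scan buf for stubs; return [(stub_offset, key, dword_count, decoded_payload)]."""
    hits = []
    for m in STUB_RE.finditer(buf):
        if m.group(1) is not None:
            count = m.group(1)[0]
        else:
            count = struct.unpack("<I", m.group(2))[0]
        key = struct.unpack("<I", m.group(3))[0]
        start = m.end()                               # payload sits right after the loop
        enc = buf[start:start + 4 * count]
        if len(enc) != 4 * count:                     # stub claims more data than present
            continue
        hits.append((m.start(), key, count, xor_dwords(enc, key)))
    return hits

# Constructed sample: an ASCII marker stands in for real shellcode; the key is arbitrary.
SAMPLE_PAYLOAD = b"constructed-sample-payload-not-real-shellcode"
SAMPLE_KEY = 0xDEADBEEF

def demo():
    """Embed an encoded blob between junk bytes and recover it by scanning."""
    blob = b"\x00" * 16 + encode(SAMPLE_PAYLOAD, SAMPLE_KEY) + b"\xcc" * 8
    return find_and_decode(blob)

if __name__ == "__main__":
    for off, key, count, dec in demo():
        clean = dec.rstrip(b"\x90")
        print(f"stub @ {off:#x} key={key:#010x} dwords={count} -> {clean!r}")
```

Two points carry over to real samples: the stub's counter is a dword count, so a truncated buffer (fewer than 4*count bytes after the loop) should be rejected rather than half-decoded, and because the key is constant with no feedback, a single known plaintext dword (such as a recognisable payload prologue) is enough to recover the key even when the stub itself has been altered.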

Signatures

  • MetaSploit

    Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (1 IoC)
  • UPX packed file (10 IoCs)

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in System32 directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5fb1da1d27e51c036e788d171e641819.exe
    "C:\Users\Admin\AppData\Local\Temp\5fb1da1d27e51c036e788d171e641819.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\5FB1DA~1.EXE" >> NUL
      2⤵
        PID:3508
    • C:\Windows\SysWOW64\msdlli.exe
      C:\Windows\SysWOW64\msdlli.exe
      1⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      PID:5056
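The process tree above shows two behaviours worth detecting generically rather than by hash: the sample spawns cmd.exe to delete its own image, referring to it by the 8.3 short name 5FB1DA~1.EXE (which defeats a naive string comparison against the parent's image path), and the 49KB msdlli.exe it drops into SysWOW64 (same MD5/SHA1/SHA256 as the submitted file in the Downloads list, i.e. a copy of itself) is then executed. The block below is an added example, not code from this page or from the sandbox vendor. The event records are constructed from the tree above with my own field names; the sample's parent PID and the parentage of msdlli.exe are not stated in the report and are placeholders; the 8.3 matcher is an approximation that covers the usual XXXXXX~N form but not the hashed collision form Windows falls back to.

```python
import ntpath
import re

# cmd.exe self-delete: /c del "<path>" ... (quotes optional, stop at whitespace or redirect)
DEL_RE = re.compile(r'/c\s+del\s+"?([^"\s>]+)"?', re.IGNORECASE)
# Usual 8.3 short form: up to six base characters, a tilde, a digit, optional 3-char extension
SHORT_RE = re.compile(r'^([^~.]{1,6})~\d+(?:\.([^.]{0,3}))?$')

def short_name_matches(short: str, long: str) -> bool:
    """Approximate Windows 8.3 matching of XXXXXX~N.EXT against a long file name.
    The prefix is taken from the long base name with dots removed and non-8.3
    characters stripped; the hashed collision form (e.g. AB1234~1) is not handled."""
    m = SHORT_RE.match(short)
    if not m:
        return False
    base, ext = ntpath.splitext(long)
    clean = re.sub(r'[^A-Z0-9_-]', '', base.upper().replace('.', ''))
    want_ext = (m.group(2) or '').upper()
    return clean.startswith(m.group(1).upper()) and ext.lstrip('.').upper()[:3] == want_ext

def same_file(a: str, b: str) -> bool:
    """Case-insensitive path compare that accepts an 8.3 short name on either side."""
    da, fa = ntpath.split(a)
    db, fb = ntpath.split(b)
    if da.lower() != db.lower():
        return False
    return fa.lower() == fb.lower() or short_name_matches(fa, fb) or short_name_matches(fb, fa)

def detect_self_delete(events):
    """Return (parent_pid, deleted_path) where a cmd.exe child deletes its parent's image."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] != "process" or ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if m and parent and same_file(m.group(1), parent["image"]):
            hits.append((parent["pid"], m.group(1)))
    return hits

def detect_dropped_exec(events):
    """Return (pid, image, dropper_pid) for processes whose image was written earlier
    in the same trace by another process (the 'Executes dropped EXE' behaviour)."""
    written = {}
    hits = []
    for e in events:                                  # events are in trace order
        if e["type"] == "file_create":
            written[e["path"].lower()] = e["pid"]
        elif e["type"] == "process" and e["image"].lower() in written:
            hits.append((e["pid"], e["image"], written[e["image"].lower()]))
    return hits

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5fb1da1d27e51c036e788d171e641819.exe"
DROPPED = r"C:\Windows\SysWOW64\msdlli.exe"
# Constructed from the process tree above. Field names are mine, not the sandbox's;
# ppid 1000 for the sample and the file_create ordering are placeholders, and the
# report does not state who launched msdlli.exe, hence ppid None.
EVENTS = [
    {"type": "process", "pid": 2940, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "file_create", "pid": 2940, "path": DROPPED},
    {"type": "process", "pid": 3508, "ppid": 2940, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del '
                r'"C:\Users\Admin\AppData\Local\Temp\5FB1DA~1.EXE" >> NUL'},
    {"type": "process", "pid": 5056, "ppid": None, "image": DROPPED, "cmdline": DROPPED},
]

if __name__ == "__main__":
    print("self-delete:", detect_self_delete(EVENTS))
    print("dropped exe executed:", detect_dropped_exec(EVENTS))
```

Both rules are deliberately independent of the file hash: the self-delete rule only needs the parent/child relationship and the command line, and the dropped-EXE rule only needs file-write and process-create events in order, so they still fire when the next build of the sample has a different hash or a different dropped name.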

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Windows\SysWOW64\msdlli.exe

            Filesize

            49KB

            MD5

            5fb1da1d27e51c036e788d171e641819

            SHA1

            a2250f189da33775857e5c78a88a9f4e2b30f8e0

            SHA256

            00b99ea9c4a00742c356b29dee039c17891eb9cef040aec7842b7c38899622b6

            SHA512

            c264528584cf841c2a6088875b34863c5a76b035b6a22ac74fa744141afe22ddadf218ede7f579394a3192113c57a4ca4923df584023c41dbc2193a977bb6845

          • C:\Windows\SysWOW64\msdlli.exe

            Filesize

            22KB

            MD5

            69f51b1cbbeeae722b1b602abf871092

            SHA1

            aa1f31ab17b0c46bb9ad81b526bfa9c45d0cba61

            SHA256

            03ae7910ce0c02dea3cf3cf5c5885c77d52fc0a87c9bc625cb742fecc787ac6f

            SHA512

            ac78c7d8e3d481ac791fd59d8d701c527d9adc07e14f03e0dad4d3cb3d9e9bf2a3fcbcce0bf695728a7cc1f229cb1fe9151e6ef174d013b5bc63b8bf7820f3f6

          • memory/2940-0-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

          • memory/2940-5-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

          • memory/5056-8-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

          • memory/5056-10-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

          • memory/5056-14-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

          • memory/5056-16-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

          • memory/5056-18-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

          • memory/5056-20-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB