Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system -
submitted
16/01/2024, 10:41
Behavioral task
behavioral1
Sample
5fb1da1d27e51c036e788d171e641819.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
5fb1da1d27e51c036e788d171e641819.exe
Resource
win10v2004-20231215-en
General
-
Target
5fb1da1d27e51c036e788d171e641819.exe
-
Size
49KB
-
MD5
5fb1da1d27e51c036e788d171e641819
-
SHA1
a2250f189da33775857e5c78a88a9f4e2b30f8e0
-
SHA256
00b99ea9c4a00742c356b29dee039c17891eb9cef040aec7842b7c38899622b6
-
SHA512
c264528584cf841c2a6088875b34863c5a76b035b6a22ac74fa744141afe22ddadf218ede7f579394a3192113c57a4ca4923df584023c41dbc2193a977bb6845
-
SSDEEP
768:3i5bXB5eA37KrHaqEgd0l9Ad11TYp9OeejptTLhSRlrlBI:S5d5eM7K7hEh83S/rue
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | 5fb1da1d27e51c036e788d171e641819.exe
-
Executes dropped EXE 1 IoCs
pid | process
5056 | msdlli.exe
-
resource | yara_rule
behavioral2/memory/2940-0-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral2/files/0x0003000000022764-4.dat | upx
behavioral2/files/0x0003000000022764-3.dat | upx
behavioral2/memory/2940-5-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral2/memory/5056-8-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral2/memory/5056-10-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral2/memory/5056-14-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral2/memory/5056-16-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral2/memory/5056-18-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral2/memory/5056-20-0x0000000000400000-0x0000000000422000-memory.dmp | upx
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS DLL IN = "C:\\Windows\\SysWOW64\\msdlli.exe" | msdlli.exe
-
Drops file in System32 directory 5 IoCs
description | ioc | process
File created | C:\Windows\SysWOW64\msdlli.exe | 5fb1da1d27e51c036e788d171e641819.exe
File opened for modification | C:\Windows\SysWOW64\msdlli.exe | 5fb1da1d27e51c036e788d171e641819.exe
File opened for modification | C:\Windows\SysWOW64\msdlli.exe | msdlli.exe
File created | C:\Windows\SysWOW64\svchost.dll | msdlli.exe
File opened for modification | C:\Windows\SysWOW64\svchost.dll | msdlli.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | process
Token: SeDebugPrivilege | 2940 | 5fb1da1d27e51c036e788d171e641819.exe
Token: SeShutdownPrivilege | 2940 | 5fb1da1d27e51c036e788d171e641819.exe
Token: SeDebugPrivilege | 5056 | msdlli.exe
Token: SeShutdownPrivilege | 5056 | msdlli.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | process | procid_target
PID 2940 wrote to memory of 3508 | 2940 | 5fb1da1d27e51c036e788d171e641819.exe | 94
PID 2940 wrote to memory of 3508 | 2940 | 5fb1da1d27e51c036e788d171e641819.exe | 94
PID 2940 wrote to memory of 3508 | 2940 | 5fb1da1d27e51c036e788d171e641819.exe | 94
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\5fb1da1d27e51c036e788d171e641819.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5fb1da1d27e51c036e788d171e641819.exe"
   - Checks computer location settings
   - Drops file in System32 directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2940
   2. C:\Windows\SysWOW64\cmd.exe (child of PID 2940)
      Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\5FB1DA~1.EXE" >> NUL
      PID: 3508
-
1. C:\Windows\SysWOW64\msdlli.exe
   Command line: C:\Windows\SysWOW64\msdlli.exe
   - Executes dropped EXE
   - Adds Run key to start application
   - Drops file in System32 directory
   - Suspicious use of AdjustPrivilegeToken
   PID: 5056
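As an added example (this is not part of the sandbox report and not Triage's code), the script below turns the three behaviours visible in the process tree and IoCs above into detection rules and runs them over a handful of event records: four constructed from this report (the drop of msdlli.exe into SysWOW64, the cmd.exe self-delete of the dropper by its 8.3 short name, the WOW6432Node Run key, and msdlli.exe writing svchost.dll) plus two constructed benign events as controls. The `Event` record shape, the `SERVICING_IMAGES` allowlist and the benign control events are assumptions made for illustration; the 8.3 short-name matching exists because `del "…\5FB1DA~1.EXE"` would otherwise never match the long dropper name recorded for the parent process.

```python
"""Behavioural detections for the sandbox report above (added example, not Triage's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Assumed allowlist of binaries that legitimately write executables into system directories.
SERVICING_IMAGES = ("trustedinstaller.exe", "tiworker.exe", "msiexec.exe", "dism.exe")
RUN_KEY_RE = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run(?:once)?\\", re.I)
DEL_RE = re.compile(r'\bdel\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))', re.I)


@dataclass
class Event:
    kind: str          # "proc_create" | "file_create" | "reg_set" (assumed schema)
    image: str         # image path of the acting process
    pid: int
    data: Dict[str, object]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def short_name_matches(candidate: str, full: str) -> bool:
    """True if candidate names the same file as full, allowing an 8.3 short form (5FB1DA~1.EXE)."""
    c, f = basename(candidate), basename(full)
    if c == f:
        return True
    if "~" not in c:
        return False
    stem, _, rest = c.partition("~")                 # "5fb1da", "~", "1.exe"
    ext = rest.rsplit(".", 1)[-1] if "." in rest else ""
    fstem, _, fext = f.rpartition(".")
    # 8.3 names keep the first characters of the long stem and the first three of the extension
    return bool(stem) and fstem.replace(" ", "").replace(".", "").startswith(stem) and fext[:3] == ext


def run_key_persistence(ev: Event) -> Optional[str]:
    """Run/RunOnce value whose target lives in System32 or SysWOW64 (seen: MS DLL IN -> msdlli.exe)."""
    if ev.kind != "reg_set" or not RUN_KEY_RE.search(str(ev.data["key"])):
        return None
    target = str(ev.data["value"]).strip('"').lower()
    if target.startswith(SYSTEM_DIRS):
        return f"run-key persistence into a system directory: {ev.data['key']} = {ev.data['value']} (pid {ev.pid})"
    return None


def system_dir_drop(ev: Event) -> Optional[str]:
    """Executable or DLL created in a system directory by a dropper or by a non-servicing process."""
    if ev.kind != "file_create":
        return None
    path = str(ev.data["path"]).lower()
    if not path.startswith(SYSTEM_DIRS) or not path.endswith((".exe", ".dll")):
        return None
    writer = ev.image.lower()
    if writer.startswith(USER_WRITABLE):
        return f"executable dropped into system directory from user-writable path: {ev.image} -> {ev.data['path']}"
    if basename(writer) not in SERVICING_IMAGES:
        return f"executable written into system directory by non-servicing process: {ev.image} -> {ev.data['path']}"
    return None


def self_delete(ev: Event) -> Optional[str]:
    """cmd.exe spawned to delete its own parent's image (seen: /c del "...\\5FB1DA~1.EXE" >> NUL)."""
    if ev.kind != "proc_create" or basename(ev.image) != "cmd.exe":
        return None
    parent = ev.data.get("parent_image")
    m = DEL_RE.search(str(ev.data.get("cmdline", "")))
    if parent and m and short_name_matches(m.group("quoted") or m.group("bare"), str(parent)):
        return f"parent self-deletion via cmd.exe: pid {ev.data.get('parent_pid')} {parent} deleted by pid {ev.pid}"
    return None


RULES = (run_key_persistence, system_dir_drop, self_delete)


def detect(events: List[Event]) -> List[str]:
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\5fb1da1d27e51c036e788d171e641819.exe"
DROPPED = r"C:\Windows\SysWOW64\msdlli.exe"
SAMPLE_EVENTS = [  # constructed from the report's process tree and IoCs, plus two benign controls
    Event("file_create", DROPPER, 2940, {"path": DROPPED}),
    Event("proc_create", r"C:\Windows\SysWOW64\cmd.exe", 3508, {
        "parent_image": DROPPER, "parent_pid": 2940,
        "cmdline": r'"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\5FB1DA~1.EXE" >> NUL'}),
    Event("reg_set", DROPPED, 5056, {
        "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS DLL IN",
        "value": DROPPED}),
    Event("file_create", DROPPED, 5056, {"path": r"C:\Windows\SysWOW64\svchost.dll"}),
    # constructed benign controls: Windows servicing and a vendor installer's Run entry
    Event("file_create", r"C:\Windows\servicing\TrustedInstaller.exe", 1200, {"path": r"C:\Windows\System32\ntdll.dll"}),
    Event("reg_set", r"C:\Program Files\Vendor\setup.exe", 1300, {
        "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
        "value": r"C:\Program Files\Vendor\agent.exe"}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the four report-derived events fire; the servicing write and the Program Files Run entry do not. The allowlist in `system_dir_drop` is the rule most likely to need tuning on a real fleet, since third-party installers and some drivers also write DLLs into System32.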
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
49KB
MD5 5fb1da1d27e51c036e788d171e641819
SHA1 a2250f189da33775857e5c78a88a9f4e2b30f8e0
SHA256 00b99ea9c4a00742c356b29dee039c17891eb9cef040aec7842b7c38899622b6
SHA512 c264528584cf841c2a6088875b34863c5a76b035b6a22ac74fa744141afe22ddadf218ede7f579394a3192113c57a4ca4923df584023c41dbc2193a977bb6845
-
Filesize
22KB
MD5 69f51b1cbbeeae722b1b602abf871092
SHA1 aa1f31ab17b0c46bb9ad81b526bfa9c45d0cba61
SHA256 03ae7910ce0c02dea3cf3cf5c5885c77d52fc0a87c9bc625cb742fecc787ac6f
SHA512 ac78c7d8e3d481ac791fd59d8d701c527d9adc07e14f03e0dad4d3cb3d9e9bf2a3fcbcce0bf695728a7cc1f229cb1fe9151e6ef174d013b5bc63b8bf7820f3f6