General

  • Target

    6cac3edade1c563284d2150566b3c7dc

  • Size

    198KB

  • Sample

    240121-hx5npsghf3

  • MD5

    6cac3edade1c563284d2150566b3c7dc

  • SHA1

    1e0d2eee80c6373a761d6f9eb4a0c39f81b657ee

  • SHA256

    d0ffb52eec8194c4676fcfa3c4b1e3fc62180f937dbb2ad2226585bd4923c200

  • SHA512

    3554ac78c93a901f6a472315940b07e71d9a49e5e58aeecff56bca8e518829395294d48d4b32ea1ef083e4892c4a3fd82c166b006da48118d8f45916ad1ed640

  • SSDEEP

    3072:IUo1ZKwtFw6ZI/DT2+W8LqYiLX4l+z2e4598y+6ddiw4:5o1ZXZIO+XulLX4l+zT459d+6dkh

Malware Config

Extracted

  • Family

    metasploit

  • Version

    encoder/call4_dword_xor

Targets

    • Target

      6cac3edade1c563284d2150566b3c7dc

    • Size

      198KB

    • MD5

      6cac3edade1c563284d2150566b3c7dc

    • SHA1

      1e0d2eee80c6373a761d6f9eb4a0c39f81b657ee

    • SHA256

      d0ffb52eec8194c4676fcfa3c4b1e3fc62180f937dbb2ad2226585bd4923c200

    • SHA512

      3554ac78c93a901f6a472315940b07e71d9a49e5e58aeecff56bca8e518829395294d48d4b32ea1ef083e4892c4a3fd82c166b006da48118d8f45916ad1ed640

    • SSDEEP

      3072:IUo1ZKwtFw6ZI/DT2+W8LqYiLX4l+z2e4598y+6ddiw4:5o1ZXZIO+XulLX4l+zT459d+6dkh

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks