Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
21/01/2024, 12:12
Static task
static1
Behavioral task
behavioral1
Sample
6d47b57641c1a77dfee5936f57acd3a5.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
6d47b57641c1a77dfee5936f57acd3a5.exe
Resource
win10v2004-20231215-en
General
-
Target
6d47b57641c1a77dfee5936f57acd3a5.exe
-
Size
192KB
-
MD5
6d47b57641c1a77dfee5936f57acd3a5
-
SHA1
0b18c34470f2bf4a842682d6ed4b8842e275b89f
-
SHA256
85057d4de7a020aa015e2ffec53288027ce475e3df426e462bb7beffbab91ca6
-
SHA512
d593236dcab8d2e38c20c05621f12374ec7033108778f687a46204630bf92ebccd320d8cab27cbb1dab8c281ff5b675f14500345289178a5f7bb2182d0d6d485
-
SSDEEP
3072:JpLBJINfkw8GlYsWJYmi1uUF0HprVtWKBMR7PlPB2:JZ812WOph/MRT58
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies firewall policy service 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List wmpdb32.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpdb32.exe = "C:\\Windows\\SysWOW64\\wmpdb32.exe:*:Enabled:Windows Database Service" wmpdb32.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List wmpdb32.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpdb32.exe = "C:\\Windows\\SysWOW64\\wmpdb32.exe:*:Enabled:Windows Database Service" wmpdb32.exe -
Deletes itself 1 IoCs
pid Process 2668 wmpdb32.exe -
Executes dropped EXE 2 IoCs
pid Process 2752 wmpdb32.exe 2668 wmpdb32.exe -
Loads dropped DLL 3 IoCs
pid Process 2472 6d47b57641c1a77dfee5936f57acd3a5.exe 2472 6d47b57641c1a77dfee5936f57acd3a5.exe 2752 wmpdb32.exe -
resource yara_rule behavioral1/memory/2472-2-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2472-3-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2472-4-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2472-7-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2472-6-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2472-9-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2472-8-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2472-20-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2668-32-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2668-34-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2668-33-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2668-38-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2668-57-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2668-67-0x0000000000400000-0x0000000000458000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Database Service = "C:\\Windows\\SysWOW64\\wmpdb32.exe" wmpdb32.exe -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wmpdb32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 wmpdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 6d47b57641c1a77dfee5936f57acd3a5.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 6d47b57641c1a77dfee5936f57acd3a5.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ 6d47b57641c1a77dfee5936f57acd3a5.exe File opened for modification C:\Windows\SysWOW64\wmpdb32.exe 6d47b57641c1a77dfee5936f57acd3a5.exe File created C:\Windows\SysWOW64\wmpdb32.exe 6d47b57641c1a77dfee5936f57acd3a5.exe File opened for modification C:\Windows\SysWOW64\ wmpdb32.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2168 set thread context of 2472 2168 6d47b57641c1a77dfee5936f57acd3a5.exe 29 PID 2752 set thread context of 2668 2752 wmpdb32.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2472 6d47b57641c1a77dfee5936f57acd3a5.exe 2472 6d47b57641c1a77dfee5936f57acd3a5.exe 2668 wmpdb32.exe 2668 wmpdb32.exe 2668 wmpdb32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2668 wmpdb32.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 2168 wrote to memory of 2472 2168 6d47b57641c1a77dfee5936f57acd3a5.exe 29 PID 2168 wrote to memory of 2472 2168 6d47b57641c1a77dfee5936f57acd3a5.exe 29 PID 2168 wrote to memory of 2472 2168 6d47b57641c1a77dfee5936f57acd3a5.exe 29 PID 2168 wrote to memory of 2472 2168 6d47b57641c1a77dfee5936f57acd3a5.exe 29 PID 2168 wrote to memory of 2472 2168 6d47b57641c1a77dfee5936f57acd3a5.exe 29 PID 2168 wrote to memory of 2472 2168 6d47b57641c1a77dfee5936f57acd3a5.exe 29 PID 2168 wrote to memory of 2472 2168 6d47b57641c1a77dfee5936f57acd3a5.exe 29 PID 2472 wrote to memory of 2752 2472 6d47b57641c1a77dfee5936f57acd3a5.exe 30 PID 2472 wrote to memory of 2752 2472 6d47b57641c1a77dfee5936f57acd3a5.exe 30 PID 2472 wrote to memory of 2752 2472 6d47b57641c1a77dfee5936f57acd3a5.exe 30 PID 2472 wrote to memory of 2752 2472 6d47b57641c1a77dfee5936f57acd3a5.exe 30 PID 2752 wrote to memory of 2668 2752 wmpdb32.exe 31 PID 2752 wrote to memory of 2668 2752 wmpdb32.exe 31 PID 2752 wrote to memory of 2668 2752 wmpdb32.exe 31 PID 2752 wrote to memory of 2668 2752 wmpdb32.exe 31 PID 2752 wrote to memory of 2668 2752 wmpdb32.exe 31 PID 2752 wrote to memory of 2668 2752 wmpdb32.exe 31 PID 2752 wrote to memory of 2668 2752 wmpdb32.exe 31 PID 2668 wrote to memory of 436 2668 wmpdb32.exe 24 PID 2668 wrote to memory of 436 2668 wmpdb32.exe 24 PID 2668 wrote to memory of 260 2668 wmpdb32.exe 28 PID 2668 wrote to memory of 388 2668 wmpdb32.exe 26 PID 2668 wrote to memory of 436 2668 wmpdb32.exe 24 PID 2668 wrote to memory of 480 2668 wmpdb32.exe 23 PID 2668 wrote to memory of 504 2668 wmpdb32.exe 21 PID 2668 wrote to memory of 604 2668 wmpdb32.exe 20 PID 2668 wrote to memory of 684 2668 wmpdb32.exe 19 PID 2668 wrote to memory of 756 2668 wmpdb32.exe 18 PID 2668 wrote to memory of 824 2668 wmpdb32.exe 17 PID 2668 wrote to memory of 860 2668 wmpdb32.exe 16 PID 2668 wrote to memory of 980 2668 wmpdb32.exe 14 PID 2668 wrote to memory of 272 2668 wmpdb32.exe 13 PID 2668 wrote to memory of 1044 2668 wmpdb32.exe 12 PID 2668 wrote to memory of 1072 2668 wmpdb32.exe 11 PID 2668 wrote to memory of 1104 2668 wmpdb32.exe 10 PID 2668 wrote to memory of 1112 2668 wmpdb32.exe 9 PID 2668 wrote to memory of 1156 2668 wmpdb32.exe 8 PID 2668 wrote to memory of 1500 2668 wmpdb32.exe 5 PID 2668 wrote to memory of 2320 2668 wmpdb32.exe 3 PID 2668 wrote to memory of 1628 2668 wmpdb32.exe 2
Processes
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe1⤵PID:1628
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation1⤵PID:2320
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵PID:1500
-
C:\Users\Admin\AppData\Local\Temp\6d47b57641c1a77dfee5936f57acd3a5.exe"C:\Users\Admin\AppData\Local\Temp\6d47b57641c1a77dfee5936f57acd3a5.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\6d47b57641c1a77dfee5936f57acd3a5.exe"C:\Users\Admin\AppData\Local\Temp\6d47b57641c1a77dfee5936f57acd3a5.exe"2⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\wmpdb32.exe"C:\Windows\SysWOW64\wmpdb32.exe" C:\Users\Admin\AppData\Local\Temp\6D47B5~1.EXE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\wmpdb32.exe"C:\Windows\SysWOW64\wmpdb32.exe" C:\Users\Admin\AppData\Local\Temp\6D47B5~1.EXE4⤵
- Modifies firewall policy service
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork1⤵PID:1156
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1112
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1104
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1072
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1044
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService1⤵PID:272
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService1⤵PID:980
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:860
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted1⤵PID:824
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:756
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS1⤵PID:684
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵PID:604
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵PID:504
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵PID:480
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:436
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:388
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:260
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
192KB
MD56d47b57641c1a77dfee5936f57acd3a5
SHA10b18c34470f2bf4a842682d6ed4b8842e275b89f
SHA25685057d4de7a020aa015e2ffec53288027ce475e3df426e462bb7beffbab91ca6
SHA512d593236dcab8d2e38c20c05621f12374ec7033108778f687a46204630bf92ebccd320d8cab27cbb1dab8c281ff5b675f14500345289178a5f7bb2182d0d6d485