Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    21/01/2024, 12:45

General

  • Target

    Golove.exe

  • Size

    31KB

  • MD5

    e9dc029457e9d23c8db988c4c0585bfa

  • SHA1

    3d670aa59c97d831e5097b69734b994bf4144cbb

  • SHA256

    18ba6cd59749904247bade4b75429e2ac2c4ee2a6fe206ebd114e89283f8f5db

  • SHA512

    3a6138fd199b3cd0a12f4a1ca193823b32afa557a3d7af5e279cc96edb3fcab31fcf6bbff357d089331f47a295e83222f17a45be3dd4254de88b06bf98f379a9

  • SSDEEP

    192:+np66k5gQDVAU3l6+eKdv3Zn4TJrJfsQ5XfDcyLwaBg1+Cfs2LzwYDK7UlVSq7j4:GO/5AwJtZ4RFskLt

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

124.221.70.199:8983

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1248
    • C:\Users\Admin\AppData\Local\Temp\Golove.exe
      "C:\Users\Admin\AppData\Local\Temp\Golove.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2396

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1248-0-0x00000000021C0000-0x00000000021C1000-memory.dmp

          Filesize

          4KB

        • memory/1248-1-0x00000000021C0000-0x00000000021C1000-memory.dmp

          Filesize

          4KB

        • memory/1248-2-0x00000000021C0000-0x00000000021C1000-memory.dmp

          Filesize

          4KB