Analysis

max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 21/01/2024, 20:28

Static task: static1

Behavioral task: behavioral1
  Sample: 6df35106a5121ee64d3370bd1dd46a07.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 6df35106a5121ee64d3370bd1dd46a07.exe
  Resource: win10v2004-20231215-en
General

Target: 6df35106a5121ee64d3370bd1dd46a07.exe
Size: 212KB
MD5: 6df35106a5121ee64d3370bd1dd46a07
SHA1: 1959c6a4498a0c5077b110c60203e0be7765385e
SHA256: 7164576ca3aecdb5b7a9bd5bf069079aae229501261379332c9d3264d7e4aa57
SHA512: 5ee65fe6bf87d678a389d543874798b8c0c3ba0d1cfb70f99118992f205f9131724657beca914e473434a3e44565657e68c14962cb6cf93879fea4f68180fef7
SSDEEP: 6144:YZg3SzUUc897bKohiFBottttttttttttDtQSmaO38dlttttttttttttttttttwDm:bSzUUJ9nri7ottttttttttttDteazdlD
Malware Config

Extracted
  Family: metasploit
  Encoder: encoder/call4_dword_xor
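The extracted config names Metasploit's x86 call4_dword_xor encoder. That encoder prepends a small stub that finds its own address with a `call $+4` / `pop` sequence and then XORs the encoded body one 32-bit dword at a time with a fixed 4-byte key. The following Python is an added example, not code from the sandbox report or from the Metasploit project: it models only the XOR layer (the stub bytes are not reproduced) and shows the known-plaintext trick an analyst uses to recover the key from a dumped, still-encoded body. The sample payload bytes and the key are constructed; the assumption that the decoded body starts with the common Metasploit Windows x86 stager prefix `FC E8 82 00` is what makes the key recovery work.

```python
# Added example: model of a dword-XOR encoder layer (Metasploit call4_dword_xor style)
# plus known-plaintext key recovery. Not the sandbox's or Metasploit's own code.
import struct


def xor_dwords(data: bytes, key: int) -> bytes:
    """XOR `data` with a 32-bit key, one little-endian dword at a time.

    A dword encoder pads the body to a multiple of 4 first; the same function
    both encodes and decodes because XOR is its own inverse.
    """
    padded = data + b"\x00" * (-len(data) % 4)
    out = bytearray()
    for off in range(0, len(padded), 4):
        (dword,) = struct.unpack_from("<I", padded, off)
        out += struct.pack("<I", dword ^ key)
    return bytes(out)


def recover_key(encoded: bytes, known_prefix: bytes) -> int:
    """Recover the key from the first encoded dword given 4 known plaintext bytes."""
    if len(known_prefix) < 4 or len(encoded) < 4:
        raise ValueError("need at least one full dword of known plaintext")
    (enc0,) = struct.unpack_from("<I", encoded, 0)
    (plain0,) = struct.unpack_from("<I", known_prefix, 0)
    return enc0 ^ plain0


# Constructed sample, NOT the payload from this report. The leading bytes FC E8 82 00
# are assumed to be the usual Metasploit x86 stager prefix (cld; call ...), which is
# why a known-plaintext attack on the first dword is practical in practice.
SAMPLE_PAYLOAD = bytes.fromhex("fce8820000006089e531c0648b50308b520c8b5214")
SAMPLE_KEY = 0x1A2B3C4D  # constructed; the real encoder picks a random key per build
ASSUMED_STAGER_PREFIX = b"\xfc\xe8\x82\x00"


def demo() -> dict:
    """Encode the constructed payload, recover the key, and decode it again."""
    encoded = xor_dwords(SAMPLE_PAYLOAD, SAMPLE_KEY)
    key = recover_key(encoded, ASSUMED_STAGER_PREFIX)
    decoded = xor_dwords(encoded, key)[: len(SAMPLE_PAYLOAD)]  # drop the dword padding
    return {
        "key": key,
        "decoded": decoded,
        "roundtrip": decoded == SAMPLE_PAYLOAD,
    }


if __name__ == "__main__":
    result = demo()
    print(f"recovered key: {result['key']:#010x}, roundtrip ok: {result['roundtrip']}")
```

On a real dump the encoded body is the bytes immediately after the decoder stub; if the recovered key does not decode to a plausible stager, the assumed prefix is wrong for that payload variant and a different known-plaintext prefix should be tried.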
Signatures

MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Writes to the Master Boot Record (MBR)  (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.

  description                     ioc                   Process
  File opened for modification    \??\PhysicalDrive0    6df35106a5121ee64d3370bd1dd46a07.exe
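The IoC above is the raw disk device opened for writing (\??\PhysicalDrive0 is the object-manager path for \\.\PhysicalDrive0), which is how a bootkit overwrites sector 0. A responder's first check on an affected host is whether the boot code in that sector still matches a known-good baseline while the partition table is intact. The Python below is an added example, not part of the sandbox report: it parses a 512-byte MBR (boot code, the four 16-byte partition entries at offset 0x1BE, and the 0x55AA signature at 0x1FE), hashes the boot-code region, and compares it against a baseline. The two sectors it runs on are constructed stand-ins for a clean and a tampered MBR; the boot-code bytes are placeholders, not real Windows boot code.

```python
# Added example: MBR parser and baseline check. Not code from the sandbox report.
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 0x1B8      # boot code proper; 0x1B8-0x1BD hold the disk signature/reserved
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE       # 0x55 0xAA
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA, count


def parse_mbr(sector: bytes) -> dict:
    """Return boot signature validity, populated partition entries, and a hash of the boot code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    signature_ok = sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa"
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, nsectors = struct.unpack(PART_ENTRY_FMT, entry)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": nsectors,
            })
    boot_code_sha256 = hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()
    return {"signature_ok": signature_ok, "partitions": partitions, "boot_code_sha256": boot_code_sha256}


def check_against_baseline(sector: bytes, baseline_boot_code_sha256: str) -> dict:
    """Flag a sector whose boot code differs from the baseline; a bootkit typically
    keeps the partition table intact so the machine still boots, so check both."""
    info = parse_mbr(sector)
    return {
        "valid": info["signature_ok"] and bool(info["partitions"]),
        "boot_code_changed": info["boot_code_sha256"] != baseline_boot_code_sha256,
        "partitions": info["partitions"],
    }


def read_sector0(device_path: str) -> bytes:
    """Read the first sector from a raw device or image file (e.g. r'\\\\.\\PhysicalDrive0'
    on Windows, which needs administrator rights). Not exercised by the constructed demo."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed test sector from placeholder boot code and partition tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed sectors: placeholder boot code, one bootable NTFS (0x07) partition at LBA 2048.
PARTS = [(True, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20, PARTS)
# "After infection": same partition table, boot code replaced (here with a placeholder jmp $).
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x00" * 10, PARTS)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_against_baseline(sector, BASELINE))
```

The baseline hash should come from a known-good image of the same Windows build, or from the host before the incident; hashing only the first 0x1B8 bytes keeps the per-disk signature at 0x1B8 from causing false positives across machines.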
Suspicious use of SetThreadContext  (2 IoCs)
  description                            pid    Process                                 procid_target
  PID 2652 set thread context of 2880    2652   6df35106a5121ee64d3370bd1dd46a07.exe    28
  PID 2880 set thread context of 2116    2880   6df35106a5121ee64d3370bd1dd46a07.exe    29
  (procid_target is the sandbox's internal index of the target process, not its Windows PID.)

Suspicious use of SetWindowsHookEx  (2 IoCs)
  pid    Process
  2652   6df35106a5121ee64d3370bd1dd46a07.exe
  2880   6df35106a5121ee64d3370bd1dd46a07.exe

Suspicious use of WriteProcessMemory  (19 IoCs)
  description                         pid    Process                                 procid_target   count
  PID 2652 wrote to memory of 2880    2652   6df35106a5121ee64d3370bd1dd46a07.exe    28              9
  PID 2880 wrote to memory of 2116    2880   6df35106a5121ee64d3370bd1dd46a07.exe    29              10
  (The report lists each write as a separate IoC; identical rows are collapsed here with their count.)
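Read together, the SetThreadContext and WriteProcessMemory rows describe a two-hop chain: 2652 writes into and redirects a thread of 2880, which does the same to 2116, and every process in the chain runs the same image. That pattern (spawn a copy of yourself, write into it, then SetThreadContext) is the classic process-hollowing / RunPE sequence, and the last process in the chain is the one whose memory should be dumped first. The Python below is an added example, not part of the sandbox report: it parses rows in the report's own wording, pairs the two API signatures per (source, target), and reconstructs the chain. The input lines are constructed from the rows above; the process-image map is an assumption taken from the Processes section.

```python
# Added example: reconstruct an injection chain from sandbox signature rows.
# Not code from the sandbox report.
import re
from collections import defaultdict

LINE_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")


def parse_events(lines):
    """Turn report rows into (source_pid, api, target_pid) tuples; other lines are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, action, dst = int(m.group(1)), m.group(2), int(m.group(3))
        api = "SetThreadContext" if action.startswith("set") else "WriteProcessMemory"
        events.append((src, api, dst))
    return events


def find_hollowing_candidates(events, images):
    """A (src, dst) pair that saw both WriteProcessMemory and SetThreadContext is a
    hollowing candidate; flag when both ends run the same image (self-reinjection)."""
    apis = defaultdict(set)
    writes = defaultdict(int)
    for src, api, dst in events:
        apis[(src, dst)].add(api)
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
    hits = []
    for (src, dst), seen in sorted(apis.items()):
        if {"WriteProcessMemory", "SetThreadContext"} <= seen:
            hits.append({
                "src": src,
                "dst": dst,
                "writes": writes[(src, dst)],
                "same_image": images.get(src) == images.get(dst),
            })
    return hits


def injection_chain(hits):
    """Follow src -> dst edges from the one process nobody injects into; the final
    element is the process that ends up running the injected code."""
    nxt = {h["src"]: h["dst"] for h in hits}
    targets = set(nxt.values())
    roots = [s for s in nxt if s not in targets]
    if len(roots) != 1:
        return []  # no single linear chain; leave branching cases to the analyst
    chain = [roots[0]]
    while chain[-1] in nxt and nxt[chain[-1]] not in chain:
        chain.append(nxt[chain[-1]])
    return chain


# Constructed input: the rows from the report's two signatures, in the report's wording.
REPORT_LINES = (
    ["PID 2652 set thread context of 2880", "PID 2880 set thread context of 2116"]
    + ["PID 2652 wrote to memory of 2880"] * 9
    + ["PID 2880 wrote to memory of 2116"] * 10
)
# Assumed from the Processes section: every PID in the chain runs the same executable.
IMAGES = {pid: "6df35106a5121ee64d3370bd1dd46a07.exe" for pid in (2652, 2880, 2116)}

if __name__ == "__main__":
    hits = find_hollowing_candidates(parse_events(REPORT_LINES), IMAGES)
    print("candidates:", hits)
    print("chain:", " -> ".join(map(str, injection_chain(hits))))
```

The same pairing logic applies to Sysmon-style telemetry (CreateRemoteThread / process access events keyed by source and target PID); the regex is only the adapter for this report's text.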
Processes

6df35106a5121ee64d3370bd1dd46a07.exe  (PID 2652, depth 1)
  Path: C:\Users\Admin\AppData\Local\Temp\6df35106a5121ee64d3370bd1dd46a07.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6df35106a5121ee64d3370bd1dd46a07.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  6df35106a5121ee64d3370bd1dd46a07.exe  (PID 2880, depth 2, child of 2652)
    Path: C:\Users\Admin\AppData\Local\Temp\6df35106a5121ee64d3370bd1dd46a07.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6df35106a5121ee64d3370bd1dd46a07.exe"
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    6df35106a5121ee64d3370bd1dd46a07.exe  (PID 2116, depth 3, child of 2880)
      Path: C:\Users\Admin\AppData\Local\Temp\6df35106a5121ee64d3370bd1dd46a07.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\6df35106a5121ee64d3370bd1dd46a07.exe"