Analysis
max time kernel: 93s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2024, 20:28
Static task: static1
Behavioral task: behavioral1
  Sample: 6df35106a5121ee64d3370bd1dd46a07.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 6df35106a5121ee64d3370bd1dd46a07.exe
  Resource: win10v2004-20231215-en
General
Target: 6df35106a5121ee64d3370bd1dd46a07.exe
Size: 212KB
MD5: 6df35106a5121ee64d3370bd1dd46a07
SHA1: 1959c6a4498a0c5077b110c60203e0be7765385e
SHA256: 7164576ca3aecdb5b7a9bd5bf069079aae229501261379332c9d3264d7e4aa57
SHA512: 5ee65fe6bf87d678a389d543874798b8c0c3ba0d1cfb70f99118992f205f9131724657beca914e473434a3e44565657e68c14962cb6cf93879fea4f68180fef7
SSDEEP: 6144:YZg3SzUUc897bKohiFBottttttttttttDtQSmaO38dlttttttttttttttttttwDm:bSzUUJ9nri7ottttttttttttDteazdlD
Malware Config
Extracted: metasploit
encoder/call4_dword_xor
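The extracted config names Metasploit's x86 call4_dword_xor encoder, which XORs the payload one 32-bit dword at a time with a single key and prepends a small decoder stub that carries that key as an immediate. The script below is an added example, not code from this report or from the Metasploit project: it rebuilds the stub layout by hand (treat the exact byte sequence as an assumption and check it against modules/encoders/x86/call4_dword_xor.rb), encodes a constructed sample payload the same way, then recovers the key and plaintext statically by locating the stub's `xor dword [esi+0xe], imm32` instruction. The NOP padding and the `push imm8 / pop ecx` form of the ECX setup are assumptions made for the demo.

```python
"""Statically decode a payload wrapped by Metasploit's x86/call4_dword_xor encoder.

Added example: the stub layout is reconstructed by hand, not copied from the
Metasploit source, so verify it against modules/encoders/x86/call4_dword_xor.rb.
"""
import struct

# Fixed part of the decoder stub, emitted right after ECX has been loaded with
# the dword count. Offsets are relative to the `call` at stub offset 0:
#   +0  e8 ff ff ff ff   call $+4  (target is the last 0xff byte of the call itself)
#   +4  (ff) c0          inc eax   (the shared 0xff byte re-decodes as `inc eax`)
#   +6  5e               pop esi   (esi = return address = stub+5)
#   +7  81 76 0e KKKK    xor dword [esi+0x0e], key   -> touches stub+19 = first payload dword
#   +14 83 ee fc         sub esi, -4                 (esi += 4 without a 0x04 byte)
#   +17 e2 f4            loop -12                    (back to the xor at +7)
#   +19                  encoded payload
STUB_HEAD = bytes.fromhex("e8ffffffff" "c0" "5e" "81760e")
STUB_TAIL = bytes.fromhex("83eefc" "e2f4")
KEY_OFFSET = len(STUB_HEAD)                          # 10: key immediate follows 81 76 0e
PAYLOAD_OFFSET = KEY_OFFSET + 4 + len(STUB_TAIL)     # 19: matches esi+0x0e after the pop

# Constructed sample "shellcode" (13 bytes, deliberately not a multiple of 4).
SAMPLE_PAYLOAD = b"\x31\xc0\x50\x68\x63\x61\x6c\x63\x54\x5b\x50\x53\xc3"


def xor_dwords(data: bytes, key: int) -> bytes:
    """XOR every little-endian dword of data with key; data must be dword-aligned."""
    if len(data) % 4:
        raise ValueError("data must be a whole number of dwords")
    out = bytearray()
    for (dword,) in struct.iter_unpack("<I", data):
        out += struct.pack("<I", dword ^ key)
    return bytes(out)


def encode(payload: bytes, key: int) -> bytes:
    """Build a call4_dword_xor blob: ECX setup + stub + dword-XORed payload.

    Assumptions for the demo: padding uses NOPs, and ECX is set with
    `push imm8 / pop ecx` (Rex emits several forms depending on bad chars).
    """
    padded = payload + b"\x90" * (-len(payload) % 4)
    ndwords = len(padded) // 4
    if ndwords > 0x7F:
        raise ValueError("example only emits the push imm8 / pop ecx ECX setup")
    ecx_setup = bytes([0x6A, ndwords, 0x59])          # push ndwords ; pop ecx
    return ecx_setup + STUB_HEAD + struct.pack("<I", key) + STUB_TAIL + xor_dwords(padded, key)


def find_stub(blob: bytes) -> int:
    """Offset of the stub's `call $+4` inside blob, or -1 when absent."""
    return blob.find(STUB_HEAD)


def decode(blob: bytes) -> tuple:
    """Locate the stub, lift the key from the xor immediate and decode what follows.

    Returns (key, decoded_bytes). When the ECX setup is the push imm8 / pop ecx
    form, its dword count bounds the decode, mirroring the stub's `loop`.
    """
    off = find_stub(blob)
    if off < 0:
        raise ValueError("call4_dword_xor stub not found")
    key = struct.unpack_from("<I", blob, off + KEY_OFFSET)[0]
    enc = blob[off + PAYLOAD_OFFSET:]
    if off >= 3 and blob[off - 3] == 0x6A and blob[off - 1] == 0x59:
        enc = enc[: blob[off - 2] * 4]
    enc = enc[: len(enc) - len(enc) % 4]              # drop any trailing partial dword
    return key, xor_dwords(enc, key)


if __name__ == "__main__":
    blob = encode(SAMPLE_PAYLOAD, 0xDEADBEEF)
    key, plain = decode(blob)
    print(f"stub at +{find_stub(blob)}, key=0x{key:08x}, payload={plain.hex()}")
```

`decode` searches for the stub anywhere in the byte string, so it can be pointed at a carved region of the 212 KB sample once the encoded blob has been located; it does nothing about the first stage's self-injection, which is what actually places the blob in memory.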
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Writes to the Master Boot Record (MBR)   1 TTPs   1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system. The signature fires on the write-mode handle to the raw disk device listed below (opened by PID 4556, per the process tree); the report does not capture the data written, so it shows raw-disk write access rather than the sector contents.
  description                    ioc                  Process
  File opened for modification   \??\PhysicalDrive0   6df35106a5121ee64d3370bd1dd46a07.exe

Suspicious use of SetThreadContext   2 IoCs
  description                           pid    Process                                procid_target
  PID 1408 set thread context of 4556   1408   6df35106a5121ee64d3370bd1dd46a07.exe   87
  PID 4556 set thread context of 1072   4556   6df35106a5121ee64d3370bd1dd46a07.exe   88
Each parent spawns a fresh copy of its own image, writes into it (WriteProcessMemory below) and then resets the new process's thread context; this combination is consistent with process hollowing (RunPE), with the sample using its own executable as the host. procid_target (87, 88) is the sandbox's own index for the target process, not a Windows PID.

Suspicious use of SetWindowsHookEx   2 IoCs
  pid    Process
  1408   6df35106a5121ee64d3370bd1dd46a07.exe
  4556   6df35106a5121ee64d3370bd1dd46a07.exe

Suspicious use of WriteProcessMemory   17 IoCs
  description                        pid    Process                                procid_target   writes
  PID 1408 wrote to memory of 4556   1408   6df35106a5121ee64d3370bd1dd46a07.exe   87              8
  PID 4556 wrote to memory of 1072   4556   6df35106a5121ee64d3370bd1dd46a07.exe   88              9
Processes
1. C:\Users\Admin\AppData\Local\Temp\6df35106a5121ee64d3370bd1dd46a07.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\6df35106a5121ee64d3370bd1dd46a07.exe"
   PID: 1408
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. (child of 1408) C:\Users\Admin\AppData\Local\Temp\6df35106a5121ee64d3370bd1dd46a07.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\6df35106a5121ee64d3370bd1dd46a07.exe"
      PID: 4556
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. (child of 4556) C:\Users\Admin\AppData\Local\Temp\6df35106a5121ee64d3370bd1dd46a07.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\6df35106a5121ee64d3370bd1dd46a07.exe"
         PID: 1072