Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
21/01/2024, 21:04
Behavioral task
behavioral1
Sample
6e046129fcf71e28c3de69ff87003be6.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
6e046129fcf71e28c3de69ff87003be6.exe
Resource
win10v2004-20231222-en
General
-
Target
6e046129fcf71e28c3de69ff87003be6.exe
-
Size
72KB
-
MD5
6e046129fcf71e28c3de69ff87003be6
-
SHA1
ef97acd9384c24a145cd69ef58a1b85b96d7aef1
-
SHA256
f05434e002182edf17534c9902b8acba222d4d69220b4782217d7c37db5c2637
-
SHA512
5e6ff200fea7d889c5fb59f9cd047fdfbb9ea6b3c4906bfdd5960d758ab84bb88042c503bd4c1be992d5979f9243ca97ed8a5e08920036384e60cb9088f4f767
-
SSDEEP
1536:IgghBf6qbxRfmCwpoV0vKZg1MUMb+KR0Nc8QsJq39:Rgh56WxMpoVIkg1he0Nc8QsC9
Malware Config
Extracted
metasploit
windows/shell_reverse_tcp
192.168.0.12:4444
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeManageVolumePrivilege 3368 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e046129fcf71e28c3de69ff87003be6.exe"C:\Users\Admin\AppData\Local\Temp\6e046129fcf71e28c3de69ff87003be6.exe"1⤵PID:4884
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:1596
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3368