Analysis

  • max time kernel
    139s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/01/2024, 00:00

General

  • Target

    6e2ee4f2fb68cc5169594dc840eaa398.exe

  • Size

    387KB

  • MD5

    6e2ee4f2fb68cc5169594dc840eaa398

  • SHA1

    46ca1fa3d3305a71f45ab9811c333d7da804beb8

  • SHA256

    121a71d2d2e648797d46e361bc5c6d9a791f768ae9296d7152f055373f318742

  • SHA512

    84ae5e753c0f6f334d388547e916b87653f34763cda9c6c3614d66b9bc8efc536d0fac745ff1c11a092fbccc22b6a717e933c7327ac720a416ab109a583811d5

  • SSDEEP

    12288:9X20TpWzHwqTfxZs0BFB7/gjQNIEDlFvtt+stn:9X20VWzwKfxe2FG/WlNtbn

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov (the value in this field names the shellcode encoder the extractor matched, x86/fnstenv_mov, not a Metasploit Framework version)

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Modifies security service (2 TTPs, 20 IoCs)
  • Executes dropped EXE (13 IoCs)
  • Loads dropped DLL (26 IoCs)
  • UPX packed file (4 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory (22 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Runs .reg file with regedit (10 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
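
What the `metasploit` / `encoder/fnstenv_mov` hit above rests on is a byte pattern: the x86/fnstenv_mov encoder prepends a short decoder stub that uses `fnstenv` to learn its own address and then XORs the payload dword by dword with a fixed 4-byte key. The Python below is an added example for this page, not the sandbox's extractor and not Metasploit code. The stub layout is reproduced from the published encoder as I recall it (verify against the framework source before relying on it), the key and the ASCII "payload" are constructed, and `fnstenv_mov_encode` / `find_fnstenv_mov` are hypothetical names. It builds an encoded blob the way the encoder does, then scans a buffer for the stub and recovers key, length and the decoded body, which is the kind of check a config extractor performs.

```python
"""Recognise and undo Metasploit's x86/fnstenv_mov encoding (added example).

Not the sandbox's detection logic and not Metasploit's code. The stub layout
follows the published encoder (fixed 4-byte XOR key applied per dword, with
fnstenv used to find EIP); verify against the framework source.
"""
import re
import struct

# Decoder stub, 22 bytes in total:
#   6a NN                push byte NN         ; NN = number of dwords to decode
#   59                   pop ecx              ; loop counter
#   d9 ee                fldz                 ; any FPU instruction works
#   d9 74 24 f4          fnstenv [esp-0xc]    ; saved FPU EIP (address of fldz) lands at [esp]
#   5b                   pop ebx              ; ebx = address of fldz (stub offset 3)
#   81 73 13 KK KK KK KK xor dword [ebx+0x13], key  ; 3 + 0x13 = 22 = first encoded byte
#   83 eb fc             sub ebx, -4          ; advance 4 bytes without a NUL in the opcode
#   e2 f4                loop -12             ; back to the xor
STUB_PREFIX = b"\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13"
STUB_SUFFIX = b"\x83\xeb\xfc\xe2\xf4"
STUB_RE = re.compile(
    rb"\x6a(?P<count>.)" + re.escape(STUB_PREFIX) + rb"(?P<key>.{4})" + re.escape(STUB_SUFFIX),
    re.DOTALL,
)


def _xor_dwords(data: bytes, key: int) -> bytes:
    """XOR every little-endian dword of data with key (data length multiple of 4)."""
    return b"".join(
        struct.pack("<I", struct.unpack("<I", data[i:i + 4])[0] ^ key)
        for i in range(0, len(data), 4)
    )


def fnstenv_mov_encode(payload: bytes, key: int) -> bytes:
    """Wrap payload the way the encoder does: stub followed by the XORed body."""
    padded = payload + b"\x00" * (-len(payload) % 4)
    count = len(padded) // 4
    # 'push byte NN' sign-extends, so NN must stay below 0x80 for ecx to be positive.
    if not 1 <= count <= 0x7F:
        raise ValueError("payload too long for a single-byte dword count")
    stub = b"\x6a" + bytes([count]) + STUB_PREFIX + struct.pack("<I", key) + STUB_SUFFIX
    return stub + _xor_dwords(padded, key)


def find_fnstenv_mov(buf: bytes) -> list:
    """Locate decoder stubs in buf and recover key, dword count and decoded body."""
    hits = []
    for m in STUB_RE.finditer(buf):
        count = m.group("count")[0]
        key = struct.unpack("<I", m.group("key"))[0]
        body = buf[m.end():m.end() + 4 * count]
        if len(body) < 4 * count:
            continue  # truncated: the stub is there but the encoded body is not complete
        hits.append({"offset": m.start(), "count": count, "key": key,
                     "decoded": _xor_dwords(body, key)})
    return hits


# Constructed sample: plain ASCII stands in for shellcode (24 bytes = 6 dwords),
# surrounded by filler so the scan has to find the stub at a non-zero offset.
SAMPLE_PAYLOAD = b"CONSTRUCTED-TEST-PAYLOAD"
SAMPLE_KEY = 0x5EC0DE42
SAMPLE_BUFFER = b"\x90" * 16 + fnstenv_mov_encode(SAMPLE_PAYLOAD, SAMPLE_KEY) + b"\xcc" * 8


if __name__ == "__main__":
    for hit in find_fnstenv_mov(SAMPLE_BUFFER):
        print(f"stub at +{hit['offset']}: key=0x{hit['key']:08x} "
              f"dwords={hit['count']} -> {hit['decoded']!r}")
```

The scan is a literal pattern, so it will miss a hand-modified stub or one with the instruction order changed; treat a hit as strong evidence of msfvenom output and a miss as no evidence either way.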

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e2ee4f2fb68cc5169594dc840eaa398.exe (PID 2432, depth 1)
    "C:\Users\Admin\AppData\Local\Temp\6e2ee4f2fb68cc5169594dc840eaa398.exe"
    Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\Decrypted.exe (PID 2260, depth 2)
      "C:\Users\Admin\AppData\Local\Temp\Decrypted.exe"
      Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe (PID 2660, depth 3)
        C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe
        Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\cmd.exe (PID 2696, depth 4)
          cmd /c c:\a.bat
          Suspicious use of WriteProcessMemory
          • C:\Windows\SysWOW64\regedit.exe (PID 3016, depth 5)
            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            Modifies security service; Runs .reg file with regedit
        • C:\Windows\SysWOW64\logs.exe (PID 2508, depth 4)
          C:\Windows\system32\logs.exe 492 "C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe"
          Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
          • C:\Windows\SysWOW64\cmd.exe (PID 2028, depth 5)
            cmd /c c:\a.bat
          • C:\Windows\SysWOW64\logs.exe (PID 2116, depth 5)
            C:\Windows\system32\logs.exe 536 "C:\Windows\SysWOW64\logs.exe"
            Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
            • C:\Windows\SysWOW64\cmd.exe (PID 2500, depth 6)
              cmd /c c:\a.bat
              Suspicious use of WriteProcessMemory
              • C:\Windows\SysWOW64\regedit.exe (PID 2388, depth 7)
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                Modifies security service; Runs .reg file with regedit
            • C:\Windows\SysWOW64\logs.exe (PID 3000, depth 6)
              C:\Windows\system32\logs.exe 540 "C:\Windows\SysWOW64\logs.exe"
              Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
              • C:\Windows\SysWOW64\cmd.exe (PID 1612, depth 7)
                cmd /c c:\a.bat
                Suspicious use of WriteProcessMemory
                • C:\Windows\SysWOW64\regedit.exe (PID 576, depth 8)
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  Modifies security service; Runs .reg file with regedit
              • C:\Windows\SysWOW64\logs.exe (PID 2716, depth 7)
                C:\Windows\system32\logs.exe 548 "C:\Windows\SysWOW64\logs.exe"
                Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
                • C:\Windows\SysWOW64\cmd.exe (PID 2896, depth 8)
                  cmd /c c:\a.bat
                  Suspicious use of WriteProcessMemory
                  • C:\Windows\SysWOW64\regedit.exe (PID 2980, depth 9)
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    Modifies security service; Runs .reg file with regedit
                • C:\Windows\SysWOW64\logs.exe (PID 516, depth 8)
                  C:\Windows\system32\logs.exe 544 "C:\Windows\SysWOW64\logs.exe"
                  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
                  • C:\Windows\SysWOW64\cmd.exe (PID 824, depth 9)
                    cmd /c c:\a.bat
                    • C:\Windows\SysWOW64\regedit.exe (PID 2780, depth 10)
                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      Modifies security service; Runs .reg file with regedit
                  • C:\Windows\SysWOW64\logs.exe (PID 2784, depth 9)
                    C:\Windows\system32\logs.exe 552 "C:\Windows\SysWOW64\logs.exe"
                    Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
                    • C:\Windows\SysWOW64\cmd.exe (PID 2580, depth 10)
                      cmd /c c:\a.bat
                      • C:\Windows\SysWOW64\regedit.exe (PID 1824, depth 11)
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        Modifies security service; Runs .reg file with regedit
                    • C:\Windows\SysWOW64\logs.exe (PID 1868, depth 10)
                      C:\Windows\system32\logs.exe 556 "C:\Windows\SysWOW64\logs.exe"
                      Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
                      • C:\Windows\SysWOW64\cmd.exe (PID 2884, depth 11)
                        cmd /c c:\a.bat
                        • C:\Windows\SysWOW64\regedit.exe (PID 2272, depth 12)
                          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          Modifies security service; Runs .reg file with regedit
                      • C:\Windows\SysWOW64\logs.exe (PID 2836, depth 11)
                        C:\Windows\system32\logs.exe 560 "C:\Windows\SysWOW64\logs.exe"
                        Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
                        • C:\Windows\SysWOW64\cmd.exe (PID 892, depth 12)
                          cmd /c c:\a.bat
                          • C:\Windows\SysWOW64\regedit.exe (PID 2564, depth 13)
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            Modifies security service; Runs .reg file with regedit
                        • C:\Windows\SysWOW64\logs.exe (PID 652, depth 12)
                          C:\Windows\system32\logs.exe 564 "C:\Windows\SysWOW64\logs.exe"
                          Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
                          • C:\Windows\SysWOW64\cmd.exe (PID 2036, depth 13)
                            cmd /c c:\a.bat
                            • C:\Windows\SysWOW64\regedit.exe (PID 2384, depth 14)
                              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                              Modifies security service; Runs .reg file with regedit
                          • C:\Windows\SysWOW64\logs.exe (PID 2216, depth 13)
                            C:\Windows\system32\logs.exe 568 "C:\Windows\SysWOW64\logs.exe"
                            Executes dropped EXE; Drops file in System32 directory
                            • C:\Windows\SysWOW64\cmd.exe (PID 1300, depth 14)
                              cmd /c c:\a.bat
                              • C:\Windows\SysWOW64\regedit.exe (PID 1740, depth 15)
                                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                Modifies security service; Runs .reg file with regedit
      • C:\Users\Admin\AppData\Local\Temp\tmpfile679.exe (PID 1820, depth 3)
        C:\Users\Admin\AppData\Local\Temp\tmpfile679.exe
        Executes dropped EXE; Suspicious use of SetWindowsHookEx
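
Reading the tree: the first dropped logs.exe is started with a counter and the path of its parent (`logs.exe 492 "...\tmpfile678.exe"`), and every generation after that starts another copy of itself from SysWOW64 (`logs.exe 536 "C:\Windows\SysWOW64\logs.exe"`, then 540, 548, ...) together with `cmd /c c:\a.bat`, which runs `REGEDIT /S` on a .reg file in the user's Temp directory. Two process-lineage rules catch that behaviour without depending on the file names. The Python below is an added example for this page, not the sandbox's signature logic: `EVENTS` is constructed from the process tree above (PIDs and command lines as listed there, a subset of the generations for brevity, parent PID 0 for the root as a placeholder), and the rule and helper names are hypothetical.

```python
"""Lineage rules over process-creation events shaped like this report's tree.

Added example for this page; not the sandbox's own signature logic. EVENTS is
constructed from the process tree above (PIDs and command lines as listed there,
a subset of the generations; parent PID 0 for the root is a placeholder). A live
feed would be Sysmon Event ID 1 or EDR telemetry carrying the same four fields.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [
    Proc(2432, 0,    r"C:\Users\Admin\AppData\Local\Temp\6e2ee4f2fb68cc5169594dc840eaa398.exe", r'"C:\Users\Admin\AppData\Local\Temp\6e2ee4f2fb68cc5169594dc840eaa398.exe"'),
    Proc(2260, 2432, r"C:\Users\Admin\AppData\Local\Temp\Decrypted.exe", r'"C:\Users\Admin\AppData\Local\Temp\Decrypted.exe"'),
    Proc(2660, 2260, r"C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe", r"C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe"),
    Proc(2696, 2660, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c c:\a.bat"),
    Proc(3016, 2696, r"C:\Windows\SysWOW64\regedit.exe", r"REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg"),
    Proc(2508, 2660, r"C:\Windows\SysWOW64\logs.exe", r'C:\Windows\system32\logs.exe 492 "C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe"'),
    Proc(2028, 2508, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c c:\a.bat"),
    Proc(2116, 2508, r"C:\Windows\SysWOW64\logs.exe", r'C:\Windows\system32\logs.exe 536 "C:\Windows\SysWOW64\logs.exe"'),
    Proc(2500, 2116, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c c:\a.bat"),
    Proc(2388, 2500, r"C:\Windows\SysWOW64\regedit.exe", r"REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg"),
    Proc(3000, 2116, r"C:\Windows\SysWOW64\logs.exe", r'C:\Windows\system32\logs.exe 540 "C:\Windows\SysWOW64\logs.exe"'),
    Proc(1612, 3000, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c c:\a.bat"),
    Proc(576,  1612, r"C:\Windows\SysWOW64\regedit.exe", r"REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg"),
    Proc(1820, 2260, r"C:\Users\Admin\AppData\Local\Temp\tmpfile679.exe", r"C:\Users\Admin\AppData\Local\Temp\tmpfile679.exe"),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# regedit run silently (/S) on a .reg file that lives in a user's Temp directory.
SILENT_TEMP_REG_IMPORT = re.compile(
    r"regedit(?:\.exe)?\s+/s\s+.*\\appdata\\local\\temp\\[^\s\"]+\.reg", re.IGNORECASE
)


def _by_pid(procs):
    return {p.pid: p for p in procs}


def _name(image):
    return image.rsplit("\\", 1)[-1]


def ancestry(procs, pid):
    """Return the process and its ancestors, child first, as far as the feed knows them."""
    table = _by_pid(procs)
    chain = []
    while pid in table:
        chain.append(table[pid])
        pid = table[pid].ppid
    return chain


def detect_silent_reg_import(procs):
    """Each hit: (regedit pid, 'regedit.exe(pid) <- cmd.exe(pid) <- ...')."""
    hits = []
    for p in procs:
        if _name(p.image).lower() == "regedit.exe" and SILENT_TEMP_REG_IMPORT.search(p.cmdline):
            chain = " <- ".join(f"{_name(a.image)}({a.pid})" for a in ancestry(procs, p.pid))
            hits.append((p.pid, chain))
    return hits


def detect_system_dir_self_spawn(procs):
    """A binary under System32/SysWOW64 starting another copy of itself: (parent pid, child pid)."""
    table = _by_pid(procs)
    hits = []
    for p in procs:
        parent = table.get(p.ppid)
        if parent is None:
            continue
        if parent.image.lower() == p.image.lower() and p.image.lower().startswith(SYSTEM_DIRS):
            hits.append((parent.pid, p.pid))
    return hits


if __name__ == "__main__":
    for pid, chain in detect_silent_reg_import(EVENTS):
        print(f"[silent .reg import] {chain}")
    for parent, child in detect_system_dir_self_spawn(EVENTS):
        print(f"[self-spawn in system dir] {parent} -> {child}")
```

On a real host the parent/child relation comes from Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine). The import rule keys on regedit's `/S` switch and the Temp path rather than on the hash of 1.reg, because the Downloads list below shows that path written with fourteen different contents during the run.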

Network

MITRE ATT&CK Enterprise v15

Downloads

The path C:\Users\Admin\AppData\Local\Temp\1.reg is listed fourteen times with different sizes and hashes, i.e. the file was rewritten repeatedly during the run; match on the regedit behaviour rather than on any one of these hashes.

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize  3KB
    MD5       9e5db93bd3302c217b15561d8f1e299d
    SHA1      95a5579b336d16213909beda75589fd0a2091f30
    SHA256    f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
    SHA512    b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize  449B
    MD5       c6b0028a6f5508ef564d624eda0e72bc
    SHA1      18901c9856a9af672c2e27383c15d2da41f27b6b
    SHA256    b41f477ecd348b1c3e12ef410d67b712627ed0696769c2c8cc2f087d02121d06
    SHA512    5d5f6fb437767096562f2ab9aac2cb75611afcc090b0a65ea63dfbadb3c4a73a3d45bbe139e43a7beea889370c76ac2eb2aa0fdffa92b69cfe47dd1ffbf10a71

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize  3KB
    MD5       5aa228bc61037ddaf7a22dab4a04e9a1
    SHA1      b50fcd8f643ea748f989a06e38c778884b3c19f2
    SHA256    65c7c12f00303ec69556e7e108d2fb3881b761b5e68d12e8ae94d80ab1fd7d8b
    SHA512    2ac1a9465083463a116b33039b4c4014433bda78a61e6312dde0e8f74f0a6a6881017041985871badee442a693d66385fe87cbfc60f1309f7a3c9fb59ec6f2aa

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize  3KB
    MD5       872656500ddac1ddd91d10aba3a8df96
    SHA1      ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc
    SHA256    d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8
    SHA512    e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize  360B
    MD5       3a1a83c2ffad464e87a2f9a502b7b9f1
    SHA1      4ffa65ecdd0455499c8cd6d05947605340cbf426
    SHA256    73ed949fba75a20288ac2d1e367180d4c8837fd31c66143707768d5b0e3bd8b6
    SHA512    8232967faaf29b8b93b5042ba2bb1fcb6d0f0f2fa0e19573b1fe49f526ba434c5e76e932829e3c71beb0903e42c293ed202b619fee8aba93efe4a99e8aec55e2

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize  683B
    MD5       6fe56f6715b4c328bc5b2b35cb51c7e1
    SHA1      8f4c2a2e2704c52fd6f01d9c58e4c7d843d69cc3
    SHA256    0686dfa785bc9687be1a2bb42ef6c2e805a03f62b4af6c83bac7031e515189be
    SHA512    8a19ba3f6e5678e92a6fd92a84f077e851a53a71a02622d87d5213a79f40540c7bbda17219f9349387e94edc75eb12fd2cb93e3b0abbcf9a85fc7d5e8bf3be0d

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize  476B
    MD5       a5d4cddfecf34e5391a7a3df62312327
    SHA1      04a3c708bab0c15b6746cf9dbf41a71c917a98b9
    SHA256    8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a
    SHA512    48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize  701B
    MD5       e427a32326a6a806e7b7b4fdbbe0ed4c
    SHA1      b10626953332aeb7c524f2a29f47ca8b0bee38b1
    SHA256    b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839
    SHA512    6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize  1KB
    MD5       e2d37af73d5fe4a504db3f8c0d560e3d
    SHA1      88c6bf5b485dd9c79283ccb5d2546ffbb95e563d
    SHA256    e615959931f345e611ac44be7534d697c1495c641d13e50ae919a7807c8ff008
    SHA512    8cb17131326361071a3ae2997cdfaa316ce10c481f48af23fa526380daffa39b2538251cbaa4cf3bd9a9c0014a9184be5a13a44cf45fb93591ba3180670ddb89

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize  1KB
    MD5       b99b0dc7cab4e69d365783a5c4273a83
    SHA1      5fcc44aa2631c923e9961266a2e0dbeaaabe84da
    SHA256    1fc967a5c8f7859ba0c410978d165085f241195fe4a31d61a127e38c30d435e4
    SHA512    495474416f5eccd40829d42f050464903273d564cb862b1bd0657262485e634b5d466363cac085406c6d830f42a2f7b5648818b2efe6db1a90833a4b90a6a14d

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize  1KB
    MD5       82fb85e6f9058c36d57abc2350ffee7e
    SHA1      f52708d066380d42924513f697ab4ed5492f78b8
    SHA256    0696a5c075674c13128a61fd02c3be39c68860dc24f3669415817d03c75415c6
    SHA512    27c84e21ed39cc0ff6377d717b99ee444867eba7a74b878b30c8a7ec7df97003f02963399020abe09a73f4b6949c75580eb85067412f4ccdacc03e8caf5d966a

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize  2KB
    MD5       8a36f3bf3750851d8732b132fa330bb4
    SHA1      1cb36be31f3d7d9439aac14af3d7a27f05a980eb
    SHA256    5d88aebc1d13a61609ef057cb38dc9d7b0a04a47a7670a7591f40d1ea05b6ad9
    SHA512    a822885389f3b12baed60b565646bed97aea1740e163e236ca3647fb63a9c15f6e21bc5ff92eb2d47bb6b1268c71ffb8e5e84006f3c04377d9d3a7c16434e646

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize  851B
    MD5       a13ff758fc4326eaa44582bc9700aead
    SHA1      a4927b4a3b84526c5c42a077ade4652ab308f83f
    SHA256    c0915178e63bf84c54e9c942b5cc80327c24d84125042767d7e1e2ef3e004588
    SHA512    86c336086a1d0ca689e133df8e3c3ec83eeef86649dbf8b9d367c3e543358ad54f69d1a20d56c56200e294f22b2741186db0f359051159b4e670d3e9b5861842

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize  2KB
    MD5       d8be0d42e512d922804552250f01eb90
    SHA1      cda2fd8fc9c4cdf15d5e2f07a4c633e21d11c9d3
    SHA256    901619f668fe541b53d809cd550460f579985c3d2f3d899a557997e778eb1d82
    SHA512    f53619e1ec3c9abc833f9fca1174529fb4a4723b64f7560059cd3147d74ea8fe945a7bd0034f6fb68c0e61b6782a26908d30a749a256e019031b5a6ac088eb97

  • C:\a.bat
    Filesize  5KB
    MD5       0019a0451cc6b9659762c3e274bc04fb
    SHA1      5259e256cc0908f2846e532161b989f1295f479b
    SHA256    ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
    SHA512    314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

  • \Users\Admin\AppData\Local\Temp\Decrypted.exe
    Filesize  367KB
    MD5       0e246fd1dd8235f942b32e8dac657676
    SHA1      e4c39e659db089023912e77b1b60c8a9ab162266
    SHA256    75c1c8a97b399166ad4c8a30d62907730a271400e9e0b5e626f9f5efb049fed7
    SHA512    58af1131ef7f95e9d19adedbf37e108f3047e03b35733be561adbb18a055ae114e6eb1cd7ad2acce8c1a6138d1ec96c9b2b6af093e03d6bfa4d9c70da9828c7b

  • \Users\Admin\AppData\Local\Temp\tmpfile678.exe
    Filesize  310KB
    MD5       70cf71444e9d625943bb92f2229d1a3b
    SHA1      ba1e719ae5f659b2e20ef9e855456eecd677d051
    SHA256    0cdd4095dd78bfbf009d553190e5b46274cd63d4b7d333106c810134d90abcea
    SHA512    372be4f83eb5ae17152004131ce7ec6e71b0c6ffbf2221162c86c5cee2753f02b5882617ed75ba87af70eed93f2a7dda0700ecbeafd30ab1cacb286f479ae1ee

  • \Users\Admin\AppData\Local\Temp\tmpfile679.exe
    Filesize  47KB
    MD5       49808f66424aec571b9d5025f36409dd
    SHA1      38db0a611bd7d7d8aceb116fbca88768e15551d7
    SHA256    8dc78feef0cb0f76d179ddb6ab0eb9ed8f9267df4c0d6d0ea74dc27fc2ccf821
    SHA512    da67632a16ca5354dcc4e63c8884109513a4e4d6b4b7d57e376443ed5a93fa574226c80a5738f76b4884a88cf822bfa74433e0fbea9dc3833ddf9a5ad687a099

  • \Windows\SysWOW64\logs.exe
    Filesize  256KB
    MD5       851f826418a68a324f0aac5495ef4db5
    SHA1      08309312661e07877fdd246a355d55fb2cce70e5
    SHA256    aef724f31840ba9539a4cb9235dcb2b7bd477cf923fe4f3bbfa6ae5dfd290a37
    SHA512    17432d9bf2d2951830edfdcac16d3cd3ea445fa84c2c731f8b2189ca8a0b1191da1e3f1e0ccbaa9575608b415885b9184684b6dd664db8bf856c10745b480d1c

  • memory/1820-177-0x0000000000400000-0x0000000000405000-memory.dmp
    Filesize  20KB

  • memory/1820-173-0x0000000000400000-0x0000000000405000-memory.dmp
    Filesize  20KB

  • memory/2260-169-0x0000000000320000-0x0000000000325000-memory.dmp
    Filesize  20KB

  • memory/2260-176-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize  36KB

  • memory/2260-14-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize  36KB

  • memory/2260-171-0x0000000000320000-0x0000000000325000-memory.dmp
    Filesize  20KB

  • memory/2432-0-0x0000000000400000-0x0000000000405000-memory.dmp
    Filesize  20KB

  • memory/2432-6-0x00000000003F0000-0x00000000003F9000-memory.dmp
    Filesize  36KB

  • memory/2432-12-0x00000000003F0000-0x00000000003F9000-memory.dmp
    Filesize  36KB

  • memory/2432-15-0x0000000000400000-0x0000000000405000-memory.dmp
    Filesize  20KB