Analysis
- max time kernel: 141s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 31-03-2024 17:21
Behavioral task behavioral1: Sample sample-20240221.exe, Resource win7-20240221-en
Behavioral task behavioral2: Sample sample-20240221.exe, Resource win10v2004-20240226-en
All signatures, memory dumps and the process tree on this page come from behavioral1 (the Windows 7 run); nothing from the Windows 10 run is recorded here.
General
- Target: sample-20240221.exe
- Size: 141KB
- MD5: 948fe924100ae457c1b1b9095a7fca6b
- SHA1: 67a664311ed0c4b5f1daf68c9d898909e77274c7
- SHA256: 81b281cb9dbf824635fb99b59977d3114cccd014db605d2f3f693383ed6b4ef3
- SHA512: a5c0edda2d2226cd2439195c31a0c83fe46dcfa0a2f93ad0861ae96247cdc9a324030dfd34a0034e5e460ebedea382c76adf8820c6b71edc8a398bf32c094ee1
- SSDEEP: 3072:aCH7vIoTjjzwItUJXVLkJRqCpWf/xaIloI8pH1bui5N8:Rk2UJXiRvpGOpj5N8
Malware Config
Extracted: metasploit, payload windows/shell_bind_tcp
A bind_tcp payload listens for an inbound TCP connection on the victim instead of calling out, so it generates no outbound C2 traffic and egress-based detections will not see it; a listening socket owned by the sample (or by whatever process it injects into) is the network artefact to look for. The extracted config on this page records only the payload name, not the listening port.
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
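One way to confirm the Metasploit verdict from the memory dumps listed further down, as an added example that is not code from the report or from Metasploit: Metasploit's x86 Windows stages resolve every API through a ROR13 hash of module and function name and push the resulting 32-bit constants as immediates, so they survive in memory once the UPX layer has unpacked the payload. The hashing scheme below is Metasploit's block_api scheme; the API names are assumed from its bind_tcp/reverse_tcp sources, the sample bytes are constructed here, and the real dump files and the sandbox's own detection logic are not modelled.

```python
"""Scan an unpacked image or memory dump for Metasploit block_api hashes.

Added example, not code from the sandbox report or from Metasploit. The module
name is hashed as uppercase UTF-16LE including its terminator, the function
name as ASCII including its terminator, and the two sums are added mod 2**32.
"""
import struct

MASK = 0xFFFFFFFF


def ror13(x: int) -> int:
    """Rotate a 32-bit value right by 13 bits."""
    x &= MASK
    return ((x >> 13) | (x << 19)) & MASK


def api_hash(module: str, function: str) -> int:
    """block_api hash of module!function, e.g. kernel32.dll!ExitProcess."""
    h = 0
    for b in (module.upper() + "\x00").encode("utf-16-le"):
        h = (ror13(h) + b) & MASK
    f = 0
    for b in (function + "\x00").encode("ascii"):
        f = (ror13(f) + b) & MASK
    return (h + f) & MASK


# APIs called by the bind_tcp and reverse_tcp stages (names assumed from
# Metasploit's assembly sources); every hash value is derived by api_hash().
API_NAMES = [
    ("kernel32.dll", "LoadLibraryA"),
    ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "WSASocketA"),
    ("ws2_32.dll", "bind"),
    ("ws2_32.dll", "listen"),
    ("ws2_32.dll", "accept"),
    ("ws2_32.dll", "connect"),
    ("ws2_32.dll", "closesocket"),
    ("kernel32.dll", "CreateProcessA"),
    ("kernel32.dll", "WaitForSingleObject"),
    ("kernel32.dll", "ExitProcess"),
]
HASH_TO_NAME = {api_hash(m, f): f"{m}!{f}" for m, f in API_NAMES}


def find_api_hashes(blob: bytes) -> dict:
    """Map each offset holding a known hash (little-endian dword) to module!function."""
    hits = {}
    for off in range(len(blob) - 3):
        (value,) = struct.unpack_from("<I", blob, off)
        if value in HASH_TO_NAME:
            hits[off] = HASH_TO_NAME[value]
    return hits


def classify_stage(blob: bytes) -> str:
    """Tell a bind shell from a reverse shell by the socket APIs it resolves."""
    names = set(find_api_hashes(blob).values())
    sockets = {"ws2_32.dll!WSAStartup", "ws2_32.dll!WSASocketA"} <= names
    if sockets and {"ws2_32.dll!bind", "ws2_32.dll!listen", "ws2_32.dll!accept"} <= names:
        return "bind_tcp"
    if sockets and "ws2_32.dll!connect" in names:
        return "reverse_tcp"
    if names:
        return "block_api hashes present"
    return "none"


def constructed_sample(*functions: str) -> bytes:
    """Constructed test input: each hash emitted as 'push imm32' (opcode 0x68)
    followed by NOP padding. Stands in for the report's memory dumps; not real shellcode."""
    out = bytearray()
    for mod, fn in API_NAMES:
        if fn in functions:
            out += b"\x68" + struct.pack("<I", api_hash(mod, fn)) + b"\x90" * 3
    return bytes(out)


BIND_SAMPLE = constructed_sample("LoadLibraryA", "WSAStartup", "WSASocketA", "bind",
                                 "listen", "accept", "closesocket", "CreateProcessA",
                                 "WaitForSingleObject", "ExitProcess")
REVERSE_SAMPLE = constructed_sample("LoadLibraryA", "WSAStartup", "WSASocketA",
                                    "connect", "CreateProcessA", "ExitProcess")

if __name__ == "__main__":
    # 0x56a2b5f0 is the constant Metasploit's own assembly pushes for ExitProcess
    print(hex(api_hash("kernel32.dll", "ExitProcess")))
    for off, name in sorted(find_api_hashes(BIND_SAMPLE).items()):
        print(f"{off:#06x} {name}")
    print(classify_stage(BIND_SAMPLE), classify_stage(REVERSE_SAMPLE))
```

Run it against a real dump by passing the file contents to find_api_hashes(); the scan is at every byte offset, so it does not depend on alignment or on the push opcode being present, and a hit set that contains bind/listen/accept but not connect is the bind_tcp stage this report names.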
-
YARA rule "upx" matched on the main process image (resource | yara_rule):
behavioral1/memory/320-0-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/320-3-0x0000000000400000-0x000000000042B000-memory.dmp | upx
Both dumps cover the same 0x400000-0x42B000 image range of PID 320 (0x2B000 bytes, 172 KB) captured at two points in the run. Because the rule fires on the in-memory image and not only on the 141 KB file, static signatures should be applied to an unpacked copy (upx -d on the file, or a dump taken after the stub has finished) rather than to the packed binary.
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\KopperDroid = "C:\\Users\\Admin\\Desktop\\sorbet.exe" | sample-20240221.exe
The value is written under the user's RunOnce key (HKU\<SID>, i.e. HKCU for the Admin account), so it executes once at that user's next logon and is then deleted by Windows. It points at C:\Users\Admin\Desktop\sorbet.exe, a path that appears nowhere else in this report: no process runs from it in the tree below, so whether the file existed at the end of the run cannot be confirmed from this page.
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes (description | pid | process):
Token: SeIncreaseQuotaPrivilege | 800 | WMIC.exe
Token: SeSecurityPrivilege | 800 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 800 | WMIC.exe
Token: SeLoadDriverPrivilege | 800 | WMIC.exe
Token: SeSystemProfilePrivilege | 800 | WMIC.exe
Token: SeSystemtimePrivilege | 800 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 800 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 800 | WMIC.exe
Token: SeCreatePagefilePrivilege | 800 | WMIC.exe
Token: SeBackupPrivilege | 800 | WMIC.exe
Token: SeRestorePrivilege | 800 | WMIC.exe
Token: SeShutdownPrivilege | 800 | WMIC.exe
Token: SeDebugPrivilege | 800 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 800 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 800 | WMIC.exe
Token: SeUndockPrivilege | 800 | WMIC.exe
Token: SeManageVolumePrivilege | 800 | WMIC.exe
Token: 33 | 800 | WMIC.exe
Token: 34 | 800 | WMIC.exe
Token: 35 | 800 | WMIC.exe
(the 20 entries above are recorded a second time, identically, for PID 800)
Token: SeRestorePrivilege | 2348 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2348 | msiexec.exe
Token: SeSecurityPrivilege | 2348 | msiexec.exe
The numeric entries 33, 34 and 35 are privilege LUIDs the sandbox left unnamed: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Enabling every privilege present in its token is what wmic.exe does by itself at start-up, so the 40 WMIC.exe entries describe the tool rather than the sample; the part attributable to the sample is that it launched wmic.exe at all (see the process tree).
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description | pid | process | target process):
PID 320 wrote to memory of 3008 | 320 | sample-20240221.exe | cmd.exe (logged 4 times)
PID 3008 wrote to memory of 800 | 3008 | cmd.exe | WMIC.exe (logged 4 times)
PID 320 wrote to memory of 2032 | 320 | sample-20240221.exe | colorcpl.exe (logged 4 times)
Each group is a parent writing into a child it has just created, which also happens during ordinary process start-up, so the first two groups add nothing beyond the process tree. The third is the one to examine: colorcpl.exe is a signed Windows binary that the sample starts with no arguments and that shows no activity of its own, a shape consistent with injection into a benign host process, although this report records no memory-region, thread or network evidence that confirms it.
Processes
C:\Users\Admin\AppData\Local\Temp\sample-20240221.exe (PID 320)
  command line: "C:\Users\Admin\AppData\Local\Temp\sample-20240221.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 3008)
      command line: C:\Windows\system32\cmd.exe /c wmic.exe product get Name
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 800)
          command line: wmic.exe product get Name
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\colorcpl.exe (PID 2032)
      command line: colorcpl.exe
C:\Windows\system32\msiexec.exe (PID 2348)
  command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
Indentation shows parent and child; the original view marked depth as 1, 2 and 3. The sample's children run from C:\Windows\SysWOW64 although their command lines name system32: the sample is a 32-bit process (the arch:x86 tag above), so file-system redirection gives it the WoW64 copies. msiexec.exe is a separate root, not a child of the sample. /V is the switch with which the Windows Installer service starts msiexec.exe as its server process, and "wmic product get Name" enumerates Win32_Product, which reads installed MSI packages through that service, so the msiexec.exe process and its three privilege adjustments are most likely a side effect of the WMI query rather than something the sample launched directly.
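The findings of this report re-derived from an event stream, as an added example that is not code from the report or from the sandbox: the events are constructed here from the process tree, the WriteProcessMemory table and the RunOnce IoC above; the event schema (type, pid, ppid, image, cmdline, source_pid, target_pid, key, name, data) and the rule names are this example's own and are not a Triage or Sysmon format.

```python
"""Re-derive the report's findings from a process/registry event stream.

Added example, not part of the sandbox report. The events are constructed
from the report's process tree, WriteProcessMemory table and registry IoC;
the field names are this example's own schema, not a sandbox format.
"""
import ntpath
import re

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata\\local\\temp|desktop|downloads)\\", re.I)
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)

# Constructed from the report: PIDs, images and command lines as listed there.
EVENTS = [
    {"type": "process", "pid": 320, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\sample-20240221.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample-20240221.exe"'},
    {"type": "process", "pid": 3008, "ppid": 320,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c wmic.exe product get Name"},
    {"type": "process", "pid": 800, "ppid": 3008,
     "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic.exe product get Name"},
    {"type": "process", "pid": 2032, "ppid": 320,
     "image": r"C:\Windows\SysWOW64\colorcpl.exe", "cmdline": "colorcpl.exe"},
    {"type": "process", "pid": 2348, "ppid": None,
     "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"type": "write_memory", "source_pid": 320, "target_pid": 3008},
    {"type": "write_memory", "source_pid": 3008, "target_pid": 800},
    {"type": "write_memory", "source_pid": 320, "target_pid": 2032},
    {"type": "reg_set", "pid": 320,
     "key": r"\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "name": "KopperDroid", "data": r"C:\Users\Admin\Desktop\sorbet.exe"},
]


def ancestors(procs, pid):
    """Yield the parent, grandparent, ... of pid as far as the tree is known."""
    p = procs.get(pid)
    while p is not None and p["ppid"] in procs:
        p = procs[p["ppid"]]
        yield p


def in_system_dir(image: str) -> bool:
    return ntpath.dirname(image).lower() in SYSTEM_DIRS


def analyze(events):
    """Return (rule, pid) findings; each rule mirrors one signature in the report."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            # Installed-software enumeration via 'wmic product get' matters only
            # when something running from a user-writable path started it.
            if (ntpath.basename(e["image"]).lower() == "wmic.exe"
                    and re.search(r"\bproduct\b.*\bget\b", e["cmdline"], re.I)
                    and any(USER_WRITABLE.match(a["image"]) for a in ancestors(procs, e["pid"]))):
                findings.append(("wmi_product_enum", e["pid"]))
        elif e["type"] == "write_memory":
            # A parent writing into its child is normal during process start-up;
            # flag it when the child is an OS binary from System32/SysWOW64 run
            # with a bare command line, the shape of injection into a benign host.
            t = procs.get(e["target_pid"])
            if (t is not None and t["ppid"] == e["source_pid"] and in_system_dir(t["image"])
                    and t["cmdline"].strip().lower() == ntpath.basename(t["image"]).lower()):
                findings.append(("write_into_spawned_system_binary", t["pid"]))
        elif e["type"] == "reg_set":
            # Run/RunOnce value whose target is not the writer's own image:
            # persistence for a file the writer expects to exist at next logon.
            writer = procs.get(e["pid"], {}).get("image", "")
            if AUTORUN_KEY.search(e["key"]) and ntpath.normcase(e["data"]) != ntpath.normcase(writer):
                findings.append(("autorun_to_other_path", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print(f"{rule}: pid {pid}")
```

The three rules deliberately ignore the routine parts of the report: the 40 WMIC.exe privilege adjustments, the parent-to-child writes into cmd.exe and WMIC.exe, and the msiexec.exe root all fall through without a finding, which is what an analyst triaging this run would want.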