Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-03-2024 17:21
Behavioral tasks
- behavioral1: Sample sample-20240221.exe, Resource win7-20240221-en
- behavioral2: Sample sample-20240221.exe, Resource win10v2004-20240226-en

The signatures and process tree below come from behavioral2 (the Windows 10 run); the memory-dump paths are prefixed behavioral2/ and the PIDs belong to that task.
General
- Target: sample-20240221.exe
- Size: 141KB
- MD5: 948fe924100ae457c1b1b9095a7fca6b
- SHA1: 67a664311ed0c4b5f1daf68c9d898909e77274c7
- SHA256: 81b281cb9dbf824635fb99b59977d3114cccd014db605d2f3f693383ed6b4ef3
- SHA512: a5c0edda2d2226cd2439195c31a0c83fe46dcfa0a2f93ad0861ae96247cdc9a324030dfd34a0034e5e460ebedea382c76adf8820c6b71edc8a398bf32c094ee1
- SSDEEP: 3072:aCH7vIoTjjzwItUJXVLkJRqCpWf/xaIloI8pH1bui5N8:Rk2UJXiRvpGOpj5N8
Malware Config
- Extracted: metasploit
- Payload: windows/shell_bind_tcp

windows/shell_bind_tcp is a bind shell: the payload opens a listening TCP socket on the infected host and hands a cmd.exe to whoever connects, rather than calling back to an attacker address. The extracted config shown here records only the payload name, not the listening port, so the port has to be recovered from the binary or from a socket listing in the sandbox.
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

- YARA rule "upx" matched in process memory
  resource | yara_rule
  behavioral2/memory/1492-0-0x0000000000400000-0x000000000042B000-memory.dmp | upx
  behavioral2/memory/1492-3-0x0000000000400000-0x000000000042B000-memory.dmp | upx
  Both dumps are the sample's own image (PID 1492) at the default 32-bit image base 0x400000, 0x2B000 bytes long. A UPX stub in memory means static tools should be run on the unpacked image (upx -d, or the dump itself), not on the 141KB file on disk.

- Adds Run key to start application (2 TTPs, 1 IoC)
  process | description | ioc
  sample-20240221.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\KopperDroid = "C:\\Users\\Admin\\Pictures\\sorbet.exe"
  The key is the current user's RunOnce hive (HKU\<SID>\...\RunOnce), so the entry runs once at the next logon of that user and is then deleted. The value name KopperDroid and the path C:\Users\Admin\Pictures\sorbet.exe are the two IoCs to take from this; note that the report records no file write of sorbet.exe, so the persistence target was not observed being dropped during the 148s run.

- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  WMIC.exe (PID 3156) enabled the following 21 privileges in its token, and did so twice (42 events):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and four privileges the sandbox reports only by LUID: 33, 34, 35, 36.
  msiexec.exe (PID 3580) enabled SeSecurityPrivilege (1 event).
  Two things to read from this rather than the raw count: a process can only enable privileges already present in its token, and SeDebugPrivilege is there, so the sample is running under an administrator token in this sandbox; and enabling the full set is what WMIC.exe does on its own, so the signal is that the sample spawned WMIC at all, not the privilege adjustment itself.

- Suspicious use of WriteProcessMemory (9 IoCs)
  source pid | source process | target pid | target process | count
  1492 | sample-20240221.exe | 1660 | cmd.exe | 3
  1660 | cmd.exe | 3156 | WMIC.exe | 3
  1492 | sample-20240221.exe | 4832 | colorcpl.exe | 3
  Each child gets the same three writes, which is the pattern of ordinary child-process creation rather than code injection; nothing beyond these three writes is recorded for colorcpl.exe, so if the sample intended that process as a host for its payload, the injection did not happen within the monitored window or was not captured.
Processes
- C:\Users\Admin\AppData\Local\Temp\sample-20240221.exe  "C:\Users\Admin\AppData\Local\Temp\sample-20240221.exe"  PID 1492
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c wmic.exe product get Name  PID 1660
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe  wmic.exe product get Name  PID 3156
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\colorcpl.exe  colorcpl.exe  PID 4832
- C:\Windows\system32\msiexec.exe  C:\Windows\system32\msiexec.exe /V  PID 3580
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample is 32-bit (its children resolve to SysWOW64 even though the command line says system32, matching the arch:x86 tag and the 0x400000 image base). `wmic product get Name` enumerates the Win32_Product class, i.e. every MSI-installed application, which is a common first-stage inventory step and also reveals sandbox or VM tooling. Querying Win32_Product has a well-known side effect: Windows Installer runs a consistency check over every installed package, which is the most likely reason a top-level msiexec.exe /V (the installer service instance) appears with SeSecurityPrivilege while the sample itself never touched msiexec. colorcpl.exe is the Windows colour-management applet and has no reason to be launched by a dropped executable; its presence as a child of the sample is the part of this tree worth hunting for on other hosts.
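The detections a SOC engineer would derive from the tree and the RunOnce IoC above, as an added example that is not part of the Triage report. The events are constructed Sysmon-style records (Event ID 1 process creation, Event ID 13 registry value set) built from the report's own PIDs, paths and command lines; the parent PIDs 1000 and 800 for the two root processes, the single-backslash form of the RunOnce value data, and the list of user-writable directories are assumptions made for the example.

```python
"""Hunt logic over process-creation and registry events modelled on the
sample-20240221.exe report. Added example; the events are constructed from
the report, not real telemetry."""
import re
from dataclasses import dataclass

# Assumed set of directories a standard user can write to. A process image
# here is a weak prior for "dropped or downloaded", which fits the sample.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|pictures|downloads|desktop|documents)(\\|$)", re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\", re.I)
WMI_PRODUCT = re.compile(r"\bproduct\s+get\b", re.I)  # Win32_Product inventory


@dataclass
class ProcEvent:          # shape of Sysmon Event ID 1
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:           # shape of Sysmon Event ID 13
    pid: int
    image: str
    target: str
    details: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample-20240221.exe"
# Constructed from the report's process tree; ppid 1000 and 800 are assumed.
PROCS = [
    ProcEvent(1492, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1660, 1492, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c wmic.exe product get Name"),
    ProcEvent(3156, 1660, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", r"wmic.exe product get Name"),
    ProcEvent(4832, 1492, r"C:\Windows\SysWOW64\colorcpl.exe", r"colorcpl.exe"),
    ProcEvent(3580, 800, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
]
# Constructed from the report's RunOnce IoC (value data un-escaped).
REGS = [
    RegEvent(1492, SAMPLE,
             r"\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000"
             r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\KopperDroid",
             r"C:\Users\Admin\Pictures\sorbet.exe"),
]


def in_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path.strip('"')))


def ancestry(pid: int, by_pid: dict) -> list:
    """Walk parent links from pid upward; stops at unknown pids or a cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def wmic_inventory_from_user_path(procs: list) -> list:
    """WMIC 'product get' whose ancestry contains a user-writable image.
    Returns (wmic_pid, origin_pid, origin_image); cmd.exe in between is skipped."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\wmic.exe") or not WMI_PRODUCT.search(p.cmdline):
            continue
        for anc in ancestry(p.ppid, by_pid):
            if in_user_writable(anc.image):
                hits.append((p.pid, anc.pid, anc.image))
                break
    return hits


def run_key_persistence(regs: list) -> list:
    """Run/RunOnce values set by any process, with the kernel hive path
    rewritten to the HKU/HKLM form analysts search for."""
    hits = []
    for r in regs:
        if not RUN_KEY.search(r.target):
            continue
        key = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", r.target, flags=re.I)
        key = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", key, flags=re.I)
        target = r.details.strip('"')
        hits.append({"key": key, "value": key.rsplit("\\", 1)[1], "target": target,
                     "writer_pid": r.pid,
                     "target_user_writable": in_user_writable(target),
                     "writer_user_writable": in_user_writable(r.image)})
    return hits


def system_binaries_spawned_from_user_path(procs: list) -> list:
    """Windows binaries whose direct parent runs from a user-writable path
    (cmd.exe and colorcpl.exe in the report). Returns (ppid, pid, basename)."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent and in_user_writable(parent.image) and SYSTEM_DIR.match(p.image):
            out.append((parent.pid, p.pid, p.image.rsplit("\\", 1)[1].lower()))
    return out


if __name__ == "__main__":
    print(wmic_inventory_from_user_path(PROCS))
    print(run_key_persistence(REGS))
    print(system_binaries_spawned_from_user_path(PROCS))
```

The WMIC rule walks ancestry rather than checking the direct parent because the sample launches WMIC through cmd.exe /c; a parent-only match would see cmd.exe and miss it. The Run-key rule keeps both the writer's path and the value's target path, since either one sitting under the user profile is enough to escalate.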