Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-04-2024 06:46
Static task: static1
Behavioral task: behavioral1
  Sample: bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe
  Resource: win10v2004-20240412-en
General
Target: bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe
Size: 401KB
MD5: afcd5cc03a3f1ad37809812677874828
SHA1: bd2f9c861440b5b050a9bb7cf1b7785d2bc4bbac
SHA256: bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461
SHA512: 924e0d9e9b8cee9b0250fca5e3074419b253d7332b23e71920377eaf38f7e4578086303acaf141fee428f6370d0c3dc2b6380da8a0877534625877afcf8043fe
SSDEEP: 12288:uubsNSOetfARQAPyGU2X+tZ/iU5rhd4Ws0H1o:uubsnafAPyjt/iKrJ9H1o
Malware Config
Extracted
Family: metasploit
Payload: windows/reverse_tcp
C2: 192.168.72.128:1234
C2: 192.168.72.128:1111
Note: windows/reverse_tcp is the 32-bit Metasploit stager name (the x64 variants sit under windows/x64/), which is consistent with the arch:x86 resource tag above. Both callback addresses fall in the RFC 1918 range 192.168.0.0/16, so the payload as configured can only reach a listener on a local network. That points to a lab or training build rather than live attacker infrastructure, and the IP is not a useful network indicator outside that environment.
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description         ioc                                                                                                      process
  Key value queried   \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation   bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid    process
  5092   QQ浏览器.exe
  432    root.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                          pid    process                                                                  target process
  PID 1124 wrote to memory of 5092     1124   bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe    QQ浏览器.exe
  PID 1124 wrote to memory of 5092     1124   bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe    QQ浏览器.exe
  PID 1124 wrote to memory of 5092     1124   bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe    QQ浏览器.exe
  PID 1124 wrote to memory of 432      1124   bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe    root.exe
  PID 1124 wrote to memory of 432      1124   bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe    root.exe
  PID 1124 wrote to memory of 432      1124   bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe    root.exe
The pattern here is the parent dropping two executables, starting each one, and then writing into the new process's memory three times; that is the sequence a sandbox reports when a launcher injects or patches code into its own children rather than letting them run as dropped.
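The signatures above are each a single indicator; what an analyst actually wants is the correlation between them, i.e. the same parent PID performing the geofence registry read, spawning the dropped EXEs, and then writing into exactly those children. The script below is an added example, not the sandbox's own detection code or anything from the report: it runs that correlation over a hand-constructed event list that mirrors the IoCs on this page. The event field names ("ProcessCreate", "WriteProcessMemory", "RegQuery", "NetConnect") and the drive-root drop-path heuristic are assumptions for illustration, not a real sensor schema, and the single network-connect event is constructed (the report's Network section lists nothing) purely to show how the extracted C2 list would be applied.

```python
"""Correlate the report's per-process indicators into an injection chain.

Added example, not part of the sandbox report. Event schema and sample
events are constructed to mirror the IoCs above.
"""
import re
from collections import defaultdict

# Callback endpoints taken from the report's Malware Config section.
EXTRACTED_C2 = {("192.168.72.128", 1234), ("192.168.72.128", 1111)}

# Registry value queried by the parent (reported under "Checks computer location settings").
GEO_NATION_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)

# Constructed heuristic: an .exe sitting directly under a drive root (C:\root.exe)
# is an unusual drop location worth surfacing in the summary.
DRIVE_ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$")

PARENT = r"C:\Users\Admin\AppData\Local\Temp\bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe"
SID = "S-1-5-21-2177723727-746291240-1644359950-1000"

# Constructed events, in the order the sandbox reports them. The NetConnect
# event is invented to exercise the C2 match; the report shows no traffic.
SAMPLE_EVENTS = [
    {"type": "RegQuery", "pid": 1124, "image": PARENT,
     "key": rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation"},
    {"type": "ProcessCreate", "pid": 5092, "ppid": 1124, "image": r"C:\QQ浏览器.exe"},
    {"type": "WriteProcessMemory", "pid": 1124, "target_pid": 5092},
    {"type": "WriteProcessMemory", "pid": 1124, "target_pid": 5092},
    {"type": "WriteProcessMemory", "pid": 1124, "target_pid": 5092},
    {"type": "ProcessCreate", "pid": 432, "ppid": 1124, "image": r"C:\root.exe"},
    {"type": "WriteProcessMemory", "pid": 1124, "target_pid": 432},
    {"type": "WriteProcessMemory", "pid": 1124, "target_pid": 432},
    {"type": "WriteProcessMemory", "pid": 1124, "target_pid": 432},
    {"type": "NetConnect", "pid": 432, "dst": "192.168.72.128", "dport": 1234},
]


def find_injection_chains(events):
    """Return {(parent_pid, child_pid, child_image): write_count} for every
    child that its own creator later wrote into. Writes into processes the
    writer did not spawn are ignored here; they would need a separate rule."""
    created = {}                      # child pid -> (ppid, image)
    writes = defaultdict(int)
    for ev in events:
        if ev["type"] == "ProcessCreate":
            created[ev["pid"]] = (ev["ppid"], ev["image"])
        elif ev["type"] == "WriteProcessMemory":
            tgt = ev["target_pid"]
            if tgt in created and created[tgt][0] == ev["pid"]:
                writes[(ev["pid"], tgt, created[tgt][1])] += 1
    return dict(writes)


def geofence_lookups(events):
    """PIDs that read HKCU\\Control Panel\\International\\Geo\\Nation."""
    return [ev["pid"] for ev in events
            if ev["type"] == "RegQuery" and GEO_NATION_KEY.search(ev["key"])]


def c2_contacts(events, c2=EXTRACTED_C2):
    """(pid, dst, dport) tuples that match the extracted C2 endpoints."""
    return [(ev["pid"], ev["dst"], ev["dport"]) for ev in events
            if ev["type"] == "NetConnect" and (ev["dst"], ev["dport"]) in c2]


def drive_root_drops(events):
    """Images launched from directly under a drive root, sorted."""
    return sorted({ev["image"] for ev in events
                   if ev["type"] == "ProcessCreate" and DRIVE_ROOT_EXE.match(ev["image"])})


def triage(events):
    """Combine the individual indicators into one summary and a verdict."""
    chains = find_injection_chains(events)
    geo = geofence_lookups(events)
    c2 = c2_contacts(events)
    injecting_pids = {ppid for (ppid, _, _) in chains}
    # Escalate only when the process doing the injecting is also the one that
    # ran the geofence check, or when a child reached a known C2.
    verdict = "suspicious" if chains and (injecting_pids & set(geo) or c2) else "review"
    return {"injection_chains": chains, "geofence_pids": geo, "c2_contacts": c2,
            "drive_root_drops": drive_root_drops(events), "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The correlation key is the parent/child relationship: a WriteProcessMemory into a process the writer did not create is a different (and noisier) signal, so `find_injection_chains` deliberately only counts writes into the writer's own children, which is exactly the shape reported for PID 1124.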
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe"
  PID: 1124
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\QQ浏览器.exe (filename means "QQ Browser")
    Command line: "C:\QQ浏览器.exe"
    PID: 5092
    - Executes dropped EXE
  Depth 2: C:\root.exe
    Command line: "C:\root.exe"
    PID: 432
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\QQ浏览器.exe
  Filesize: 72KB
  MD5: c1f3078e5d3382cbac8152b21eeba5cb
  SHA1: b106fe694e326b02039dafe1e1ed4f20aa19b05c
  SHA256: a84bea6cf0e2f9e36bc524fedc51e2ec39e4bd3a5aa346a24b7943eca15cbdfd
  SHA512: 1b02ae6757986f37578860eda53ff8e433374bb6619b887432f7377d4e8cad9bc0d928c6b05d10e05eaeb0bd38f8659ec9881e836421720f4428f756ebb7bf38
C:\root.exe
  Filesize: 72KB
  MD5: bad1f225aa7e82094d7703f361c0bae0
  SHA1: c15b5c91525d3ea0208933411420befccdbfbf52
  SHA256: 8ab95f9aac9eff432e9c14c75f05392e04a312fce9f0cb4f16309acb59476bb7
  SHA512: cc87c5f5cf4a89b74708985faff0fbd6168af07546a1a9c49aba73abc3463d7b3392ddc033c508a8990b51680e611bb944aa9fb06842e8960228951a26171b92
memory/432-25-0x0000000000450000-0x0000000000451000-memory.dmp
  Filesize: 4KB
memory/5092-24-0x0000000000450000-0x0000000000451000-memory.dmp
  Filesize: 4KB
The two dropped files are the same size but have different hashes, so they are not byte-identical copies. The two memory dumps cover the same 4KB region (0x450000-0x451000) in each dropped child process (PIDs 432 and 5092), the processes the parent was observed writing into.