Analysis
-
max time kernel
20s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
19-04-2024 10:47
Static task
static1
Behavioral task
behavioral1
Sample
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97.exe
Resource
win7-20240221-en
General
-
Target
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97.exe
-
Size
254KB
-
MD5
e3b7d39be5e821b59636d0fe7c2944cc
-
SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88
-
SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97
-
SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5
-
SSDEEP
3072:iTAjnioLO7WpLyLNZMcPSK7BaZ0NwAWMGc0HfmY4KsyyOiy12KJ3I4YgTl:i6nrD0ZMcPBAL7c0fTHs+2sYXg
Malware Config
Extracted
metasploit
windows/single_exec
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Executes dropped EXE 1 IoCs
pid Process 2116 cmd.exe -
Loads dropped DLL 1 IoCs
pid Process 2740 389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 cmd.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeShutdownPrivilege 2116 cmd.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2740 wrote to memory of 2116 2740 389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97.exe 28 PID 2740 wrote to memory of 2116 2740 389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97.exe 28 PID 2740 wrote to memory of 2116 2740 389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97.exe 28 PID 2740 wrote to memory of 2116 2740 389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97.exe"C:\Users\Admin\AppData\Local\Temp\389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Users\Admin\AppData\Roaming\{bfab744a-57a0-4f60-8549-bd411868a446}\cmd.exe"C:\Users\Admin\AppData\Roaming\{bfab744a-57a0-4f60-8549-bd411868a446}\cmd.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
254KB
MD5e3b7d39be5e821b59636d0fe7c2944cc
SHA100479a97e415e9b6a5dfb5d04f5d9244bc8fbe88
SHA256389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97
SHA5128f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5