Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-04-2024 04:15
Static task: static1
Behavioral task: behavioral1
- Sample: 268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe
- Resource: win10v2004-20240412-en
General
- Target: 268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe
- Size: 1.7MB
- MD5: eb9cabcd94a20538086b9f481f3264ab
- SHA1: e648e52e26f6484784b8c2c0c7ddd7d6c417110b
- SHA256: 268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d
- SHA512: cbdd8cade72760da4f7c817c6e23ed9b4ef8f9abaee0a92000ee9766ccb0ceb922a66bc351390f64f96d8dca8a0dd405b74591641a6ed5fba28fc1e8ebe473a4
- SSDEEP: 24576:eDOZAx3kzexuUsmPmRk6zj6FQxo5444Je:pA6ze/snOr5P4M
Malware Config
Extracted
metasploit
metasploit_stager
192.168.4.126:3333
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe, cmd.exe
  description | pid | process | target process
  PID 1780 wrote to memory of 3840 | 1780 | 268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe | cmd.exe
  PID 1780 wrote to memory of 3840 | 1780 | 268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe | cmd.exe
  PID 1780 wrote to memory of 3608 | 1780 | 268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe | cmd.exe
  PID 1780 wrote to memory of 3608 | 1780 | 268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe | cmd.exe
  PID 1780 wrote to memory of 4372 | 1780 | 268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe | cmd.exe
  PID 1780 wrote to memory of 4372 | 1780 | 268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe | cmd.exe
  PID 4372 wrote to memory of 1772 | 4372 | cmd.exe | curl.exe
  PID 4372 wrote to memory of 1772 | 4372 | cmd.exe | curl.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C echo "hello world"
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C echo "The operation completed successfully"
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C curl http://192.168.4.70
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\curl.exe
      Command line: curl http://192.168.4.70
Network
MITRE ATT&CK Matrix
Downloads
- memory/1780-0-0x000001B4E8980000-0x000001B4E8981000-memory.dmp (Filesize: 4KB)