Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 29-04-2024 22:52
Behavioral task: behavioral1
- Sample: payload.exe
- Resource: win10-20240404-en
General
- Target: payload.exe
- Size: 7KB
- MD5: 26dc60e5c4449a78bf6d0b83f15fb93d
- SHA1: 574ffb99b8c5a535adf66e80108e8208e5eb249e
- SHA256: a7ad0b33bf09c8987d026a9e9dbc04fd124ec5a61ed9c6726224c6f99a82bdb4
- SHA512: 953fc582734b20eaf8bb8269743d977e73147099fe0c8840394166982b9c46e04d0254c03914edf55a24e7d601a65d474523b52d30cc6efdd1cb42c68132b9f7
- SSDEEP: 24:eFGStrJ9u0/6N1nZdkBQAVv1YLYKZqXeNDMSCvOXpmB:is001kBQYqLY1SD9C2kB
Malware Config
Extracted
- metasploit
- metasploit_stager
- 192.168.88.128:4444
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Drops file in Windows directory (2 IoCs)
  Process: taskmgr.exe
  description | ioc | process
  File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | taskmgr.exe
  File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | taskmgr.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process: taskmgr.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: taskmgr.exe
  pid | process
  2784 | taskmgr.exe (64 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: taskmgr.exe
  pid | process
  2784 | taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Process: taskmgr.exe
  description | pid | process
  Token: SeDebugPrivilege | 2784 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 2784 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 2784 | taskmgr.exe
  Token: 33 | 2784 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 2784 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Process: taskmgr.exe
  pid | process
  2784 | taskmgr.exe (64 occurrences)
- Suspicious use of SendNotifyMessage (64 IoCs)
  Process: taskmgr.exe
  pid | process
  2784 | taskmgr.exe (64 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\payload.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\payload.exe"
  PID: 424
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures:
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2784
Network
MITRE ATT&CK Enterprise v15
Downloads
- memory/424-0-0x0000000140000000-0x0000000140004278-memory.dmp
  Filesize: 16KB