Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 30-04-2024 00:06
Behavioral task
- behavioral1: Sample shell.exe, Resource win10-20240404-en
General
- Target: shell.exe
- Size: 7KB
- MD5: 792638f04fab15fdfdd40d90de3f543a
- SHA1: cf452a13f7b29ba2b6649540571cd3372817f4f4
- SHA256: 2ca47f7ab7e0b4da1fa3fe7ea4b4cedf431c212df06e68a85d0de372fb20e867
- SHA512: 5b9b28e5a3764af754e97a4fb6836bd3062121b5edee10900687fb5d069dde1798caf36920d179092e9731b193a097a30f6459da32507a49bf4d90a21997b8cf
- SSDEEP: 24:eFGStrJ9u0/6gSnZdkBQAVK86WYiKZqM2eNDMSCvOXpmB:is0tqkBQv8iiu2SD9C2kB
Malware Config
Extracted
metasploit
metasploit_stager
192.168.88.128:8080
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Drops file in Windows directory (2 IoCs)
  Processes: taskmgr.exe
  description | ioc | process
  File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | taskmgr.exe
  File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | taskmgr.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: taskmgr.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: taskmgr.exe
  pid | process
  448 | taskmgr.exe (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: taskmgr.exe
  pid | process
  448 | taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: taskmgr.exe
  description | pid | process
  Token: SeDebugPrivilege | 448 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 448 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 448 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes: taskmgr.exe
  pid | process
  448 | taskmgr.exe (64 identical entries)
- Suspicious use of SendNotifyMessage (64 IoCs)
  Processes: taskmgr.exe
  pid | process
  448 | taskmgr.exe (64 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\shell.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\shell.exe"
  PID: 3740
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 448
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage