Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 12-05-2024 07:14
Static task: static1
Behavioral task: behavioral1
- Sample: eef92884c9d53cb6c44e370704c466ace9deea5ca30ff3f87d57826b17e2559f.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: eef92884c9d53cb6c44e370704c466ace9deea5ca30ff3f87d57826b17e2559f.exe
- Resource: win10v2004-20240508-en
General
- Target: eef92884c9d53cb6c44e370704c466ace9deea5ca30ff3f87d57826b17e2559f.exe
- Size: 287KB
- MD5: 92f390f3cb3415d5a8a0288a78b28f27
- SHA1: 24112f35a3eb494dd9f3aa0f5f655e64a54c440d
- SHA256: eef92884c9d53cb6c44e370704c466ace9deea5ca30ff3f87d57826b17e2559f
- SHA512: 4d97c7b06c7119b37a59513d1049b09ddfc00f8abeec14c5f741e4f50aca92294467fdaafc587e106a6564efe2325858a992e33aa8e137955ba52a8498ff9368
- SSDEEP: 6144:z5rnNHxNOCGBcJ/f4ywZfunnMARf4PZudC4z29ysAlgLdt42:dhHxNPmcJ/f4ynnMAtiKmyNk
Malware Config
Extracted
- Family: metasploit
- Payload: windows/download_exec
- URL: http://45.227.253.109:3216/ZhKO
- Headers: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; LBBROWSER)
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 756 set thread context of 2228
    pid: 756
    process: eef92884c9d53cb6c44e370704c466ace9deea5ca30ff3f87d57826b17e2559f.exe
    target process: eef92884c9d53cb6c44e370704c466ace9deea5ca30ff3f87d57826b17e2559f.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (all 13 entries are identical):
    description: PID 756 wrote to memory of 2228
    pid: 756
    process: eef92884c9d53cb6c44e370704c466ace9deea5ca30ff3f87d57826b17e2559f.exe
    target process: eef92884c9d53cb6c44e370704c466ace9deea5ca30ff3f87d57826b17e2559f.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\eef92884c9d53cb6c44e370704c466ace9deea5ca30ff3f87d57826b17e2559f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eef92884c9d53cb6c44e370704c466ace9deea5ca30ff3f87d57826b17e2559f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\eef92884c9d53cb6c44e370704c466ace9deea5ca30ff3f87d57826b17e2559f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\eef92884c9d53cb6c44e370704c466ace9deea5ca30ff3f87d57826b17e2559f.exe"
Downloads
- memory/756-8-0x0000000000560000-0x0000000000660000-memory.dmp (filesize 1024KB)
- memory/756-4-0x00000000002A0000-0x00000000002A5000-memory.dmp (filesize 20KB)
- memory/2228-9-0x0000000000400000-0x0000000000409000-memory.dmp (filesize 36KB)
- memory/2228-6-0x0000000000400000-0x0000000000409000-memory.dmp (filesize 36KB)
- memory/2228-3-0x0000000000400000-0x0000000000409000-memory.dmp (filesize 36KB)
- memory/2228-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (filesize 4KB)
- memory/2228-10-0x0000000000020000-0x0000000000021000-memory.dmp (filesize 4KB)
- memory/2228-17-0x0000000000400000-0x0000000000409000-memory.dmp (filesize 36KB)