Analysis
- max time kernel: 140s
- max time network: 112s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 19:55
Behavioral task: behavioral1
- Sample: 2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe
- Resource: win10v2004-20240508-en
General
- Target: 2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe
- Size: 5.4MB
- MD5: 499e5b15ad0f2c512ee8225ed06103d5
- SHA1: 97cb3cebd8702b712c8f7bfb7bb27a724729a0d9
- SHA256: 2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab
- SHA512: 53eb82197556342410df21d1d701a42f47722191a03e802115948fbf6a306ea31f036b566396288f6001f268a03a3d9649cd829e578b15ce59d48bd1baba5757
- SSDEEP: 98304:LZ3l32PjR/7JNk2heNhj786Hw9oecJllmv9QxTdTtkgC9LIx4ZSCQ:Xwl585soVmEtnCWSZB
Malware Config
Extracted
- Family: metasploit
- Payload: windows/download_exec
- URL: http://45.61.136.138:443/Ew8h
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Loads dropped DLL (3 IoCs)
  Processes:
    pid 3188 | process 2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe (3 occurrences)
- Program crash (1 IoC)
  Processes:
    pid 3076 | pid_target 3188 | process WerFault.exe | target process 2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description Token: 35 | pid 3188 | process 2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description PID 1532 wrote to memory of 3188 | pid 1532 | process 2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe | target process 2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (child)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 1912
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3188 -ip 3188
Downloads
- C:\Users\Admin\AppData\Local\Temp\_MEI15322\VCRUNTIME140.dll
  Filesize: 84KB
  MD5: ae96651cfbd18991d186a029cbecb30c
  SHA1: 18df8af1022b5cb188e3ee98ac5b4da24ac9c526
  SHA256: 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1
  SHA512: 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7
- C:\Users\Admin\AppData\Local\Temp\_MEI15322\_ctypes.pyd
  Filesize: 106KB
  MD5: a4dbe885d83a752b7bde32bf7f447959
  SHA1: abdf727dbafb65fa6c153bb27f83b1248dc0dee1
  SHA256: 57c6fc42b59f8ab7fb24c12345c56e3ffb32b7e21ab34a7c32a96fb71e7cf177
  SHA512: 280616583576073fe0651457698ce2dc7e2a11549610d6d085790f6ad054993a2d54fa691769f2b0172dd5b474271022a9aec02483743e83e5ba08b0417859e1
- C:\Users\Admin\AppData\Local\Temp\_MEI15322\base_library.zip
  Filesize: 768KB
  MD5: 3b3c618ee8a07c6c5e3ca7724e949e52
  SHA1: 2278f971a1bb73c205efa63f779990e36e99d063
  SHA256: a8a52e2cfc1ac3f66c4fce7503f6fd99bd57aae36113ecf813f9c4d73e0f8e47
  SHA512: ac56ee4e7c4b1bbf8aead3d293732b69e23f2506354365a2f9f806d823df325d87bcc19a778ec3c53fc592496577af44c4e65df313f98937e663e84319ad665d
- C:\Users\Admin\AppData\Local\Temp\_MEI15322\python37.dll
  Filesize: 3.4MB
  MD5: d3773a598d5ee7000b780baeee632c89
  SHA1: fad27813c9363865314f170b1f9307295a1b9527
  SHA256: ce2fba169806999fe554031b3f65e6361d9fa3e280ed8bf886c97c96d5d623df
  SHA512: 372b80dae1886b3fb74cf0e733487ec8d69fb72cedaac16afa6272b7d4b3201455a752ef0cb8b8843f8389bd92b149960a18d33509aa6d8c33fe9308ae927564
- memory/3188-61-0x0000000003230000-0x0000000003231000-memory.dmp
  Filesize: 4KB
- memory/3188-64-0x0000000004670000-0x0000000004A70000-memory.dmp
  Filesize: 4.0MB