Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-05-2024 14:21

General

  • Target
    92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe
  • Size
    4.6MB
  • MD5
    8504b5cd851e7bc6e40689123d1b63dc
  • SHA1
    b5429076b22ac0ba859dd838cc3474413b3b601e
  • SHA256
    92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362
  • SHA512
    80b0f74bb108a8676af7f777a2026dce92652e1a541617a578aeb28855a969ae004c82b089fa6e502b6381fcda64e0448c0d407a2cedc22a834f067e07f511a1
  • SSDEEP
    98304:/sYHQcsibw8SPLeTtSQo5Z8DERxrfExYzxc960OTbJd6ufJLF:kYwcXMHLKy6tx4c9WnJ5L

Malware Config

Extracted

  • Family
    metasploit
  • Version
    windows/reverse_tcp
  • C2
    192.168.188.128:5577

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Loads dropped DLL (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe
    "C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe
      "C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:2056

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI3842\1.exe.manifest
    Filesize: 1KB
    MD5: 0438cd033a562d3185f556f430fe722a
    SHA1: aa2b55ac2476df339f8d3136f20a5709bde0f69c
    SHA256: b49026e09006b519c4168f37c6311a92738592d5ba6451975c183caaa150f0e5
    SHA512: f80657ed9481c38505fe1358fabb6b54e9b29cac28bf3219e0124420e30bec28a5c3e50e883d8465f6d7437a433b0ce730f1b37e8890acaded9f5bda4a817b43

  • C:\Users\Admin\AppData\Local\Temp\_MEI3842\Crypto.Cipher._AES.pyd
    Filesize: 29KB
    MD5: 3c4ab2e06feb6e4ca1b7a1244055671a
    SHA1: a4c3c44b45248b7cf53881e6d8efa8d557e100a9
    SHA256: c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23
    SHA512: 7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c

  • C:\Users\Admin\AppData\Local\Temp\_MEI3842\MSVCR100.dll
    Filesize: 755KB
    MD5: bf38660a9125935658cfa3e53fdc7d65
    SHA1: 0b51fb415ec89848f339f8989d323bea722bfd70
    SHA256: 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
    SHA512: 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

  • C:\Users\Admin\AppData\Local\Temp\_MEI3842\_ctypes.pyd
    Filesize: 83KB
    MD5: 5d1bc1be2f02b4a2890e921af15190d2
    SHA1: 057c88438b40cd8e73554274171341244f107139
    SHA256: 97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da
    SHA512: 9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9

  • C:\Users\Admin\AppData\Local\Temp\_MEI3842\base_library.zip
    Filesize: 717KB
    MD5: cdf57168a1995b187681efea85b33500
    SHA1: 1e852b89fbd1adf4abc5135dbf7fbba53d3f38ec
    SHA256: 18a0fa1644ac09334dae491a5be7973b927a95ab7fcc8e8828ccbb249a5ed369
    SHA512: 9082951c3889d94e271f564893781f697ed2de5edfa9a033f7531a172d6349c14d23666f1b1857c09979d5518f19d7096bd7c3719d7e3302aa9eb92374c63e1e

  • C:\Users\Admin\AppData\Local\Temp\_MEI3842\python34.dll
    Filesize: 2.6MB
    MD5: 4ee1ea91b7263bed66ff01bc80649e90
    SHA1: a93b548933b291c13bb2e7cbc0c17409d2f875a4
    SHA256: 0f14047ea66eae192a9750f7b0e329873e8b554de58ca332c9acbdc4d63e10e3
    SHA512: ef52f934aa39b5d6c6f152a9b5a159957e68471d117bd002330ee18d9143987d79dd7bce9208ce0ffb0699acb05169a15ed75d2ce4128e52e31b7f60f3ee51a4

  • memory/384-27-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize: 192KB

  • memory/2056-25-0x00000000003B0000-0x00000000003B1000-memory.dmp
    Filesize: 4KB

  • memory/2056-28-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize: 192KB