Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-05-2024 14:21
Behavioral task behavioral1
Sample: 92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe
Resource: win7-20240215-en

Behavioral task behavioral2
Sample: 92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe
Resource: win10v2004-20240426-en
General

Target: 92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe
Size: 4.6MB
MD5: 8504b5cd851e7bc6e40689123d1b63dc
SHA1: b5429076b22ac0ba859dd838cc3474413b3b601e
SHA256: 92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362
SHA512: 80b0f74bb108a8676af7f777a2026dce92652e1a541617a578aeb28855a969ae004c82b089fa6e502b6381fcda64e0448c0d407a2cedc22a834f067e07f511a1
SSDEEP: 98304:/sYHQcsibw8SPLeTtSQo5Z8DERxrfExYzxc960OTbJd6ufJLF:kYwcXMHLKy6tx4c9WnJ5L
Malware Config
Extracted
metasploit
windows/reverse_tcp
192.168.188.128:5577
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Loads dropped DLL (4 IoCs)
Processes (pid | process):
3152 | 92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe (listed 4 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description | pid | process):
Token: 35 | 3152 | 92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description | pid | process | target process):
PID 624 wrote to memory of 3152 | 624 | 92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe | 92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe (listed 3 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe"
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI6242\1.exe.manifest
Filesize: 1KB
MD5: 0438cd033a562d3185f556f430fe722a
SHA1: aa2b55ac2476df339f8d3136f20a5709bde0f69c
SHA256: b49026e09006b519c4168f37c6311a92738592d5ba6451975c183caaa150f0e5
SHA512: f80657ed9481c38505fe1358fabb6b54e9b29cac28bf3219e0124420e30bec28a5c3e50e883d8465f6d7437a433b0ce730f1b37e8890acaded9f5bda4a817b43

C:\Users\Admin\AppData\Local\Temp\_MEI6242\Crypto.Cipher._AES.pyd
Filesize: 29KB
MD5: 3c4ab2e06feb6e4ca1b7a1244055671a
SHA1: a4c3c44b45248b7cf53881e6d8efa8d557e100a9
SHA256: c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23
SHA512: 7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c

C:\Users\Admin\AppData\Local\Temp\_MEI6242\MSVCR100.dll
Filesize: 755KB
MD5: bf38660a9125935658cfa3e53fdc7d65
SHA1: 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256: 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512: 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Local\Temp\_MEI6242\_ctypes.pyd
Filesize: 83KB
MD5: 5d1bc1be2f02b4a2890e921af15190d2
SHA1: 057c88438b40cd8e73554274171341244f107139
SHA256: 97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da
SHA512: 9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9

C:\Users\Admin\AppData\Local\Temp\_MEI6242\base_library.zip
Filesize: 717KB
MD5: cdf57168a1995b187681efea85b33500
SHA1: 1e852b89fbd1adf4abc5135dbf7fbba53d3f38ec
SHA256: 18a0fa1644ac09334dae491a5be7973b927a95ab7fcc8e8828ccbb249a5ed369
SHA512: 9082951c3889d94e271f564893781f697ed2de5edfa9a033f7531a172d6349c14d23666f1b1857c09979d5518f19d7096bd7c3719d7e3302aa9eb92374c63e1e

C:\Users\Admin\AppData\Local\Temp\_MEI6242\python34.dll
Filesize: 2.6MB
MD5: 4ee1ea91b7263bed66ff01bc80649e90
SHA1: a93b548933b291c13bb2e7cbc0c17409d2f875a4
SHA256: 0f14047ea66eae192a9750f7b0e329873e8b554de58ca332c9acbdc4d63e10e3
SHA512: ef52f934aa39b5d6c6f152a9b5a159957e68471d117bd002330ee18d9143987d79dd7bce9208ce0ffb0699acb05169a15ed75d2ce4128e52e31b7f60f3ee51a4

memory/624-27-0x0000000000400000-0x0000000000430000-memory.dmp
Filesize: 192KB

memory/3152-25-0x0000000000C70000-0x0000000000C71000-memory.dmp
Filesize: 4KB

memory/3152-28-0x0000000000400000-0x0000000000430000-memory.dmp
Filesize: 192KB