Analysis
-
max time kernel
105s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
27-05-2024 06:35
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-27_a3fdda6699341de4b5d9baa69d4128f9_avoslocker_magniber.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2024-05-27_a3fdda6699341de4b5d9baa69d4128f9_avoslocker_magniber.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-05-27_a3fdda6699341de4b5d9baa69d4128f9_avoslocker_magniber.exe
-
Size
11.8MB
-
MD5
a3fdda6699341de4b5d9baa69d4128f9
-
SHA1
be119f2349951146c8ee697cb556a2fd373a2772
-
SHA256
bf341af967eb41cec554c11507086e20a0313190c2543f73917f2ffbe38724a1
-
SHA512
e8410c8e03711445ffc23b79a96f3f379d94b7507a1d42280a703282b61599489d71a0655ccfb6f8f131e5f0c57b5ee84e5cd2b70597060a2dd8c2ca08c2fd0f
-
SSDEEP
196608:t19Ki8a/Qa4vHdlounj1SHNURgXjZFuGhNIMPSvoTk91HJd2OhZ9se8pF8w/wobr:t3Ki5IDvHd+ujFOXjbNIMYCI1WOhY/wc
Malware Config
Extracted
metasploit
windows/shell_reverse_tcp
192.168.56.110:4444
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Blocklisted process makes network request 1 IoCs
Processes:
msiexec.exeflow pid process 15 2816 msiexec.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exedescription ioc process File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
msiexec.exemsiexec.exedescription pid process Token: SeShutdownPrivilege 2816 msiexec.exe Token: SeIncreaseQuotaPrivilege 2816 msiexec.exe Token: SeSecurityPrivilege 4280 msiexec.exe Token: SeCreateTokenPrivilege 2816 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2816 msiexec.exe Token: SeLockMemoryPrivilege 2816 msiexec.exe Token: SeIncreaseQuotaPrivilege 2816 msiexec.exe Token: SeMachineAccountPrivilege 2816 msiexec.exe Token: SeTcbPrivilege 2816 msiexec.exe Token: SeSecurityPrivilege 2816 msiexec.exe Token: SeTakeOwnershipPrivilege 2816 msiexec.exe Token: SeLoadDriverPrivilege 2816 msiexec.exe Token: SeSystemProfilePrivilege 2816 msiexec.exe Token: SeSystemtimePrivilege 2816 msiexec.exe Token: SeProfSingleProcessPrivilege 2816 msiexec.exe Token: SeIncBasePriorityPrivilege 2816 msiexec.exe Token: SeCreatePagefilePrivilege 2816 msiexec.exe Token: SeCreatePermanentPrivilege 2816 msiexec.exe Token: SeBackupPrivilege 2816 msiexec.exe Token: SeRestorePrivilege 2816 msiexec.exe Token: SeShutdownPrivilege 2816 msiexec.exe Token: SeDebugPrivilege 2816 msiexec.exe Token: SeAuditPrivilege 2816 msiexec.exe Token: SeSystemEnvironmentPrivilege 2816 msiexec.exe Token: SeChangeNotifyPrivilege 2816 msiexec.exe Token: SeRemoteShutdownPrivilege 2816 msiexec.exe Token: SeUndockPrivilege 2816 msiexec.exe Token: SeSyncAgentPrivilege 2816 msiexec.exe Token: SeEnableDelegationPrivilege 2816 msiexec.exe Token: SeManageVolumePrivilege 2816 msiexec.exe Token: SeImpersonatePrivilege 2816 msiexec.exe Token: SeCreateGlobalPrivilege 2816 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 2816 msiexec.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
2024-05-27_a3fdda6699341de4b5d9baa69d4128f9_avoslocker_magniber.exedescription pid process target process PID 2856 wrote to memory of 2816 2856 2024-05-27_a3fdda6699341de4b5d9baa69d4128f9_avoslocker_magniber.exe msiexec.exe PID 2856 wrote to memory of 2816 2856 2024-05-27_a3fdda6699341de4b5d9baa69d4128f9_avoslocker_magniber.exe msiexec.exe PID 2856 wrote to memory of 2816 2856 2024-05-27_a3fdda6699341de4b5d9baa69d4128f9_avoslocker_magniber.exe msiexec.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-27_a3fdda6699341de4b5d9baa69d4128f9_avoslocker_magniber.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-27_a3fdda6699341de4b5d9baa69d4128f9_avoslocker_magniber.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\system32\msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\vnc64.msi ProductLanguage=10332⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\vnc64.msiFilesize
5.5MB
MD544cfd2654bb131ad0a21dac08f63e4dc
SHA1031988f54e2bfe3b240b18d7c187fe4bed1e489c
SHA256c5ed8a534c4f9cc9ce44295b5741fb4ceafb70404b2f82db074bdbb9072db0d0
SHA5120e6e67a3ab0a13ab21c45953753128fb554ae307f06d61c3c0902e9e3728f96a7e21fa016d1f988b6e61665600887e182d9e3a92ecadf5837b9387576b53e4d1
-
memory/2856-0-0x0000000001140000-0x0000000001141000-memory.dmpFilesize
4KB
-
memory/2856-1-0x0000000001140000-0x0000000001141000-memory.dmpFilesize
4KB