Analysis
-
max time kernel
4s -
max time network
3s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
01-06-2024 20:03
Static task
static1
Behavioral task
behavioral1
Sample
328cd97394fc1bdd4f7ff410d4617313fa86f7378fe8c31c9dc1b2ef7fa4ad75.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
328cd97394fc1bdd4f7ff410d4617313fa86f7378fe8c31c9dc1b2ef7fa4ad75.exe
Resource
win10v2004-20240426-en
Errors
General
-
Target
328cd97394fc1bdd4f7ff410d4617313fa86f7378fe8c31c9dc1b2ef7fa4ad75.exe
-
Size
255KB
-
MD5
31264aee72db89daba8014e491e3e8c9
-
SHA1
8a301f56d5952e8504ac955385a572bc34d0987f
-
SHA256
328cd97394fc1bdd4f7ff410d4617313fa86f7378fe8c31c9dc1b2ef7fa4ad75
-
SHA512
11a688aa66a36fefd7054efbb3a95a7b38dc601f48214b87a1aa83d88d61578b3a938c97c2150352f2834bde6a1cddaf4a70609c3ce84d405f05abac90aef857
-
SSDEEP
3072:fTAjnioLO7WpLyLNZ45OlTZHiKb8ljJ3ijAviJcfM698RyOiy12KJ3qi4YgTl:f6nrD0ZvRcjcOiJ+98X2sfXg
Malware Config
Extracted
metasploit
windows/single_exec
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Auto-generated rule 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\{15b033e6-318d-42a1-b3be-70f3288ccebe}\OposHost.exe GoldenEyeRansomware_Dropper_MalformedZoomit -
Detects Reflective DLL injection artifacts 2 IoCs
Processes:
resource yara_rule behavioral2/memory/4940-1-0x0000000000620000-0x000000000063A000-memory.dmp INDICATOR_SUSPICIOUS_ReflectiveLoader behavioral2/memory/1160-12-0x00000000020A0000-0x00000000020BA000-memory.dmp INDICATOR_SUSPICIOUS_ReflectiveLoader -
Executes dropped EXE 1 IoCs
Processes:
OposHost.exepid process 1160 OposHost.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
OposHost.exedescription ioc process File opened for modification \??\PhysicalDrive0 OposHost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
OposHost.exedescription pid process Token: SeShutdownPrivilege 1160 OposHost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
328cd97394fc1bdd4f7ff410d4617313fa86f7378fe8c31c9dc1b2ef7fa4ad75.exedescription pid process target process PID 4940 wrote to memory of 1160 4940 328cd97394fc1bdd4f7ff410d4617313fa86f7378fe8c31c9dc1b2ef7fa4ad75.exe OposHost.exe PID 4940 wrote to memory of 1160 4940 328cd97394fc1bdd4f7ff410d4617313fa86f7378fe8c31c9dc1b2ef7fa4ad75.exe OposHost.exe PID 4940 wrote to memory of 1160 4940 328cd97394fc1bdd4f7ff410d4617313fa86f7378fe8c31c9dc1b2ef7fa4ad75.exe OposHost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\328cd97394fc1bdd4f7ff410d4617313fa86f7378fe8c31c9dc1b2ef7fa4ad75.exe"C:\Users\Admin\AppData\Local\Temp\328cd97394fc1bdd4f7ff410d4617313fa86f7378fe8c31c9dc1b2ef7fa4ad75.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{15b033e6-318d-42a1-b3be-70f3288ccebe}\OposHost.exe"C:\Users\Admin\AppData\Roaming\{15b033e6-318d-42a1-b3be-70f3288ccebe}\OposHost.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\{15b033e6-318d-42a1-b3be-70f3288ccebe}\OposHost.exeFilesize
255KB
MD531264aee72db89daba8014e491e3e8c9
SHA18a301f56d5952e8504ac955385a572bc34d0987f
SHA256328cd97394fc1bdd4f7ff410d4617313fa86f7378fe8c31c9dc1b2ef7fa4ad75
SHA51211a688aa66a36fefd7054efbb3a95a7b38dc601f48214b87a1aa83d88d61578b3a938c97c2150352f2834bde6a1cddaf4a70609c3ce84d405f05abac90aef857
-
memory/1160-12-0x00000000020A0000-0x00000000020BA000-memory.dmpFilesize
104KB
-
memory/4940-1-0x0000000000620000-0x000000000063A000-memory.dmpFilesize
104KB
-
memory/4940-0-0x0000000000600000-0x0000000000616000-memory.dmpFilesize
88KB