Analysis
-
max time kernel
93s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
25-09-2024 05:53
General
-
Target
a82483d20fc1d574f0d1f4f5fd91a32a5007653e0d0b100b2ca64933300db936.exe
-
Size
404KB
-
MD5
2acfaf4eb039155976d0ac9685bf4e43
-
SHA1
973e86e24d8e41db0ce2fe9a09a3bfe67ad6b140
-
SHA256
a82483d20fc1d574f0d1f4f5fd91a32a5007653e0d0b100b2ca64933300db936
-
SHA512
bf7778bda716ac24c86e80ae65988a6f8d58e1a380b3dbf01256d38e9390f159c21f78ade0be8099b7e049d69d8134a09d34ba11506dbae460cb2256074e9a23
-
SSDEEP
6144:hDlB1Lwx1CBBvADVxM2jdakcDGKLOwC5IJIov+MBX+tWdKd6SQ:h7XCVxM2xaPDGjnI+YBX+tWEO
Malware Config
Extracted
metasploit
windows/download_exec
http://206.166.251.28:80/jLOW
- headers User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a82483d20fc1d574f0d1f4f5fd91a32a5007653e0d0b100b2ca64933300db936.exe"C:\Users\Admin\AppData\Local\Temp\a82483d20fc1d574f0d1f4f5fd91a32a5007653e0d0b100b2ca64933300db936.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\start64X32.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\start64X32.cmd" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c C:\Users\Public\start64X32.exe exploit all4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\start64X32.exeC:\Users\Public\start64X32.exe exploit all5⤵
- Executes dropped EXE
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53B
MD59fe897aebae8f04f53fad6c9b56ef95f
SHA11767f17445e4b9f03b7088751492a47f6b0e17a9
SHA2560facc35ee9a222761102527c66f2224d7b86b1c8bff347eefd2bd0a351f53bf9
SHA5128af3277ee428ffa4d4341cdbad2c52d6e576241efacc966d357d22d06babfeca608b13265948f263577e274e4db6f978b6d3bf4e428393c2a0bb367b6c28a593
-
Filesize
23KB
MD5d3c46519321800a8c412008247fd89c1
SHA13627d8195920ea09c7e62ce94dc64c354aeba78c
SHA2569662baafc3b1796c67a884a2de426658eb2b22d7dea4da232edecc3f519308e5
SHA512793923e22bd3ed966be2b6ba7687f50070e6e937ccc3d3d192418c5698938638d4eb2473c22865ad33c12042601c440df275a076f60744dd2e2c1f37149782ad
-
Filesize
115B
MD5525366874023a8a95d5dabe50bd63371
SHA18636787caa00dfa9c06231f67da8dfb9cd58da49
SHA256b2211cfa2ecd8cec86e145b4f43333ca7e06a506ba1cf895dd31887a33cfe88e
SHA5126599082a7b51bcbef5149ef380b41d540a0ce074e49dd8b506953b860959b5f045639770b8e4cfbb008245daeaab92cbad49e3d7914791f4595fa9d7f6f5f9a7
-
Filesize
48KB