Analysis
-
max time kernel
75s -
max time network
36s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
04-11-2024 11:39
Static task
static1
Behavioral task
behavioral1
Sample
MFA_migration_patchv3.5.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
MFA_migration_patchv3.5.exe
Resource
win10v2004-20241007-en
General
-
Target
MFA_migration_patchv3.5.exe
-
Size
2.9MB
-
MD5
889b3e191a04ab49d4073595d75f588c
-
SHA1
69f26dd90da1023d642803840d8c0683ed145721
-
SHA256
75f8b70d8625cede00db1108c56ebcd577e6fc7b029b9eb2e47ffafefa669f88
-
SHA512
c4a6d14abe872af5edfc1fb90da6787271ec624d6e1639f6c19c55be7d6d0cb563609abf78288695c4b63368f33cf84344659b4ba1c07d23e01ff0a3560fc6a8
-
SSDEEP
49152:otg7ETQsdPk46ZJxwe8OGQQzqhwCdxKKTUqZIt7tTt+YsaGGCj/TeDeJQxHEExLS:mtdPRGS5maKZUga7tMFGNDtNEoJM
Malware Config
Extracted
metasploit
windows/download_exec
http://105.112.107.100:80/TncD
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Loads dropped DLL 3 IoCs
Processes:
MFA_migration_patchv3.5.exepid Process 3000 MFA_migration_patchv3.5.exe 3000 MFA_migration_patchv3.5.exe 3000 MFA_migration_patchv3.5.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
MFA_migration_patchv3.5.exeMFA_migration_patchv3.5.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MFA_migration_patchv3.5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MFA_migration_patchv3.5.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
MFA_migration_patchv3.5.exedescription pid Process procid_target PID 2116 wrote to memory of 3000 2116 MFA_migration_patchv3.5.exe 30 PID 2116 wrote to memory of 3000 2116 MFA_migration_patchv3.5.exe 30 PID 2116 wrote to memory of 3000 2116 MFA_migration_patchv3.5.exe 30 PID 2116 wrote to memory of 3000 2116 MFA_migration_patchv3.5.exe 30 PID 2116 wrote to memory of 3000 2116 MFA_migration_patchv3.5.exe 30 PID 2116 wrote to memory of 3000 2116 MFA_migration_patchv3.5.exe 30 PID 2116 wrote to memory of 3000 2116 MFA_migration_patchv3.5.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\MFA_migration_patchv3.5.exe"C:\Users\Admin\AppData\Local\Temp\MFA_migration_patchv3.5.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\MFA_migration_patchv3.5.exe"C:\Users\Admin\AppData\Local\Temp\MFA_migration_patchv3.5.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3000
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD5dd3db5480eb52e8f69d47f3b725e6bfb
SHA1cb14cda7f5e3e2b88c823e4d15643680398b361e
SHA25651054f4d28782b6698b1b6510317650e797e11f87fa29fceaf8559b6bcbf4dfe
SHA512c94216dcd0dc3000304b2b4704dd29bfeed35c9b6158d3ff1cc86084a1753060b72bd48678d5662c8e10205e1a866361f7a455f177dbf364814ee317679bff23
-
Filesize
85KB
MD5d0e6bee31c7f2b0de979562ce5f6444f
SHA19223853061b067f7af17007067d24ce746917d1d
SHA256f6fb937147342609a793a1ccb839ad504ec0e7807d072a9ac6eb51ba846e17a9
SHA5123d64a460178479eec3cd1a65421dafb78b15011fcae472873ab28fb1ecc42482d00b141426874b12beef9247ad6b4afe1bd723d398f37d44316bc1b9c4dba434
-
Filesize
2.3MB
MD5df1a706ed563fa3f0b48f427609708f4
SHA15c479ffca8a2d71023c2522f54ed3f6f36f88e79
SHA2565c4f7eb850cb4ebd35c039be7319e2ed05439418884d414001e015c4637585fc
SHA5128757e27d78291f48237a5b4b15cea26d08d03c8b9ff1ad61c50d890b3e8b62fd0db819959b9c13b3d88ebe3e54ae176fc67d02ffe62c89c577af1866cb238a73