Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
06-11-2024 08:17
Behavioral task
behavioral1
Sample
8597aa1db8457c9b8e2e636c55a56978.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
8597aa1db8457c9b8e2e636c55a56978.exe
Resource
win10v2004-20241007-en
General
-
Target
8597aa1db8457c9b8e2e636c55a56978.exe
-
Size
72KB
-
MD5
8597aa1db8457c9b8e2e636c55a56978
-
SHA1
d6ee74a13ee56eb7556e88b5b646e1c3581bf163
-
SHA256
e1579bd0d471cdfbcadbb1b27454da080a6a5e13021033208b7592ccea607320
-
SHA512
943299ec65c1ebf0e74725648419ca76bdba72cbc39accb63305f57bba45c88227e9df80aebea9dfe47014c534e7067e7e844584356c6a39097d816c27c6a22f
-
SSDEEP
1536:IufFI9hcqd4hsUg072KIw3GbzToOMb+KR0Nc8QsJq39:ffFIIqCsl0SPw3ge0Nc8QsC9
Malware Config
Extracted
metasploit
windows/reverse_http
http://downsexv.com:8080/pptFudI4N_bZd9h2vlE2HgX6nJupnvnNvPpodtqLmxX2OC5MJtjR8Cw2hx7Jj0FM_ofkLnmJ
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 1844 3900 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
8597aa1db8457c9b8e2e636c55a56978.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8597aa1db8457c9b8e2e636c55a56978.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8597aa1db8457c9b8e2e636c55a56978.exe"C:\Users\Admin\AppData\Local\Temp\8597aa1db8457c9b8e2e636c55a56978.exe"1⤵
- System Location Discovery: System Language Discovery
PID:3900 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 11562⤵
- Program crash
PID:1844
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3900 -ip 39001⤵PID:2772