Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
27-06-2024 20:28
Static task
static1
Behavioral task
behavioral1
Sample
a8b1650fa5f73eaaccf9a3406c9c9d9a024e2c8ebae1d63d97dfb5da9466e333.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
a8b1650fa5f73eaaccf9a3406c9c9d9a024e2c8ebae1d63d97dfb5da9466e333.exe
Resource
win10v2004-20240508-en
General
-
Target
a8b1650fa5f73eaaccf9a3406c9c9d9a024e2c8ebae1d63d97dfb5da9466e333.exe
-
Size
3.6MB
-
MD5
c6d93d22769ff79b5bce433c959cceb5
-
SHA1
cbf8a4e2d5cc261dde9e6c639346f590c7139e87
-
SHA256
a8b1650fa5f73eaaccf9a3406c9c9d9a024e2c8ebae1d63d97dfb5da9466e333
-
SHA512
5fbbce3989bf5b22a1027cc4844766b09c633892dd5c02f9d084b204cc48e6226457c19685199b5bcefb678ce41428674d2fba3ae3392fcb5fc39441974069c0
-
SSDEEP
49152:o08shxtUg9OUi82w6aQp9dgS1GUL38XhCOYc3iJXe9emEPGKfPkQThMYRMnm7LBX:o08ddsGaQNgS1C6eVngKpq
Malware Config
Extracted
metasploit
windows/shell_reverse_tcp
192.168.1.175:2523
212.154.6.128:2523
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Loads dropped DLL 1 IoCs
Processes:
a8b1650fa5f73eaaccf9a3406c9c9d9a024e2c8ebae1d63d97dfb5da9466e333.exepid process 4232 a8b1650fa5f73eaaccf9a3406c9c9d9a024e2c8ebae1d63d97dfb5da9466e333.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
a8b1650fa5f73eaaccf9a3406c9c9d9a024e2c8ebae1d63d97dfb5da9466e333.exedescription ioc process File opened (read-only) \??\F: a8b1650fa5f73eaaccf9a3406c9c9d9a024e2c8ebae1d63d97dfb5da9466e333.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
a8b1650fa5f73eaaccf9a3406c9c9d9a024e2c8ebae1d63d97dfb5da9466e333.exedescription ioc process File opened for modification \??\PhysicalDrive0 a8b1650fa5f73eaaccf9a3406c9c9d9a024e2c8ebae1d63d97dfb5da9466e333.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
a8b1650fa5f73eaaccf9a3406c9c9d9a024e2c8ebae1d63d97dfb5da9466e333.exepid process 4232 a8b1650fa5f73eaaccf9a3406c9c9d9a024e2c8ebae1d63d97dfb5da9466e333.exe 4232 a8b1650fa5f73eaaccf9a3406c9c9d9a024e2c8ebae1d63d97dfb5da9466e333.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8b1650fa5f73eaaccf9a3406c9c9d9a024e2c8ebae1d63d97dfb5da9466e333.exe"C:\Users\Admin\AppData\Local\Temp\a8b1650fa5f73eaaccf9a3406c9c9d9a024e2c8ebae1d63d97dfb5da9466e333.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Tencent\TxGameAssistant\TGBDownloader\dr.dllFilesize
74KB
MD52814acbd607ba47bdbcdf6ac3076ee95
SHA150ab892071bed2bb2365ca1d4bf5594e71c6b13b
SHA2565904a7e4d97eeac939662c3638a0e145f64ff3dd0198f895c4bf0337595c6a67
SHA51234c73014ffc8d38d6dd29f4f84c8f4f9ea971bc131f665f65b277f453504d5efc2d483a792cdea610c5e0544bf3997b132dcdbe37224912c5234c15cdb89d498
-
memory/4232-1-0x0000000000800000-0x0000000000801000-memory.dmpFilesize
4KB
-
memory/4232-0-0x0000000000800000-0x0000000000801000-memory.dmpFilesize
4KB
-
memory/4232-3-0x00000000009C0000-0x00000000009C1000-memory.dmpFilesize
4KB
-
memory/4232-2-0x00000000009C0000-0x00000000009C1000-memory.dmpFilesize
4KB