Analysis
- max time kernel: 285s
- max time network: 297s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 30-06-2024 12:57
- Static task: static1
- Behavioral task: behavioral1 (sample nDqOiSmU.vbs, resource win7-20240508-en)
- Behavioral task: behavioral2 (sample nDqOiSmU.vbs, resource win10v2004-20240611-en)

The platform and resource fields above identify the results on this page as the windows7_x64 run (behavioral1); the win10v2004 task is listed but its results are not part of this page.
General
- Target: nDqOiSmU.vbs
- Size: 10KB
- MD5: 161b4e988b395a2942c84f127f36a274
- SHA1: 2d43c412b6939557de9770944eae7bd87c9dc363
- SHA256: aaebe94f90f33e30b24bbce26899e6c5d6dfb63abd91d32e45d42abc5933755a
- SHA512: dec2fba3fc3ebe45dac3fe80921eaae39044efa5ba37ee19d8838c5eaab2c779ddda57c58df77b44eace700c902eac440f0cf64158ab2bf54c26cdf044e8bc48
- SSDEEP: 48:ZHG0n6qtcQaryowcGDDuJ22GZSo2ke5ETurr5WeXDatEAc7Aum:Y2KryowcGDDuJ23Te5ETusemQXm
Malware Config
Extracted
- Family: metasploit
- Rule: metasploit_stager
- C2 (stager connect-back): 51.75.140.195:4444
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (2 IoCs)
  Processes: PID 2348 HYIZFiFx.exe; PID 2388 HYIZFiFx.exe
- Loads dropped DLL (4 IoCs)
  Processes: PID 1232 WScript.exe (4 load events)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (6 IoCs)
  Writer PID  Writer image  Target PID  Target image  Events
  1232        WScript.exe   2348        HYIZFiFx.exe  3
  1232        WScript.exe   2388        HYIZFiFx.exe  3

  Creating a child process itself makes the parent write into the new process (the process parameter block is placed there with NtWriteVirtualMemory), so a few WriteProcessMemory events from a parent into a child it has just spawned are expected and are not, on their own, evidence of code injection. What makes the events here worth attention is the context: a script host spawning, and writing into, executables it has just dropped.
Processes
- C:\Windows\System32\WScript.exe (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nDqOiSmU.vbs"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\radF51D8.tmp\HYIZFiFx.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\radF51D8.tmp\HYIZFiFx.exe"
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\rad0CB7C.tmp\HYIZFiFx.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rad0CB7C.tmp\HYIZFiFx.exe"
    Signatures: Executes dropped EXE

The two HYIZFiFx.exe instances are PIDs 2348 and 2388 (see Signatures); the report does not state which path belongs to which PID. The rad#####.tmp folder names are the form returned by Scripting.FileSystemObject.GetTempName, consistent with the VBS dropper writing its payload to a freshly created temp folder and executing it from there.
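The report lists its WriteProcessMemory events and process tree as run-together text. The following is an added example for this write-up, not part of the sandbox report or of any tool it names: it parses those lines into structured events, collapses duplicates, applies a simple detection rule (a Windows Script Host process writing into a child that runs from a rad#####.tmp folder under %TEMP%), and validates the extracted C2 endpoint before it would go into a blocklist. Assumptions: the pairing of PID 2348 with the radF51D8.tmp copy and PID 2388 with the rad0CB7C.tmp copy (the report gives both PIDs and both paths but does not pair them), and the detection rule itself, which is chosen to fit this sample.

```python
"""Structure the IOCs from the sandbox report above.

Added example for this write-up; not part of the report or of any tool it
names. Input strings are copied from the report's Signatures, Processes and
Malware Config sections. The PID-to-path pairing for the two children and the
detection rule are assumptions (see the lead-in).
"""
import ipaddress
import re
from collections import Counter

# Copied verbatim from the "Suspicious use of WriteProcessMemory" signature.
WPM_RAW = (
    "PID 1232 wrote to memory of 2348 1232 WScript.exe HYIZFiFx.exe "
    "PID 1232 wrote to memory of 2348 1232 WScript.exe HYIZFiFx.exe "
    "PID 1232 wrote to memory of 2348 1232 WScript.exe HYIZFiFx.exe "
    "PID 1232 wrote to memory of 2388 1232 WScript.exe HYIZFiFx.exe "
    "PID 1232 wrote to memory of 2388 1232 WScript.exe HYIZFiFx.exe "
    "PID 1232 wrote to memory of 2388 1232 WScript.exe HYIZFiFx.exe"
)

# PID -> image path. Paths come from the report's process tree; which child
# PID belongs to which path is an assumption.
PROCESSES = {
    1232: r"C:\Windows\System32\WScript.exe",
    2348: r"C:\Users\Admin\AppData\Local\Temp\radF51D8.tmp\HYIZFiFx.exe",
    2388: r"C:\Users\Admin\AppData\Local\Temp\rad0CB7C.tmp\HYIZFiFx.exe",
}

# From the report's Malware Config section.
C2 = "51.75.140.195:4444"

# One event reads:
# "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# FileSystemObject.GetTempName() returns "rad" + 5 hex digits + ".tmp"; a
# payload executing from such a folder under \Temp\ is the dropper pattern.
RAD_TMP_DIR_RE = re.compile(r"\\Temp\\rad[0-9A-F]{5}\.tmp\\", re.IGNORECASE)


def parse_wpm(raw: str) -> list[tuple[int, int, str, str]]:
    """Split the run-together signature text into one tuple per event:
    (writer pid, target pid, writer image, target image)."""
    events = []
    for writer, target, writer_again, writer_img, target_img in WPM_RE.findall(raw):
        if writer != writer_again:  # malformed record: skip rather than mis-attribute
            continue
        events.append((int(writer), int(target), writer_img, target_img))
    return events


def edge_counts(events) -> Counter:
    """Collapse repeated events into (writer pid, target pid) -> count."""
    return Counter((w, t) for w, t, _, _ in events)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_script_host_injection(events, processes) -> list[dict]:
    """Return every writer->target pair where a script host wrote into a
    process whose image lives in a rad#####.tmp folder under Temp."""
    findings = []
    for (w, t), n in sorted(edge_counts(events).items()):
        writer_path = processes.get(w, "")
        target_path = processes.get(t, "")
        if basename(writer_path) in SCRIPT_HOSTS and RAD_TMP_DIR_RE.search(target_path):
            findings.append({"writer_pid": w, "writer": writer_path,
                             "target_pid": t, "target": target_path, "writes": n})
    return findings


def parse_c2(endpoint: str) -> tuple[str, int]:
    """Validate an extracted 'ip:port' string before it is used as an IOC."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        raise ValueError(f"no port in {endpoint!r}")
    ipaddress.IPv4Address(host)  # raises AddressValueError on anything but dotted quad
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {port}")
    return host, port_num


if __name__ == "__main__":
    events = parse_wpm(WPM_RAW)
    print(f"{len(events)} WriteProcessMemory events, {len(edge_counts(events))} distinct pairs")
    for f in flag_script_host_injection(events, PROCESSES):
        print(f"FLAG: {f['writer']} (PID {f['writer_pid']}) -> "
              f"{f['target']} (PID {f['target_pid']}), {f['writes']} writes")
    ip, port = parse_c2(C2)
    print(f"block {ip} tcp/{port}")
```

The rule keys on the writer being a script host and the target living in a GetTempName-style folder rather than on the WriteProcessMemory count, because, as noted under Signatures, a parent writing into a child it has just created is normal; run against the report's own six events it yields exactly the two parent-to-child pairs, and swapping the writer for a non-script-host image yields nothing.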
Downloads
- \Users\Admin\AppData\Local\Temp\radF51D8.tmp\HYIZFiFx.exe
  Filesize: 7KB
  MD5: d63f891159c2acc02c59d0585ed9df3f
  SHA1: d7d752250189198e88279b8917f4e24973d55c0a
  SHA256: ff3b6d8bd5f018c067bfded4c20729487eda1897e01c78a5731252100eb9a569
  SHA512: 1b0e043bc33e634844dae94cf8e27f0b351a347e148b4fb4c3f2d0f47256e071ec77d9b697b6c1a72d4c2667852b0f8589d9610cc0147c51b4b9f8f7b4816dbb
- Memory dumps, WScript.exe (PID 1232), region 0x140000000-0x140005000, 20KB each:
  memory/1232-8-0x0000000140000000-0x0000000140005000-memory.dmp
  memory/1232-9-0x0000000140000000-0x0000000140005000-memory.dmp
  memory/1232-11-0x0000000140000000-0x0000000140005000-memory.dmp
  memory/1232-12-0x0000000140000000-0x0000000140005000-memory.dmp
  memory/1232-22-0x0000000140000000-0x0000000140005000-memory.dmp
  memory/1232-23-0x0000000140000000-0x0000000140005000-memory.dmp
  memory/1232-25-0x0000000140000000-0x0000000140005000-memory.dmp
  memory/1232-26-0x0000000140000000-0x0000000140005000-memory.dmp
- Memory dumps, HYIZFiFx.exe, region 0x140000000-0x140004240, 16KB each:
  memory/2348-10-0x0000000140000000-0x0000000140004240-memory.dmp (PID 2348)
  memory/2388-24-0x0000000140000000-0x0000000140004240-memory.dmp (PID 2388)

Only the radF51D8.tmp copy of HYIZFiFx.exe is itemised with hashes; the rad0CB7C.tmp copy is not listed separately here. 0x140000000 is the default image base the Microsoft linker assigns to 64-bit PE files, so the 20KB region captured in WScript.exe (PID 1232) is most plausibly a dropped 64-bit module mapped into the script host, matching the Loads dropped DLL signature, while the 16KB regions in PIDs 2348 and 2388 are the dropped executable's own image.