Analysis

  • max time kernel
    140s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    11-11-2020 10:53

General

  • Target

    5c10afa23f689af55e3479480f13836b05f64dc2f3edf47b7084f297c5894539.msi

  • Size

    3.1MB

  • MD5

    56f97661a171b446d89733cb499082e4

  • SHA1

    feb03f3d2a29d27b56685954fb6b4a253e3da87f

  • SHA256

    5c10afa23f689af55e3479480f13836b05f64dc2f3edf47b7084f297c5894539

  • SHA512

    21b4ceb6ab24477722ba1d214903755eb7fdc5dfe527d690072e56a4b0e308f99e861f13f0b4c7d78fb194a58d428713bce360cb23b853f7646d87c52711107b

Malware Config

Extracted

  • Family
    metasploit
  • Version
    windows/download_exec
  • C2
    http://47.91.237.42:8443/blIF

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 7 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies service 2 TTPs 149 IoCs
  • Drops file in Windows directory 10 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies data under HKEY_USERS 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5c10afa23f689af55e3479480f13836b05f64dc2f3edf47b7084f297c5894539.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2036
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Modifies service
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F3631727B624C4DDC20EDCB2A1032789
      2⤵
      • Loads dropped DLL
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      PID:1604
      • C:\Windows\SysWOW64\expand.exe
        "C:\Windows\System32\expand.exe" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:1172
      • C:\Users\Admin\AppData\Local\Temp\MW-d3d555eb-560c-4b43-b171-ce5c0f87d0ff\files\svchcst.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-d3d555eb-560c-4b43-b171-ce5c0f87d0ff\files\svchcst.exe"
        3⤵
        • Executes dropped EXE
        PID:1492
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1976
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005B0" "00000000000005A8"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1020

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Modify Existing Service (1) T1031
  • Defense Evasion
    Modify Registry (1) T1112
  • Discovery
    Query Registry (1) T1012
    Peripheral Device Discovery (1) T1120
    System Information Discovery (1) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-d3d555eb-560c-4b43-b171-ce5c0f87d0ff\files.cab
    MD5

    b653e1dc68612a271aee9b0b3930293f

    SHA1

    fbf5da87659a05e1011eeb521eb25538f59eb406

    SHA256

    122350f455ebd60647f862ae34e15d8424517b97bd94eb12b89c2593834c601f

    SHA512

    dd1f6b5982399516d44fa0ad183ff3a40c40eec4f460054fc62a829138845633673aabb9be2c6498b61a671ce2936e9466ffa24784d5f3fcb6cee6c3f8462315

  • C:\Users\Admin\AppData\Local\Temp\MW-d3d555eb-560c-4b43-b171-ce5c0f87d0ff\files\svchcst.exe
    MD5

    8c0c79a1d225b583724e6d6cb97d2640

    SHA1

    d86f98b0f4c965a2f5e41ebdeb54388890967450

    SHA256

    9b5063189c2dd0550c422662883b23b243a72d97a8d55e80236328aed1625a3c

    SHA512

    6029b4df1048897d941682bc1379d27017f5d0cc2b6724ee5a46c5b54f2f41cb8c2d10e7beca56ec214c77a51a2364dbf5341ef4279af707767659a95671ce18

  • C:\Windows\Installer\MSI21F2.tmp
    MD5

    3e9d2974fd83d2c22b647d36a2ba7861

    SHA1

    3b1d50d42235439d456444f7d3b573f93ecdbe5f

    SHA256

    339ad75878735d68ccf46bd6f2a73908e4b97be2b947b913e3472dda2c35135a

    SHA512

    e97fdb1d0053d20e7d869d664662f3a845a8b64103e1876513793adff5a190b110d7c221b81102e7e1f6c902dcf0ade18ade2299d3083917d3673aa3ba4ebb9f

  • \Users\Admin\AppData\Local\Temp\MW-d3d555eb-560c-4b43-b171-ce5c0f87d0ff\files\svchcst.exe
    MD5

    8c0c79a1d225b583724e6d6cb97d2640

    SHA1

    d86f98b0f4c965a2f5e41ebdeb54388890967450

    SHA256

    9b5063189c2dd0550c422662883b23b243a72d97a8d55e80236328aed1625a3c

    SHA512

    6029b4df1048897d941682bc1379d27017f5d0cc2b6724ee5a46c5b54f2f41cb8c2d10e7beca56ec214c77a51a2364dbf5341ef4279af707767659a95671ce18

  • \Windows\Installer\MSI21F2.tmp
    MD5

    3e9d2974fd83d2c22b647d36a2ba7861

    SHA1

    3b1d50d42235439d456444f7d3b573f93ecdbe5f

    SHA256

    339ad75878735d68ccf46bd6f2a73908e4b97be2b947b913e3472dda2c35135a

    SHA512

    e97fdb1d0053d20e7d869d664662f3a845a8b64103e1876513793adff5a190b110d7c221b81102e7e1f6c902dcf0ade18ade2299d3083917d3673aa3ba4ebb9f

  • memory/288-22-0x000007FEF6B90000-0x000007FEF6E0A000-memory.dmp
    Filesize

    2.5MB

  • memory/1172-10-0x0000000000000000-mapping.dmp
  • memory/1492-19-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize

    6.1MB

  • memory/1492-21-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize

    6.1MB

  • memory/1492-17-0x0000000000000000-mapping.dmp
  • memory/1492-20-0x0000000000400000-0x0000000000A0E000-memory.dmp
    Filesize

    6.1MB

  • memory/1584-6-0x0000000001020000-0x0000000001024000-memory.dmp
    Filesize

    16KB

  • memory/1584-5-0x00000000017D0000-0x00000000017D4000-memory.dmp
    Filesize

    16KB

  • memory/1604-7-0x0000000000000000-mapping.dmp
  • memory/2036-1-0x0000000004030000-0x0000000004034000-memory.dmp
    Filesize

    16KB

  • memory/2036-0-0x00000000032B0000-0x00000000032B4000-memory.dmp
    Filesize

    16KB

  • memory/2036-4-0x0000000004030000-0x0000000004034000-memory.dmp
    Filesize

    16KB

  • memory/2036-3-0x0000000004030000-0x0000000004034000-memory.dmp
    Filesize

    16KB