General

  • Target

    8c5d071dfff8c5ce27afc37e287a64ac273ac70d7bc556efd368616c6cc6386b

  • Size

    1.9MB

  • Sample

    201113-q9e1esscqs

  • MD5

    fc0bc692d4d678a8df9d7f7cde8b9293

  • SHA1

    ef9477be4488dbd52e165c4c1936b454647e23d2

  • SHA256

    8c5d071dfff8c5ce27afc37e287a64ac273ac70d7bc556efd368616c6cc6386b

  • SHA512

    39a1bf1d9a7b58ba22177cd72547af7af56cd1068dda6fa591106ed8f222eb593bfe8ba63570017439bbea4e7db1dd2138da9992268d500e6c6950e39c89e7e4

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    31.44.184.108
  • Port:
    21
  • Username:
    alex
  • Password:
    easypassword

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://31.44.184.48:80/tv99

Attributes

  • headers
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; InfoPath.2)

Targets

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies visibility of hidden/system files in Explorer

    • UAC bypass

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Executes dropped EXE

    • Stops running service(s)

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • JavaScript code in executable

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Modify Existing Service (T1031): 2
  • Hidden Files and Directories (T1158): 1
  • Registry Run Keys / Startup Folder (T1060): 1
  • Winlogon Helper DLL (T1004): 1

Privilege Escalation

  • Bypass User Account Control (T1088): 1

Defense Evasion

  • Modify Registry (T1112): 7
  • Disabling Security Tools (T1089): 3
  • Hidden Files and Directories (T1158): 1
  • Bypass User Account Control (T1088): 1
  • Install Root Certificate (T1130): 1

Discovery

  • System Information Discovery (T1082): 1

Command and Control

  • Web Service (T1102): 1

Impact

  • Service Stop (T1489): 1

Tasks