Analysis

  • max time kernel
    44s
  • max time network
    40s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    09-05-2021 13:02

General

  • Target

    6d0aece3_by_Libranalysis.msi

  • Size

    156KB

  • MD5

    6d0aece3c6c497e5c95f5211391eeb5a

  • SHA1

    27fe022501362ce3d8aad3d8d0ecf0b869580ba0

  • SHA256

    9dc9fec6cfd0f7e565d2bcc58cc487f720d1b25bb650cb34431372d89c515fb5

  • SHA512

    59e6e29a37d37e54ac1c75820f35fa5a4c0fccbe6a7962addd6e929bcd75e8e8465a5c6b59f28b22d14e54a76bc619440bbc5374265072b2bf9145cf100eb7f0

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

3.22.53.161:10939

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Executes dropped EXE (1 IoC)
  • Enumerates connected drives (3 TTPs, 48 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory (10 IoCs)
  • Modifies data under HKEY_USERS (44 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (61 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6d0aece3_by_Libranalysis.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:792
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A7C15E17B6B1F1DCD703C28152E17453
      2⤵
      PID:1864
    • C:\Windows\Installer\MSIECF0.tmp
      "C:\Windows\Installer\MSIECF0.tmp"
      2⤵
      • Executes dropped EXE
      PID:1596
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1172
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005B4" "00000000000005A0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:328

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • Query Registry (1): T1012
  • Peripheral Device Discovery (1): T1120
  • System Information Discovery (1): T1082


Downloads

  • C:\Windows\Installer\MSIECF0.tmp
    MD5

    8445acade2bf19b86c80f5c757c854e3

    SHA1

    b919247aef9c63c2746778f112d99da3640336f3

    SHA256

    1da82af2407ee52355bf097d086eaff78732fe5f647be6650d52e579eef96984

    SHA512

    aae2d7b513c0e12085e3f45e15d9240f07002660151ab90c5bc4292a27ee47e6f94b50a07a5c6ff2eaafc074a1cf4d4d8a07355cc52643163486e2171997580d

  • memory/792-60-0x000007FEFB561000-0x000007FEFB563000-memory.dmp
    Filesize

    8KB

  • memory/1596-63-0x0000000000000000-mapping.dmp
  • memory/1596-66-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize

    4KB

  • memory/1864-62-0x0000000000000000-mapping.dmp
  • memory/1864-65-0x0000000075041000-0x0000000075043000-memory.dmp
    Filesize

    8KB