Overview

overview

10

Static

static

10

Windows 7 VM

windows7_x64

10

Windows 10 VM

windows10_x64

10

Analysis

  • max time kernel
    1562s
  • max time network
    1792s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    09-05-2021 11:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Avast-Setup-v8.56.msi

  • Size

    156KB

  • MD5

    6d0aece3c6c497e5c95f5211391eeb5a

  • SHA1

    27fe022501362ce3d8aad3d8d0ecf0b869580ba0

  • SHA256

    9dc9fec6cfd0f7e565d2bcc58cc487f720d1b25bb650cb34431372d89c515fb5

  • SHA512

    59e6e29a37d37e54ac1c75820f35fa5a4c0fccbe6a7962addd6e929bcd75e8e8465a5c6b59f28b22d14e54a76bc619440bbc5374265072b2bf9145cf100eb7f0

Score
10/10
cobaltstrikemetasploitbackdoortrojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

3.22.53.161:10939

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Modifies data under HKEY_USERS 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Avast-Setup-v8.56.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1948
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7DB6BB34A412F1F5C103544EB69127C9
      2⤵
        PID:1032
      • C:\Windows\Installer\MSIC8AE.tmp
        "C:\Windows\Installer\MSIC8AE.tmp"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:820
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe
          3⤵
            PID:1148
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:516
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005B0" "00000000000005A4"
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:1476

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\Installer\MSIC8AE.tmp
        MD5

        8445acade2bf19b86c80f5c757c854e3

        SHA1

        b919247aef9c63c2746778f112d99da3640336f3

        SHA256

        1da82af2407ee52355bf097d086eaff78732fe5f647be6650d52e579eef96984

        SHA512

        aae2d7b513c0e12085e3f45e15d9240f07002660151ab90c5bc4292a27ee47e6f94b50a07a5c6ff2eaafc074a1cf4d4d8a07355cc52643163486e2171997580d

        Download Submit
      • memory/820-63-0x0000000000000000-mapping.dmp
        Download
      • memory/820-66-0x0000000000020000-0x0000000000021000-memory.dmp
        Filesize

        4KB

        Download
      • memory/820-67-0x00000000003C0000-0x00000000003EB000-memory.dmp
        Filesize

        172KB

        Download
      • memory/820-68-0x00000000004C0000-0x00000000004F1000-memory.dmp
        Filesize

        196KB

        Download
      • memory/820-69-0x00000000021A0000-0x00000000021FF000-memory.dmp
        Filesize

        380KB

        Download
      • memory/820-70-0x0000000000420000-0x0000000000440000-memory.dmp
        Filesize

        128KB

        Download
      • memory/1032-62-0x0000000000000000-mapping.dmp
        Download
      • memory/1032-65-0x0000000075511000-0x0000000075513000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1148-71-0x0000000000000000-mapping.dmp
        Download
      • memory/1948-60-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp
        Filesize

        8KB

        Download