Analysis

  • max time kernel: 44s
  • max time network: 49s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 12-05-2022 19:10

General

  • Target: 1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe
  • Size: 255KB
  • MD5: 05dfc0a684be42b4dcd524f238744869
  • SHA1: 16cd0520e989d386708b5c561f20b0867917d3d6
  • SHA256: 1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47
  • SHA512: 47f7fb910d4b3c8be5c922371bed2e18961d610b5a6504fe70cbb773cb5ed2e92e9a33f9b63b9fc8c306dc7fcee6880eacf355e6765eb4993967f857bd049617

Malware Config

Extracted

  • Family: metasploit
  • Version: windows/single_exec

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe
    "C:\Users\Admin\AppData\Local\Temp\1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Users\Admin\AppData\Roaming\{8b9269b6-a890-46d8-92fe-38e3bdce9719}\notepad.exe
      "C:\Users\Admin\AppData\Roaming\{8b9269b6-a890-46d8-92fe-38e3bdce9719}\notepad.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of AdjustPrivilegeToken
      PID:1632

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Bootkit (1) T1067

Downloads

  • C:\Users\Admin\AppData\Roaming\{8b9269b6-a890-46d8-92fe-38e3bdce9719}\notepad.exe
    Filesize: 255KB
    MD5: d45c73ccb17930f86c8fad9697c94be0
    SHA1: f0dbf2f7e1067a36e2e4c4ea37099f41367126a0
    SHA256: acac68f386f03193e255da66230fed165e44878b9fccc34f2a3ffe3f70be0378
    SHA512: 1753c693bafe4b3264804a2f8ab0d7fa88f46f7502234a33ed6de080bbed9fde36334d281e790e954b2bb260fbccccb1be15609d53733c7a8e5ea606fe6b8681

  • \Users\Admin\AppData\Roaming\{8b9269b6-a890-46d8-92fe-38e3bdce9719}\notepad.exe
    Filesize: 255KB
    MD5: d45c73ccb17930f86c8fad9697c94be0
    SHA1: f0dbf2f7e1067a36e2e4c4ea37099f41367126a0
    SHA256: acac68f386f03193e255da66230fed165e44878b9fccc34f2a3ffe3f70be0378
    SHA512: 1753c693bafe4b3264804a2f8ab0d7fa88f46f7502234a33ed6de080bbed9fde36334d281e790e954b2bb260fbccccb1be15609d53733c7a8e5ea606fe6b8681

  • memory/900-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
    Filesize: 8KB
  • memory/900-58-0x0000000000230000-0x0000000000246000-memory.dmp
    Filesize: 88KB
  • memory/900-60-0x0000000000250000-0x000000000026A000-memory.dmp
    Filesize: 104KB
  • memory/1632-56-0x0000000000000000-mapping.dmp
  • memory/1632-61-0x0000000000260000-0x000000000027A000-memory.dmp
    Filesize: 104KB