Analysis

  • max time kernel
    113s
  • max time network
    87s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    15-05-2022 21:33

General

  • Target

    036758a7559851fa28c9d93224ffde645a46b735c7c582e055c5f3316f43fea6.dotm

  • Size

    34KB

  • MD5

    4d12df4ec5f2f0ce59d5d9ffd12feda7

  • SHA1

    c6da737b88b43b4f3d67ddbb5db2cfb9fb79c49e

  • SHA256

    036758a7559851fa28c9d93224ffde645a46b735c7c582e055c5f3316f43fea6

  • SHA512

    29f6c6e0963f76c831b31d22bbe761a066b3ebf927dc34d97edf153782c2e29c4e49242bb394499b10073c5dfa275977afc4f576b2b046b602244ba042e5abe8

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://shop.redlist.cyou:443/QXpC

http://fangfuzi.flashdiaoyu.pw:2053/x3fK

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\036758a7559851fa28c9d93224ffde645a46b735c7c582e055c5f3316f43fea6.dotm"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Process spawned unexpected child process
      PID:2044
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Process spawned unexpected child process
      PID:1712
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:1808

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/760-54-0x0000000073071000-0x0000000073074000-memory.dmp (Filesize 12KB)
  • memory/760-55-0x0000000070AF1000-0x0000000070AF3000-memory.dmp (Filesize 8KB)
  • memory/760-56-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
  • memory/760-57-0x0000000076851000-0x0000000076853000-memory.dmp (Filesize 8KB)
  • memory/760-58-0x0000000071ADD000-0x0000000071AE8000-memory.dmp (Filesize 44KB)
  • memory/760-64-0x000000006B840000-0x000000006BDEB000-memory.dmp (Filesize 5.7MB)
  • memory/760-66-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
  • memory/1712-60-0x0000000000000000-mapping.dmp
  • memory/1808-63-0x0000000000000000-mapping.dmp
  • memory/1808-65-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmp (Filesize 8KB)
  • memory/2044-59-0x0000000000000000-mapping.dmp