Overview

overview

10

Static

static

7

33ee7ae472...a9.exe

windows7_x64

10

33ee7ae472...a9.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    19-06-2022 23:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe

  • Size

    8.5MB

  • MD5

    ee535a8ea4f5a528203b7fed911f0cdd

  • SHA1

    5cf4a8b0b3acab1f68df9792677a4dbd4da8dca2

  • SHA256

    33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9

  • SHA512

    e47f3a0622977eec135c3750838aa38c1ea40d7df372cebd56b19f1297fb7dd3d0beb6ddbe6cfdd54bd8d2b02ecd40081608e93f124dc6456c48679306f0a8ce

Score
10/10
metasploitbackdoorevasionthemidatrojanupx

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_winhttp

C2

https://213.186.35.153:8080/Q1NSuetz0_jexd_EgquNYw_WOENe-eLtpUPsAQJFSgu

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe
    "C:\Users\Admin\AppData\Local\Temp\33ee7ae472e679c8f3b53370f9eba8fa58c923ec1831525f56524fc9963353a9.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN REV_6266 /TR "'wscript.exe' C:\Users\Admin\AppData\Roaming\{835Q-TPDQ-WI4G-5WBF-YIQX-L57Y}\\Silent.vbs C:\Users\Admin\AppData\Roaming\{835Q-TPDQ-WI4G-5WBF-YIQX-L57Y}\\REV_2807.cmd" /sc ONLOGON /RL HIGHEST /F
      2⤵
      • Creates scheduled task(s)
      PID:1056
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      2⤵
        PID:2988
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:3032

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Discovery

    Query Registry

    4
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\patch\krn.dll
      Filesize

      625KB

      MD5

      eccf28d7e5ccec24119b88edd160f8f4

      SHA1

      98509587a3d37a20b56b50fd57f823a1691a034c

      SHA256

      820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

      SHA512

      c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

      Download Submit
    • C:\patch\ntd2.dll
      Filesize

      1.6MB

      MD5

      4f3387277ccbd6d1f21ac5c07fe4ca68

      SHA1

      e16506f662dc92023bf82def1d621497c8ab5890

      SHA256

      767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

      SHA512

      9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

      Download Submit
    • memory/1056-146-0x0000000000000000-mapping.dmp
      Download
    • memory/2736-138-0x0000000000400000-0x0000000001836000-memory.dmp
      Filesize

      20.2MB

      Download
    • memory/2736-145-0x0000000066000000-0x000000006618C000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2736-137-0x0000000000400000-0x0000000001836000-memory.dmp
      Filesize

      20.2MB

      Download
    • memory/2736-139-0x0000000066000000-0x000000006618C000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2736-140-0x0000000000400000-0x0000000001836000-memory.dmp
      Filesize

      20.2MB

      Download
    • memory/2736-141-0x0000000000400000-0x0000000001836000-memory.dmp
      Filesize

      20.2MB

      Download
    • memory/2736-144-0x0000000077DF0000-0x0000000077F93000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2736-155-0x0000000077DF0000-0x0000000077F93000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2736-136-0x0000000066000000-0x000000006618C000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2736-133-0x0000000066000000-0x000000006618C000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2736-131-0x0000000077DF0000-0x0000000077F93000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2736-130-0x0000000000400000-0x0000000001836000-memory.dmp
      Filesize

      20.2MB

      Download
    • memory/2736-156-0x0000000066000000-0x000000006618C000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2736-154-0x0000000000400000-0x0000000001836000-memory.dmp
      Filesize

      20.2MB

      Download
    • memory/3032-149-0x0000000000000000-mapping.dmp
      Download
    • memory/3032-153-0x0000000001000000-0x0000000002000000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/3032-152-0x0000000001000000-0x0000000002000000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/3032-150-0x0000000001000000-0x0000000002000000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/3032-157-0x0000000077DF0000-0x0000000077F93000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3032-158-0x0000000001000000-0x0000000002000000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/3032-159-0x0000000001000000-0x0000000002000000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/3032-160-0x0000000001000000-0x0000000002000000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/3032-161-0x0000000001001000-0x0000000001005000-memory.dmp
      Filesize

      16KB

      Download
    • memory/3032-162-0x0000000001000000-0x0000000002000000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/3032-163-0x0000000077DF0000-0x0000000077F93000-memory.dmp
      Filesize

      1.6MB

      Download