Overview

overview

10

Static

static

395c92e5ce...a3.exe

windows7_x64

10

395c92e5ce...a3.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 11:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe

  • Size

    144KB

  • MD5

    71b87a615077fbe383a4632b0eb8f14d

  • SHA1

    8da9f51e455a93c154a44ea63b29ccde657ec5a7

  • SHA256

    395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3

  • SHA512

    c8d218822bbf76014e7fcb233622f2665ff2606613f93e09ad64194ea662cea2f63c24951be784a31789bcd38ed76f7e4dbf9f8ecd1c86ca6f41150418c4b50a

Score
10/10
metasploitbackdoortrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe
    "C:\Users\Admin\AppData\Local\Temp\395c92e5ce1c277a8fc8506e3dca15664db664eb68682990d1c0d47d38d15ea3.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\395C92~1.EXE >> NUL
      2⤵
        PID:4448

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3484-130-0x0000000000400000-0x0000000000434000-memory.dmp
      Filesize

      208KB

      Download
    • memory/3484-131-0x0000000000600000-0x0000000000630000-memory.dmp
      Filesize

      192KB

      Download
    • memory/3484-133-0x0000000000400000-0x0000000000434000-memory.dmp
      Filesize

      208KB

      Download
    • memory/3484-134-0x0000000000600000-0x0000000000630000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4448-132-0x0000000000000000-mapping.dmp
      Download