Overview

overview

10

Static

static

431ad473a3...dc.exe

windows7_x64

10

431ad473a3...dc.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    07-07-2022 23:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe

  • Size

    37KB

  • MD5

    fec69b033c89a800966467bb52a7d6ab

  • SHA1

    8823b35777fd7470fd7e789c4005151e9622610a

  • SHA256

    431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc

  • SHA512

    707bb6a06f5e469db3893c164a9077eb1c0748ef7186c6bbdf35e5a664a465a7d5b87eea698fdc94fd3d4483e8d2cb96b1a637dfdbd3e5b0e923fb999e07319b

Score
10/10
metasploitbackdoorpersistencesuricatatrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • suricata: ET MALWARE DNS Reply Sinkhole - Microsoft - 199.2.137.0/24

    suricata: ET MALWARE DNS Reply Sinkhole - Microsoft - 199.2.137.0/24

    suricata
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe
    "C:\Users\Admin\AppData\Local\Temp\431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc.exe"
    1⤵
    • Adds policy Run key to start application
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\csdrive32.exe
      "C:\Windows\csdrive32.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\csdrive32.exe
    Filesize

    37KB

    MD5

    fec69b033c89a800966467bb52a7d6ab

    SHA1

    8823b35777fd7470fd7e789c4005151e9622610a

    SHA256

    431ad473a3cbb1711c8d7ff70fae74dcbe5df84991bbe8b112096a967e5ba8dc

    SHA512

    707bb6a06f5e469db3893c164a9077eb1c0748ef7186c6bbdf35e5a664a465a7d5b87eea698fdc94fd3d4483e8d2cb96b1a637dfdbd3e5b0e923fb999e07319b

    Download Submit
  • memory/1716-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1716-61-0x00000000002B0000-0x00000000002B8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1716-62-0x0000000000400000-0x000000000045D000-memory.dmp
    Filesize

    372KB

    Download
  • memory/1716-63-0x0000000000400000-0x000000000045D000-memory.dmp
    Filesize

    372KB

    Download
  • memory/1732-54-0x00000000754A1000-0x00000000754A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1732-55-0x00000000002B0000-0x00000000002B8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1732-56-0x0000000000400000-0x000000000045D000-memory.dmp
    Filesize

    372KB

    Download
  • memory/1732-60-0x0000000000400000-0x000000000045D000-memory.dmp
    Filesize

    372KB

    Download