Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-07-2022 19:46

General

  • Target

    17b3d6656dd5a00b260a918ea01843d9eacd99edafb7e7709082aa526d69c796.msi

  • Size

    124KB

  • MD5

    156064a8746202f13f6b1c2a7404272a

  • SHA1

    48e7636fc4ea0e3170a5de5d979961adfec8f612

  • SHA256

    17b3d6656dd5a00b260a918ea01843d9eacd99edafb7e7709082aa526d69c796

  • SHA512

    0947e62030e5ab32dcc1c87d47f3d4244722139f7d7948f9410bcf0ed545906fa1ec31563a4bb5fdc5329ce0962a97fc336631ef9d5bf397a75352033a6bf21f

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

158.69.130.136:8443

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 8 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\17b3d6656dd5a00b260a918ea01843d9eacd99edafb7e7709082aa526d69c796.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1348
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:812
    • C:\Windows\Installer\MSI3837.tmp
      "C:\Windows\Installer\MSI3837.tmp"
      2⤵
      • Executes dropped EXE
      PID:2788
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1368

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\Installer\MSI3837.tmp

    Filesize

    72KB

    MD5

    a6e93685659affa5251f19577ea8e897

    SHA1

    81b64460e7a183551d9801acefc8fabcf0776c69

    SHA256

    603f7930fd22e447d1b35a826632a504adb897a8a2f0e0ccd4dce40a80d4a27c

    SHA512

    1191f6bcc1f2b20c04cc89f0c961e8b4114a8679c3a4cfc6d0c7a1ffc3d984e532833bf655486633863f30f72cd9c3b08ed9f1199a595147d87cfe6b12a6e5c6

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize

    23.0MB

    MD5

    73c0d6d0aa06188cd502d3b6c59389ad

    SHA1

    8f5787c84c728c3d6c8d8d0261467a51c06c5682

    SHA256

    871abb555581546dac56ee106b29a706bf97f6af8a7a43df747812fd8635fb0c

    SHA512

    0180ee39a303d956f3e543ff8613fff7ad6256d8b28fe077c804ee83c4214a47c6e63179cc0672f96d33a954bf49d9da0454b8e288d62a9f1bb770cef4ccf522

  • \??\Volume{40beaa24-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{dcc40c2b-9b99-4acf-8a45-37be81a8e5d6}_OnDiskSnapshotProp

    Filesize

    5KB

    MD5

    ff1ea99b5fb4233b4520c1e6df8e35ec

    SHA1

    6de0da695c6f99620087bed15f8638667c39f975

    SHA256

    2adddcb796f1559773633daa8f5834993df2042af940a61c21c6266cffd742d3

    SHA512

    d1823de07b0a7286a98364ca296da16495bf840be7434bdf592ad1863aa4873a79742c54ac1df99a1ffb886db6669e83678f13d23a1ad9b11d814c56057011eb

  • memory/812-130-0x0000000000000000-mapping.dmp

  • memory/2788-131-0x0000000000000000-mapping.dmp