Analysis

  • max time kernel
    176s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-09-2022 13:40

General

  • Target

    d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe

  • Size

    224KB

  • MD5

    0d49ab9ea970a3146b43d7a8b738387d

  • SHA1

    bf833829fa6a07af50f00fa3d66a457cf5d778ad

  • SHA256

    d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

  • SHA512

    a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

  • SSDEEP

    6144:fv8aWfVbAxePJkl6zUzMtWWuguGLDGlhHmAKMa/DLy/:MaQAxePJBz3W76IKMabU

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Executes dropped EXE (2 IoCs)
  • UPX packed file (8 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings (2 TTPs, 4 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Maps connected drives based on registry (3 TTPs, 4 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory (3 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (22 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
    "C:\Users\Admin\AppData\Local\Temp\d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe"
    1⤵
    • Checks computer location settings
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Admin\AppData\Local\Temp\d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
      C:\Users\Admin\AppData\Local\Temp\d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
      2⤵
      • Checks computer location settings
      • Maps connected drives based on registry
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:512
      • C:\Windows\SysWOW64\regsrv42.exe
        "C:\Windows\system32\regsrv42.exe" C:\Users\Admin\AppData\Local\Temp\D3A4AA~1.EXE
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1352
        • C:\Windows\SysWOW64\regsrv42.exe
          C:\Windows\SysWOW64\regsrv42.exe
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4816
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\regsrv42.exe > nul
            5⤵
            PID:1732

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Temp\drwebupdate.exe

      Filesize

      1KB

      MD5

      5343c1a8b203c162a3bf3870d9f50fd4

      SHA1

      04b5b886c20d88b57eea6d8ff882624a4ac1e51d

      SHA256

      dc1d54dab6ec8c00f70137927504e4f222c8395f10760b6beecfcfa94e08249f

      SHA512

      e0f50acb6061744e825a4051765cebf23e8c489b55b190739409d8a79bb08dac8f919247a4e5f65a015ea9c57d326bbef7ea045163915129e01f316c4958d949

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629973501-4017243118-3254762364-1000\699c4b9cdebca7aaea5193cae8a50098_e32e1c79-b88e-4709-94fb-81034ca3398e

      Filesize

      50B

      MD5

      5b63d4dd8c04c88c0e30e494ec6a609a

      SHA1

      884d5a8bdc25fe794dc22ef9518009dcf0069d09

      SHA256

      4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

      SHA512

      15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

    • C:\Windows\SysWOW64\regsrv42.exe

      Filesize

      224KB

      MD5

      0d49ab9ea970a3146b43d7a8b738387d

      SHA1

      bf833829fa6a07af50f00fa3d66a457cf5d778ad

      SHA256

      d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

      SHA512

      a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

    • memory/512-139-0x0000000000400000-0x0000000000467000-memory.dmp

      Filesize

      412KB

    • memory/512-134-0x0000000000000000-mapping.dmp

    • memory/512-138-0x0000000000400000-0x0000000000467000-memory.dmp

      Filesize

      412KB

    • memory/512-137-0x0000000000400000-0x0000000000467000-memory.dmp

      Filesize

      412KB

    • memory/512-153-0x0000000000400000-0x0000000000467000-memory.dmp

      Filesize

      412KB

    • memory/512-135-0x0000000000400000-0x0000000000467000-memory.dmp

      Filesize

      412KB

    • memory/1352-140-0x0000000000000000-mapping.dmp

    • memory/1732-155-0x0000000000000000-mapping.dmp

    • memory/4816-146-0x0000000000000000-mapping.dmp

    • memory/4816-152-0x0000000000400000-0x0000000000467000-memory.dmp

      Filesize

      412KB

    • memory/4816-154-0x0000000000400000-0x0000000000467000-memory.dmp

      Filesize

      412KB

    • memory/4816-156-0x0000000000400000-0x0000000000467000-memory.dmp

      Filesize

      412KB