metasploit | efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8

Analysis

max time kernel
40s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe
Size

556KB
MD5

31f540d71dc2736cbb800cff43614e5b
SHA1

9030a350e82b54227bcacf87fe288a9e8494644a
SHA256

efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8
SHA512

66f07dce6fbf0645f6d191173d75213f321ba4a74fd148742a03965646391b21233a867be21a34b9015876d0ff1b4177900936e05b5e1da27fedf6a387ff0471
SSDEEP

12288:ecfgt23uT0QxsTPWXgFcG5jl7fwe91ngYdDsJyeqTWmhdnh:eugk3uw0sTPWQtjl7fwK1nBmyT

Score

10^/10

metasploit backdoor evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine	efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wbem\wmisvapp.exe	efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe
File created	C:\Windows\SysWOW64\wbem\wmisvapp.exe	efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
580	efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
580	efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe

C:\Users\Admin\AppData\Local\Temp\efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe
"C:\Users\Admin\AppData\Local\Temp\efae6470c5edb1cae4a29b9a2585282891a81f2fcfff1f4341b1d2d31d33bea8.exe"
1⤵
- Identifies Wine through registry keys
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-54-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/580-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/580-56-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download