Overview

overview

10

Static

static

8

81502a2ee9...a0.exe

windows7-x64

10

81502a2ee9...a0.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    139s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    29/11/2022, 15:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    81502a2ee972e833e65392ee66110eccee50301c9aab45a25965968ad529b1a0.exe

  • Size

    2.2MB

  • MD5

    2ecc4a411fea698ec1125c06003f7deb

  • SHA1

    b9d1031749f9e3587283a331bd1ed3237007173c

  • SHA256

    81502a2ee972e833e65392ee66110eccee50301c9aab45a25965968ad529b1a0

  • SHA512

    b9a284074251884ab3ebf9c4e62abae2e6b4fca6b8f71edf824c82edb23d1115423bb8479727d582852078db829cb15efcb2575247281d3747e002dfc64ef384

  • SSDEEP

    49152:L54dPdIAAgDebOqPV79fKoDyQRGH3bDcNGNd39Ie6Lw:F4hdF91qPV7JvRGH3UE19h

Score
10/10
metasploitbackdoorevasiontrojanupx

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Executes dropped EXE 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    evasion
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 9 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81502a2ee972e833e65392ee66110eccee50301c9aab45a25965968ad529b1a0.exe
    "C:\Users\Admin\AppData\Local\Temp\81502a2ee972e833e65392ee66110eccee50301c9aab45a25965968ad529b1a0.exe"
    1⤵
    • Looks for VMWare Tools registry key
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\b.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Windows\SysWOW64\ftp.exe
        ftp -As:i
        3⤵
          PID:568
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\a.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Windows\SysWOW64\net.exe
          net stop "Security Center"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:900
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Security Center"
            4⤵
              PID:1380
          • C:\Windows\SysWOW64\net.exe
            net stop winvnc4
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1240
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop winvnc4
              4⤵
                PID:848
        • C:\Windows\bot.exe
          "C:\Windows\bot.exe"
          1⤵
          • Executes dropped EXE
          • Looks for VMWare Tools registry key
          • Deletes itself
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:960
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\b.bat" "
            2⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1884
            • C:\Windows\SysWOW64\ftp.exe
              ftp -As:i
              3⤵
                PID:1604
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\a.bat" "
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1016
              • C:\Windows\SysWOW64\net.exe
                net stop "Security Center"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:660
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Security Center"
                  4⤵
                    PID:472
                • C:\Windows\SysWOW64\net.exe
                  net stop winvnc4
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1768
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop winvnc4
                    4⤵
                      PID:1212

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\i
                Filesize

                54B

                MD5

                e565749d661936b2dee64731bb34f3a5

                SHA1

                b9b4b4ff5616344d0d8482765ef64ffa583da679

                SHA256

                5fce898aacd4421bd29a8e4ac7cee1390b93e3d77198f220afc2dddc9062806d

                SHA512

                fde7b9f7a7dd90520943ae7af1fcdaa49c8b1478bb4ec5ef5915777a83e0361ffc0a647cb1b3dd74c255fdffcbca8488de9209e79d9020147336df4534e29823

                Download Submit

              • C:\Windows\SysWOW64\i
                Filesize

                54B

                MD5

                e565749d661936b2dee64731bb34f3a5

                SHA1

                b9b4b4ff5616344d0d8482765ef64ffa583da679

                SHA256

                5fce898aacd4421bd29a8e4ac7cee1390b93e3d77198f220afc2dddc9062806d

                SHA512

                fde7b9f7a7dd90520943ae7af1fcdaa49c8b1478bb4ec5ef5915777a83e0361ffc0a647cb1b3dd74c255fdffcbca8488de9209e79d9020147336df4534e29823

                Download Submit

              • C:\Windows\bot.exe
                Filesize

                2.2MB

                MD5

                2ecc4a411fea698ec1125c06003f7deb

                SHA1

                b9d1031749f9e3587283a331bd1ed3237007173c

                SHA256

                81502a2ee972e833e65392ee66110eccee50301c9aab45a25965968ad529b1a0

                SHA512

                b9a284074251884ab3ebf9c4e62abae2e6b4fca6b8f71edf824c82edb23d1115423bb8479727d582852078db829cb15efcb2575247281d3747e002dfc64ef384

                Download Submit

              • C:\a.bat
                Filesize

                71B

                MD5

                4db2c561024318efaf926a8e0a6ebc36

                SHA1

                8e3060152b239e7c7bc488e79030b9e3c13de066

                SHA256

                f9ea85780a059d9338c359925ec487588102ef55be4062ec4ac19efc8af59f0f

                SHA512

                df700bc9348e147ceb1db687974c567fdff052d73eb4709b718f3b3dfaf44116a5a70c0ae62438416888c0783a575e524f501da1308bbc987443ec3c852bef99

                Download Submit

              • C:\a.bat
                Filesize

                71B

                MD5

                4db2c561024318efaf926a8e0a6ebc36

                SHA1

                8e3060152b239e7c7bc488e79030b9e3c13de066

                SHA256

                f9ea85780a059d9338c359925ec487588102ef55be4062ec4ac19efc8af59f0f

                SHA512

                df700bc9348e147ceb1db687974c567fdff052d73eb4709b718f3b3dfaf44116a5a70c0ae62438416888c0783a575e524f501da1308bbc987443ec3c852bef99

                Download Submit

              • C:\b.bat
                Filesize

                119B

                MD5

                ba471466c8774e3f96da5d58fb0efdb6

                SHA1

                6c18ed4314156174186eed0471a03e69e43356f0

                SHA256

                70c08f681ca24f5dfc6655212806c460c25e4ab2c3b5e480a656253706298c3a

                SHA512

                9ad2072e87cdcd3b8a5542be6fbc64baae4e82b5323fa525a2e575b7e4123584818992131d635dac5088152cc066277f054031a4d83a1a22b2968fdffca5504c

                Download Submit

              • C:\b.bat
                Filesize

                119B

                MD5

                ba471466c8774e3f96da5d58fb0efdb6

                SHA1

                6c18ed4314156174186eed0471a03e69e43356f0

                SHA256

                70c08f681ca24f5dfc6655212806c460c25e4ab2c3b5e480a656253706298c3a

                SHA512

                9ad2072e87cdcd3b8a5542be6fbc64baae4e82b5323fa525a2e575b7e4123584818992131d635dac5088152cc066277f054031a4d83a1a22b2968fdffca5504c

                Download Submit

              • memory/960-80-0x0000000000400000-0x00000000007C7000-memory.dmp

                Filesize

                3.8MB

                Download

              • memory/960-69-0x0000000000400000-0x00000000007C7000-memory.dmp

                Filesize

                3.8MB

                Download

              • memory/960-70-0x0000000000400000-0x00000000007C7000-memory.dmp

                Filesize

                3.8MB

                Download

              • memory/960-87-0x0000000000400000-0x00000000007C7000-memory.dmp

                Filesize

                3.8MB

                Download

              • memory/960-86-0x0000000000400000-0x00000000007C7000-memory.dmp

                Filesize

                3.8MB

                Download

              • memory/2028-55-0x0000000000400000-0x00000000007C7000-memory.dmp

                Filesize

                3.8MB

                Download

              • memory/2028-56-0x0000000075A71000-0x0000000075A73000-memory.dmp

                Filesize

                8KB

                Download

              • memory/2028-84-0x0000000000400000-0x00000000007C7000-memory.dmp

                Filesize

                3.8MB

                Download

              • memory/2028-54-0x0000000000400000-0x00000000007C7000-memory.dmp

                Filesize

                3.8MB

                Download

              • memory/2028-63-0x0000000000400000-0x00000000007C7000-memory.dmp

                Filesize

                3.8MB

                Download