Overview

overview

10

Static

static

c24444be96...67.exe

windows7-x64

10

c24444be96...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    163s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2022 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe

  • Size

    246KB

  • MD5

    c7b5643e78e9a19c4a1750b751c9cd64

  • SHA1

    cdeb396a11abecd9ea9f6432cff9b1a819009a75

  • SHA256

    c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67

  • SHA512

    81781ee2333a2ce0d7080ef23753ff1acff803b279242e209aefd7407d284c11138a5c295ce62fc570945948a8be8baaf8972d15cdea5ef8c877b5eebb24b114

  • SSDEEP

    3072:jhztMMCQizmb8f0xMABzez3XGbCsW9amzkJpr2cElHC7D5myTeRhvL4QK730381G:t0DmQGZBqHGuKC

Score
10/10
metasploitbackdoorevasionpersistencetrojanupx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe
    "C:\Users\Admin\AppData\Local\Temp\c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Users\Admin\AppData\Local\Temp\c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe
      "C:\Users\Admin\AppData\Local\Temp\c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67.exe"
      2⤵
      • Loads dropped DLL
      • Maps connected drives based on registry
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Windows\SysWOW64\wmpsa64.exe
        "C:\Windows\SysWOW64\wmpsa64.exe" C:\Users\Admin\AppData\Local\Temp\C24444~1.EXE
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:584
        • C:\Windows\SysWOW64\wmpsa64.exe
          "C:\Windows\SysWOW64\wmpsa64.exe" C:\Users\Admin\AppData\Local\Temp\C24444~1.EXE
          4⤵
          • Modifies firewall policy service
          • Executes dropped EXE
          • Deletes itself
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1912
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1268

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\wmpsa64.exe
      Filesize

      246KB

      MD5

      c7b5643e78e9a19c4a1750b751c9cd64

      SHA1

      cdeb396a11abecd9ea9f6432cff9b1a819009a75

      SHA256

      c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67

      SHA512

      81781ee2333a2ce0d7080ef23753ff1acff803b279242e209aefd7407d284c11138a5c295ce62fc570945948a8be8baaf8972d15cdea5ef8c877b5eebb24b114

      Download Submit
    • C:\Windows\SysWOW64\wmpsa64.exe
      Filesize

      246KB

      MD5

      c7b5643e78e9a19c4a1750b751c9cd64

      SHA1

      cdeb396a11abecd9ea9f6432cff9b1a819009a75

      SHA256

      c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67

      SHA512

      81781ee2333a2ce0d7080ef23753ff1acff803b279242e209aefd7407d284c11138a5c295ce62fc570945948a8be8baaf8972d15cdea5ef8c877b5eebb24b114

      Download Submit
    • C:\Windows\SysWOW64\wmpsa64.exe
      Filesize

      246KB

      MD5

      c7b5643e78e9a19c4a1750b751c9cd64

      SHA1

      cdeb396a11abecd9ea9f6432cff9b1a819009a75

      SHA256

      c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67

      SHA512

      81781ee2333a2ce0d7080ef23753ff1acff803b279242e209aefd7407d284c11138a5c295ce62fc570945948a8be8baaf8972d15cdea5ef8c877b5eebb24b114

      Download Submit
    • \Windows\SysWOW64\wmpsa64.exe
      Filesize

      246KB

      MD5

      c7b5643e78e9a19c4a1750b751c9cd64

      SHA1

      cdeb396a11abecd9ea9f6432cff9b1a819009a75

      SHA256

      c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67

      SHA512

      81781ee2333a2ce0d7080ef23753ff1acff803b279242e209aefd7407d284c11138a5c295ce62fc570945948a8be8baaf8972d15cdea5ef8c877b5eebb24b114

      Download Submit
    • \Windows\SysWOW64\wmpsa64.exe
      Filesize

      246KB

      MD5

      c7b5643e78e9a19c4a1750b751c9cd64

      SHA1

      cdeb396a11abecd9ea9f6432cff9b1a819009a75

      SHA256

      c24444be96e10c7e906667197c13aabf34e1d5b86f74a56c95f4ac20f71a3c67

      SHA512

      81781ee2333a2ce0d7080ef23753ff1acff803b279242e209aefd7407d284c11138a5c295ce62fc570945948a8be8baaf8972d15cdea5ef8c877b5eebb24b114

      Download Submit
    • memory/584-71-0x0000000000000000-mapping.dmp
      Download
    • memory/864-63-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB

      Download
    • memory/864-58-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB

      Download
    • memory/864-65-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB

      Download
    • memory/864-66-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB

      Download
    • memory/864-67-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB

      Download
    • memory/864-68-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB

      Download
    • memory/864-54-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB

      Download
    • memory/864-60-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB

      Download
    • memory/864-61-0x000000000044F7C0-mapping.dmp
      Download
    • memory/864-64-0x00000000767F1000-0x00000000767F3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/864-73-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB

      Download
    • memory/864-57-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB

      Download
    • memory/864-55-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB

      Download
    • memory/1268-90-0x0000000002A80000-0x0000000002A9E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1912-82-0x000000000044F7C0-mapping.dmp
      Download
    • memory/1912-86-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB

      Download
    • memory/1912-87-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB

      Download
    • memory/1912-88-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB

      Download
    • memory/1912-89-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB

      Download