Analysis

  • max time kernel
    331s
  • max time network
    376s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2022 18:37

General

  • Target

    b18d3fb4e7419b74a13d34262d432e6f37b19c816c017d1484138edd1c8a1923.exe

  • Size

    66KB

  • MD5

    723f9c7ccfb3de84ff4fd44f6be15637

  • SHA1

    bd89e34502e0a002bd9a0273636789e9a0d07502

  • SHA256

    b18d3fb4e7419b74a13d34262d432e6f37b19c816c017d1484138edd1c8a1923

  • SHA512

    dce994555bbb19f3d38e21e9a2c0b966cf0106281ed67b2f294f5f898bc2a37b121c189010f60d42b8e42b1c8198dafb3119168eb2a7daeeb3f6dd5eff944d1e

  • SSDEEP

    1536:5jtkNsAAQrNNVjABaqoiSUwiI4/WNPdDbzReJ2/:5j2SQr6BIbUwpvY2

Malware Config

Extracted

  • Family
    metasploit
  • Version
    encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  • UPX packed file (7 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application (2 TTPs, 10 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (30 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (25 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b18d3fb4e7419b74a13d34262d432e6f37b19c816c017d1484138edd1c8a1923.exe
    "C:\Users\Admin\AppData\Local\Temp\b18d3fb4e7419b74a13d34262d432e6f37b19c816c017d1484138edd1c8a1923.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Users\Admin\AppData\Local\Temp\b18d3fb4e7419b74a13d34262d432e6f37b19c816c017d1484138edd1c8a1923.exe
      "C:\Users\Admin\AppData\Local\Temp\b18d3fb4e7419b74a13d34262d432e6f37b19c816c017d1484138edd1c8a1923.exe"
      2⤵
      • Adds policy Run key to start application
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Windows\SysWOW64\fvrgmt.exe
        "C:\Windows\system32\fvrgmt.exe"
        3⤵
        • Executes dropped EXE
        • Modifies Installed Components in the registry
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3956
        • C:\Windows\SysWOW64\fvrgmt.exe
          "C:\Windows\SysWOW64\fvrgmt.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1956
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M7CUEXgwIIKYW.bat" "
          4⤵
            PID:1360
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M7CUEXgwIIKYW.bat" "
        2⤵
          PID:2028

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\LGDjl.exe

        Filesize

        66KB

        MD5

        723f9c7ccfb3de84ff4fd44f6be15637

        SHA1

        bd89e34502e0a002bd9a0273636789e9a0d07502

        SHA256

        b18d3fb4e7419b74a13d34262d432e6f37b19c816c017d1484138edd1c8a1923

        SHA512

        dce994555bbb19f3d38e21e9a2c0b966cf0106281ed67b2f294f5f898bc2a37b121c189010f60d42b8e42b1c8198dafb3119168eb2a7daeeb3f6dd5eff944d1e

      • C:\Users\Admin\AppData\Local\Temp\M7CUEXgwIIKYW.bat

        Filesize

        216B

        MD5

        ddbfe06b21646828b249e956e044ddb0

        SHA1

        f74c02d51ccec3df762343c82ff7f5f5958fe219

        SHA256

        af11c648aa4dcd9c759c746ccb5c766badc9bab10e8f13dbb70af45c84a18cb4

        SHA512

        a16377d082c26e475fd21e11d0056e128d8d12c99445a4f108af20880e0da5fc90f6fcf3416c5366e012df8e69b45eea868123eacad979bb3b222e9f44863a0a

      • C:\Windows\SysWOW64\fvrgmt.exe

        Filesize

        66KB

        MD5

        723f9c7ccfb3de84ff4fd44f6be15637

        SHA1

        bd89e34502e0a002bd9a0273636789e9a0d07502

        SHA256

        b18d3fb4e7419b74a13d34262d432e6f37b19c816c017d1484138edd1c8a1923

        SHA512

        dce994555bbb19f3d38e21e9a2c0b966cf0106281ed67b2f294f5f898bc2a37b121c189010f60d42b8e42b1c8198dafb3119168eb2a7daeeb3f6dd5eff944d1e

      • memory/404-132-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

      • memory/1360-156-0x0000000000000000-mapping.dmp

      • memory/1956-147-0x0000000000000000-mapping.dmp

      • memory/1956-153-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

      • memory/2028-145-0x0000000000000000-mapping.dmp

      • memory/2564-139-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

      • memory/2564-154-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

      • memory/2564-138-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

      • memory/2564-136-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

      • memory/2564-135-0x0000000000000000-mapping.dmp

      • memory/3956-146-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

      • memory/3956-140-0x0000000000000000-mapping.dmp

      • memory/3956-155-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB