Overview

overview

10

Static

static

7

1/10月26�...��.exe

windows7-x64

7

1/10月26�...��.exe

windows10-2004-x64

7

1/2023年1...��.exe

windows7-x64

1

1/2023年1...��.exe

windows10-2004-x64

1

1/AggregatorHost.exe

windows7-x64

7

1/AggregatorHost.exe

windows10-2004-x64

7

1/PO202302...60.exe

windows7-x64

1

1/PO202302...60.exe

windows10-2004-x64

1

1/TIanagents.exe

windows7-x64

1

1/TIanagents.exe

windows10-2004-x64

1

1/c.exe

windows7-x64

10

1/c.exe

windows10-2004-x64

10

1/loader.exe

windows7-x64

1

1/loader.exe

windows10-2004-x64

1

1/【东�...10.exe

windows7-x64

10

1/【东�...10.exe

windows10-2004-x64

10

1/【企�...��.exe

windows7-x64

10

1/【企�...��.exe

windows10-2004-x64

10

1/【财�...��.exe

windows7-x64

7

1/【财�...��.exe

windows10-2004-x64

10

1/内容.exe

windows7-x64

3

1/内容.exe

windows10-2004-x64

3

1/外挂 �...xf.exe

windows7-x64

3

1/外挂 �...xf.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    129s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    20-12-2023 12:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1/c.exe

  • Size

    479KB

  • MD5

    40269ec54ce4652fd82336a1e0920b8a

  • SHA1

    b47ab90f264f73c5b2b44588f11d6a459764c629

  • SHA256

    887a5500799685d517647285b2da937f611b364ebd0db9ea6b32010272487011

  • SHA512

    a7156a2f2e2d572075c15945756f9490023a5e603297421e0c8606720848eef76cf4e6b863ee36e39b72d2c425ecf5e48a6bf37d5a87617e5ffe6303886425ea

  • SSDEEP

    12288:E2KOYjMs4+GgTJKpiFtzfeiQ5Ki5oh1cJeOb:R8Qs4+GgTsEfeoh1c0U

Score
10/10
metasploitbackdoortrojanupx

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://47.94.43.210:8080/kRJU

Attributes
  • headers User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1\c.exe
    "C:\Users\Admin\AppData\Local\Temp\1\c.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2420

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG
    Filesize

    6KB

    MD5

    e39405e85e09f64ccde0f59392317dd3

    SHA1

    9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

    SHA256

    cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

    SHA512

    6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG
    Filesize

    27KB

    MD5

    fbbb450cbc124bac75de4b49dc2fb93d

    SHA1

    5fd7ff0648f372ac8853e18a2d4557995801932b

    SHA256

    f061b5cb931a13e8b120be759fa7faee63d3d05cb0cccb7a7321233a0301626c

    SHA512

    1bdfe93f2602db0ec8564f554d0e769e613f8c26ff1afcc6d4400d234f4026f9168a72bec7af731c03e8675a5c8bf5c2a1317608d61767bb7c2eab4611f38c7b

    Download Submit
  • memory/2420-0-0x0000000000400000-0x000000000053E000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2420-21-0x0000000000400000-0x000000000053E000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2420-29-0x0000000002070000-0x0000000002071000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2420-30-0x0000000000400000-0x000000000053E000-memory.dmp
    Filesize

    1.2MB

    Download