metasploit | 7bf404fe1bb92df0c7ae61277bc6f64d8762ee12f7ad548eb3162e98af912c2d

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 00:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1dabe1d6365a69240cc665e70cda4725.exe
Size

1.0MB
MD5

1dabe1d6365a69240cc665e70cda4725
SHA1

442c421432cb782e4286c310c184707fa9efbf22
SHA256

7bf404fe1bb92df0c7ae61277bc6f64d8762ee12f7ad548eb3162e98af912c2d
SHA512

048931d2cb3dc0cf18196ef1c326ddcb4d4ff43f210570ef5977ba259fd2885de01ce434b80b259410642eb79967648235c570d97ba42a2571274e5b6df3cbf0
SSDEEP

24576:ElgtHhqdaSb8wQaAfiz+uo6hsE2FwzOQyOXHYrh5z5O71PEbHO:E6tHodaYiaQPuoPGU3IRPEa

Score

10^/10

metasploit backdoor evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\DegCs.exe	1dabe1d6365a69240cc665e70cda4725.exe
File opened for modification	C:\Windows\SysWOW64\drivers\DegCs.exe	1dabe1d6365a69240cc665e70cda4725.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1dabe1d6365a69240cc665e70cda4725.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine	1dabe1d6365a69240cc665e70cda4725.exe

C:\Users\Admin\AppData\Local\Temp\1dabe1d6365a69240cc665e70cda4725.exe
"C:\Users\Admin\AppData\Local\Temp\1dabe1d6365a69240cc665e70cda4725.exe"
1⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Identifies Wine through registry keys
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3016-0-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download
memory/3016-4-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/3016-3-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/3016-2-0x0000000004140000-0x0000000004142000-memory.dmp

Filesize
8KB

Download
memory/3016-1-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download
memory/3016-9-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/3016-10-0x0000000004250000-0x0000000004252000-memory.dmp

Filesize
8KB

Download
memory/3016-8-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/3016-5-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/3016-11-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads