metasploit | 77c5ebd88db1c4b793ea6b35e13e5578298c4f94ba88c6d2ed1e9018f7707f61

Analysis

max time kernel
35s
max time network
163s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 10:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

60fe411b88b9d8ff7fdcc7d1c2bcb79b.exe
Size

719KB
MD5

60fe411b88b9d8ff7fdcc7d1c2bcb79b
SHA1

b78a3cbd008f9fc0a2369d46f5fc6da9b5aa46ca
SHA256

77c5ebd88db1c4b793ea6b35e13e5578298c4f94ba88c6d2ed1e9018f7707f61
SHA512

35e1119e34d180e48054347b3bb080ab07cdcf2e237f53246506c7fd6ca2a8144617afb04197299ca3aa1cb963454d8a4a9bc1c31dc0a2194bb93f2ecfa87228
SSDEEP

12288:ICx1kJpmp7HMYjTcvWVez4zqDvYRIQnIfHjAXd5eqBFtJTcXPca0amUVRFtSn9ou:ZKJpu7sJHA4g1IrAN5htJg/zfFIn9b

Score

10^/10

metasploit backdoor evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\sysdrv32.sys	wmibusn.exe

Deletes itself 1 IoCs

pid	Process
2864	wmibusn.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	wmibusn.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine	60fe411b88b9d8ff7fdcc7d1c2bcb79b.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	wmibusn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1080	60fe411b88b9d8ff7fdcc7d1c2bcb79b.exe
2864	wmibusn.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\wmibusn.exe	60fe411b88b9d8ff7fdcc7d1c2bcb79b.exe
File opened for modification	C:\Windows\system\wmibusn.exe	60fe411b88b9d8ff7fdcc7d1c2bcb79b.exe

Gathers network information 2 TTPs 19 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1396	ipconfig.exe
1576	ipconfig.exe
2288	ipconfig.exe
2060	ipconfig.exe
2972	ipconfig.exe
688	ipconfig.exe
2348	ipconfig.exe
944	ipconfig.exe
2044	ipconfig.exe
2876	ipconfig.exe
1296	ipconfig.exe
2372	ipconfig.exe
1884	ipconfig.exe
684	ipconfig.exe
2484	ipconfig.exe
1700	ipconfig.exe
1832	ipconfig.exe
2068	ipconfig.exe
2360	ipconfig.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	wmibusn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wmibusn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	wmibusn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wmibusn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wmibusn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	wmibusn.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1080	60fe411b88b9d8ff7fdcc7d1c2bcb79b.exe
2864	wmibusn.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	wmibusn.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2972	2864	wmibusn.exe	30
PID 2864 wrote to memory of 2972	2864	wmibusn.exe	30
PID 2864 wrote to memory of 2972	2864	wmibusn.exe	30
PID 2864 wrote to memory of 2972	2864	wmibusn.exe	30
PID 2864 wrote to memory of 688	2864	wmibusn.exe	31
PID 2864 wrote to memory of 688	2864	wmibusn.exe	31
PID 2864 wrote to memory of 688	2864	wmibusn.exe	31
PID 2864 wrote to memory of 688	2864	wmibusn.exe	31
PID 2864 wrote to memory of 1396	2864	wmibusn.exe	34
PID 2864 wrote to memory of 1396	2864	wmibusn.exe	34
PID 2864 wrote to memory of 1396	2864	wmibusn.exe	34
PID 2864 wrote to memory of 1396	2864	wmibusn.exe	34
PID 2864 wrote to memory of 1576	2864	wmibusn.exe	37
PID 2864 wrote to memory of 1576	2864	wmibusn.exe	37
PID 2864 wrote to memory of 1576	2864	wmibusn.exe	37
PID 2864 wrote to memory of 1576	2864	wmibusn.exe	37

C:\Users\Admin\AppData\Local\Temp\60fe411b88b9d8ff7fdcc7d1c2bcb79b.exe
"C:\Users\Admin\AppData\Local\Temp\60fe411b88b9d8ff7fdcc7d1c2bcb79b.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1080

C:\Windows\system\wmibusn.exe
"C:\Windows\system\wmibusn.exe"
1⤵
- Drops file in Drivers directory
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:2972
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:688
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:1396
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:1576
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:1296
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:2372
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:2348
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:2288
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:1884
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:944
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:1832
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:684
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:2060
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:2484
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:2068
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:1700
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:2044
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:2360
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\wmibusn.exe

Filesize
2KB

MD5
f283878e5f16d0f591d5a873957ea05e

SHA1
0bd728ad7b7bd247b8311e485c8b09bc21b71b5b

SHA256
421e43e4ae280ada3c85ba6e6f8dc9b40678654bb3e345891f2f9774c54873a8

SHA512
7c611b13be2391cb13f8cc8773bb6fde24497337d6839d87f88737197045fc7d70c50735106b3418f8e43142276dacdf9cac67e7a773ef6bef1493fd3170d924

Download Submit
C:\Windows\system\wmibusn.exe

Filesize
95KB

MD5
d1f0e7539ab42959c6d5a08349cd0de1

SHA1
764add458695c6c7835c94d2078e59bacedac9ad

SHA256
15bf34c373f891d476e405db8dfcb6a21543cfee30553aeb700be7eee11b15d5

SHA512
25303840c3a06262660dc4da56c4f153421c0a3e28d5c07a6eac0be7c8e2465e229f36c0c983e42bb19c4679b6098b9eecf59a5164c3b3fddacdb3c8ba817fb8

Download Submit
memory/1080-10-0x0000000004030000-0x0000000004031000-memory.dmp

Filesize
4KB

Download
memory/1080-14-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1080-9-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/1080-8-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

Filesize
4KB

Download
memory/1080-4-0x0000000003F50000-0x0000000003F51000-memory.dmp

Filesize
4KB

Download
memory/1080-3-0x0000000004020000-0x0000000004021000-memory.dmp

Filesize
4KB

Download
memory/1080-2-0x0000000003FB0000-0x0000000003FB2000-memory.dmp

Filesize
8KB

Download
memory/1080-11-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

Filesize
4KB

Download
memory/1080-5-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/1080-1-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1080-0-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2864-23-0x0000000004020000-0x0000000004021000-memory.dmp

Filesize
4KB

Download
memory/2864-26-0x0000000004030000-0x0000000004031000-memory.dmp

Filesize
4KB

Download
memory/2864-20-0x0000000004050000-0x0000000004051000-memory.dmp

Filesize
4KB

Download
memory/2864-19-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/2864-18-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/2864-17-0x0000000004060000-0x0000000004061000-memory.dmp

Filesize
4KB

Download
memory/2864-15-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2864-22-0x0000000004070000-0x0000000004071000-memory.dmp

Filesize
4KB

Download
memory/2864-24-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2864-16-0x0000000003FF0000-0x0000000003FF2000-memory.dmp

Filesize
8KB

Download
memory/2864-13-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2864-31-0x0000000003F70000-0x0000000003F71000-memory.dmp

Filesize
4KB

Download
memory/2864-30-0x0000000003F90000-0x0000000003F91000-memory.dmp

Filesize
4KB

Download
memory/2864-28-0x0000000004040000-0x0000000004041000-memory.dmp

Filesize
4KB

Download
memory/2864-27-0x0000000003FA0000-0x0000000003FA2000-memory.dmp

Filesize
8KB

Download
memory/2864-21-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/2864-32-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2864-33-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2864-34-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/2864-35-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2864-36-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2864-37-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2864-38-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2864-39-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2864-40-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2864-41-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2864-42-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2864-43-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2864-44-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2864-45-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2864-46-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download