Overview

overview

10

Static

static

3

aa52d2b35d...e1.exe

windows7-x64

10

aa52d2b35d...e1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    07/01/2024, 19:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    aa52d2b35d0a5669a54193a76d9fe9e1.exe

  • Size

    1.7MB

  • MD5

    aa52d2b35d0a5669a54193a76d9fe9e1

  • SHA1

    0ba13b228b47c078f172bcac4355aa72a43a80e5

  • SHA256

    f00978e8456694b3548f25dde8b524ce6e4b0975494849cc35b88ada3f461111

  • SHA512

    ec8f8f98dd34605c5a9bfa1ba6413531fa7d21f9136da1687581adfd8c839ae12dd077867efde4e5d89ab8687eeca345ad72701567fc9f79a1daca9ff920cc80

  • SSDEEP

    49152:IdYddVDK5hUOMQKk1Er1E8dYdQTEdYdknvKZvB4VJZreDVJZre2:NVDQgFOPnvip4VzAVzx

Score
10/10
metasploitbackdoorevasionpersistencetrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies firewall policy service 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa52d2b35d0a5669a54193a76d9fe9e1.exe
    "C:\Users\Admin\AppData\Local\Temp\aa52d2b35d0a5669a54193a76d9fe9e1.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\WinInet.exe
      "C:\Windows\WinInet.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Windows\WinInet.exe
        C:\Windows\WinInet.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2364
        • C:\Program Files (x86)\Common Files\System\msn_kilo.exe
          "C:\Program Files (x86)\Common Files\System\msn_kilo.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Drops file in Program Files directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Program Files (x86)\Common Files\System\msn_kilo.exe
            "C:\Program Files (x86)\Common Files\System\msn_kilo.exe"
            5⤵
            • Modifies firewall policy service
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in Program Files directory
            PID:2564
    • C:\Windows\em.exe
      "C:\Windows\em.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\em.exe
        C:\Windows\em.exe
        3⤵
        • Executes dropped EXE
        PID:2732
    • C:\Windows\emo.exe
      "C:\Windows\emo.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:2548
      • C:\Windows\emo.exe
        C:\Windows\emo.exe
        3⤵
        • Executes dropped EXE
        PID:584
    • C:\Windows\l33t.exe
      "C:\Windows\l33t.exe"
      2⤵
      • Executes dropped EXE
      PID:2952
      • C:\Users\Admin\AppData\Local\Temp\explorer.exe
        "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1716
    • C:\Windows\gf.exe
      "C:\Windows\gf.exe"
      2⤵
      • Executes dropped EXE
      PID:1732
      • C:\Users\Admin\AppData\Local\Temp\explorer.exe
        "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2820

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Common Files\System\msn_kilo.exe
          Filesize

          256KB

          MD5

          560a17c1d3e033a9a01cf79fef827b31

          SHA1

          663746cb9d666363b9dc40ec957b661e75a3e8fc

          SHA256

          47680c4485395910114f637617098a7ed373d380c0c8c2764629281d97bd1f43

          SHA512

          496b5f120c91ca15d056bb1202e2eff1ca1acf25e2098e9731a9d09e6621c9b669eb3d069a6d00769f1702bea6672a4e6aff2486ab01967009e8a64b3a039550

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\explorer.exe
          Filesize

          74KB

          MD5

          8b07e4eb224a264790f2f51513d4810a

          SHA1

          2109ed97528af5c069a42ca42c0ccf1c3b4ffde7

          SHA256

          274273225883f642a2fca3c10b2df968c4c407569a08ec9c6d36519db5beedee

          SHA512

          bd76efebc5724d5b9ffdb919da73795de05818005c7e31b66c2d7a3e846704d3366d78762f9c8b67d10acd192a55c501314b819360dc56ac3f2202d10133ff84

          Download Submit

        • C:\Windows\WinInet.exe
          Filesize

          711KB

          MD5

          26bfa7affd98f30665ee1f40a3dfb1c8

          SHA1

          7ad71a62989a45c3bd31daa4561fa1280b85ca12

          SHA256

          13e702af9f89c03357ec3b51a553d48a7b428703a629a82c123b1c0f620861a6

          SHA512

          8e54677d026f025fa514010ee65faa7ec0f7e1d4306c75d2b66a752720e1a6d0f03b981289d599479f8d0c82f535808eafba31e537b25e16dff54a5753395ae9

          Download Submit

        • C:\Windows\em.exe
          Filesize

          185KB

          MD5

          aaff4eff1db9b53232319a1d59e50ad8

          SHA1

          fe139d84265927460c99a3c85b5aa1307e96522e

          SHA256

          2b29b3be908a0e588e2c3d79806dc92ef29c0b3f6a81393a6b202786bde0317d

          SHA512

          38a1a800af6e43a99eea829e91ce95dc73062f2655cf8dccb7e358f198d5fcf89c8993209375491e4c422e09ae0679b1322864483e70bc9f095111478944c2dc

          Download Submit

        • C:\Windows\emo.exe
          Filesize

          185KB

          MD5

          fde211abf58fc1def492e8c6e789ec4c

          SHA1

          f9c8bda784dd97646d12538578ebbe9a16950cb9

          SHA256

          807059b07dc1b4c903e94cd11d43f0bcff1cf4fd9e71daa6e199b57c5b8094ac

          SHA512

          b7002efe3ae5b74df006baea9d7a1236f7f6ab759f8b444979ea7fedd16df4aa469adfb802727b450610665604ccd04b6b1f2b98c5cda6e3eba02d7c9ba8981b

          Download Submit

        • C:\Windows\gf.exe
          Filesize

          258KB

          MD5

          f95e5e23ae65bcdea5cd31c24354ee22

          SHA1

          fd2b7c345dd22ca6cb3f75c560aba42b3a293bfc

          SHA256

          fdb785b01267a73d1797c50363c81b2f7e04a04a3eb096ecefec3a8ca705dcc8

          SHA512

          c871a2df4e38798289e1a517f142b7740232afc62e9a999a6bfbe8bbcf2ca1854ddda131bfc99797fc2e8b844d5a359c34563a7108becfe296437967afc947f9

          Download Submit

        • C:\Windows\l33t.exe
          Filesize

          126KB

          MD5

          332fef24a1a45a7ea97e1b12c4e7f2c9

          SHA1

          c67f823fb0ff983bf5ee16a8429fb26559ff40ea

          SHA256

          3a67c659e3709d983e4a0b5851c8e66a6d987d12ae55be63930737ccf3862ec4

          SHA512

          b3337a43bb1e496f163c9b6380cc77b387b59940bd19bae99e4c04e3738e95bdb5933c8c43c5bd7b9c620c74719a541372b8afa48dcb1318cf39cda54f518f28

          Download Submit

        • \Program Files (x86)\Common Files\System\msn_kilo.exe
          Filesize

          14KB

          MD5

          e14314396d5bfde225f2726e721c8ca0

          SHA1

          36ddcc99eafbd83065a68bd08de8f922518a6e91

          SHA256

          f39c7244a0ee32022b053c6a4382425a68be4ad6c2733fdd6a1930b659c4bd63

          SHA512

          baa0ec98785aff161650e316152982d441c2b5cf452954ae33ea7fa212209ef3e8117cfdc9b8f0fc42c83532e31ce37c0334e0fc5ede1ff920102a584f5969cb

          Download Submit

        • \Program Files (x86)\Common Files\System\msn_kilo.exe
          Filesize

          8KB

          MD5

          c6e9b0fd3a53eeb0ab92077be024b9ce

          SHA1

          3edeffdef431e15c15d4288ab6cc5b5e68a79b83

          SHA256

          8ccab1e6abe2b3dfd953fcedcaab8f6a7c3687594497a17023ff3b81374e7442

          SHA512

          2d1168909a9bc0fec82a6f17fdd288b336b582c31fc8038525df1421b2ee38c34bfdb982ee24fdba975381aeecb6510a23f45959cc0646aaae844da343578c95

          Download Submit

        • \Windows\SysWOW64\kernel23.dll
          Filesize

          320KB

          MD5

          d91de38799eb336241ac1ca208ab636e

          SHA1

          73aeadc0d107c49f76213918d8c52b4225c7042c

          SHA256

          2c70a2017064f89a34cbdc778479ee5a3af66ab961794cdb7ce89305c7b2cd82

          SHA512

          0f86809f0a2cf0169d9be8ab6d26075b08d01848bad878c90f93cb514755b56fb613c14f89f6738b020c57d551c777026a4f23a20ed13ccd8fcb6b9791253394

          Download Submit

        • \Windows\SysWOW64\kernel23.dll
          Filesize

          1.1MB

          MD5

          9b98d47916ead4f69ef51b56b0c2323c

          SHA1

          290a80b4ded0efc0fd00816f373fcea81a521330

          SHA256

          96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

          SHA512

          68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

          Download Submit

        • memory/584-115-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/1732-167-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1732-152-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1732-153-0x0000000001F00000-0x0000000001F80000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2364-34-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2364-19-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2364-15-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2364-59-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2364-38-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2364-36-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2364-17-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2364-28-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2364-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2364-25-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2364-22-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2564-170-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2732-82-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/2732-86-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/2732-76-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/2732-71-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/2732-67-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/2732-64-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/2952-146-0x0000000000510000-0x0000000000590000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2952-147-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2952-145-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2952-154-0x0000000000510000-0x0000000000590000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2952-168-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

          Filesize

          9.6MB

          Download