Overview

overview

10

Static

static

7

5688a22c88...7a.exe

windows7-x64

10

5688a22c88...7a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    12-01-2024 13:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5688a22c882e60b2cd2f2cc72601757a.exe

  • Size

    145KB

  • MD5

    5688a22c882e60b2cd2f2cc72601757a

  • SHA1

    444f49bf79dcdaa9a92dc62a9fe6ae3b0fe3b4fd

  • SHA256

    6083316ee01a2fee563a39e1dbc12b9042ec2c0ac87ddf0b2215e33fda2e1875

  • SHA512

    b709400c7f79b09a3da2f6969c4b7256cfb49dc3e42763506cf0a4ac81500d04e4fac70ad16b75ee50767ae645b97d2c39e1b591eab5df5d7c4db6a20811fc3e

  • SSDEEP

    3072:f7nTa+mRUBCVIFedDNG/A88pN4s/OwEx1AK6lb9Qt:Ha+mOBCVI8dZcQqNzAr9Q

Score
10/10
metasploitbackdoorpersistencetrojanupx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5688a22c882e60b2cd2f2cc72601757a.exe
    "C:\Users\Admin\AppData\Local\Temp\5688a22c882e60b2cd2f2cc72601757a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\5688a22c882e60b2cd2f2cc72601757a.exe
      "C:\Users\Admin\AppData\Local\Temp\5688a22c882e60b2cd2f2cc72601757a.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\x.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\SysWOW64\net.exe
          net stop "Security Center"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2864
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Security Center"
            5⤵
              PID:3036
        • C:\Windows\csrss.exe
          "C:\Windows\csrss.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2464
          • C:\Windows\csrss.exe
            "C:\Windows\csrss.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2860
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\x.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1888
              • C:\Windows\SysWOW64\net.exe
                net stop "Security Center"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:3016
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Security Center"
                  7⤵
                    PID:3032

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\csrss.exe
        Filesize

        145KB

        MD5

        5688a22c882e60b2cd2f2cc72601757a

        SHA1

        444f49bf79dcdaa9a92dc62a9fe6ae3b0fe3b4fd

        SHA256

        6083316ee01a2fee563a39e1dbc12b9042ec2c0ac87ddf0b2215e33fda2e1875

        SHA512

        b709400c7f79b09a3da2f6969c4b7256cfb49dc3e42763506cf0a4ac81500d04e4fac70ad16b75ee50767ae645b97d2c39e1b591eab5df5d7c4db6a20811fc3e

        Download Submit

      • C:\x.bat
        Filesize

        53B

        MD5

        e6ed7be2b9572503f07663ca6e53759f

        SHA1

        7ad80bd38f2a27e06c111b551c76ad0a0585c194

        SHA256

        b1a6c027d18eb5766129a059f68201e6fb8c68d095f3932983009fe5ae2e4df9

        SHA512

        e0010782b4fe567290536743375112db3107f8390d4c5cbb97f1bf1a8c83825399e1fe2fe9793d351896bb704f3bdec583fa7241b853b136fa9440a927d94227

        Download Submit

      • memory/1188-14-0x0000000000400000-0x0000000000426000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1188-3-0x0000000000240000-0x0000000000266000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1188-0-0x0000000000400000-0x0000000000426000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2464-48-0x0000000000400000-0x0000000000426000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2464-30-0x0000000000400000-0x0000000000426000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2568-8-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2568-32-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2568-15-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2568-16-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2568-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2568-6-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2568-4-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2568-12-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2568-1-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-58-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-60-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-63-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-66-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-69-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2860-71-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download