Overview

overview

10

Static

static

3

be5a48fc4d...e6.exe

windows7-x64

10

be5a48fc4d...e6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2024 00:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe

  • Size

    1.8MB

  • MD5

    4414d2ea457ca79b4734f4d03aa10cff

  • SHA1

    be055cc414a6559eb0b8f6c61aa643ffc3a042fb

  • SHA256

    be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6

  • SHA512

    c98808a4e483e2d2401c8dbae6cd62c321e993c85cfa406d4ddc56cef804693bcac8b8dd683f96917084f4eefa61b500c5d983b66f6b0e3c3b11585b28226172

  • SSDEEP

    24576:/3vLRdVhZBK8NogWYO09SOGi9J3YiWdCMJ5QxmjwC/hR:/3d5ZQ1exJIiW0MbQxA

Score
10/10
metasploitbackdoordiscoveryspywarestealertrojan

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

1.15.12.73:4567

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 17 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe
    "C:\Users\Admin\AppData\Local\Temp\be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe
      "C:\Users\Admin\AppData\Local\Temp\be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe" Admin
      2⤵
      • Drops file in Drivers directory
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4576
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
        3⤵
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3444
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe2b6d46f8,0x7ffe2b6d4708,0x7ffe2b6d4718
          4⤵
            PID:2468
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5189145051219210889,8639270356194488699,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
            4⤵
              PID:844
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,5189145051219210889,8639270356194488699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:4624
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,5189145051219210889,8639270356194488699,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
              4⤵
                PID:1568
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5189145051219210889,8639270356194488699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
                4⤵
                  PID:5072
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5189145051219210889,8639270356194488699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
                  4⤵
                    PID:2100
            • C:\Windows\System32\CompPkgSrv.exe
              C:\Windows\System32\CompPkgSrv.exe -Embedding
              1⤵
                PID:2564
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:896

                Network

                MITRE ATT&CK Matrix ATT&CK v13

                Initial Access

                Execution

                Persistence

                Privilege Escalation

                Defense Evasion

                Credential Access

                Unsecured Credentials

                1
                T1552

                Credentials In Files

                1
                T1552.001

                Discovery

                Query Registry

                3
                T1012

                System Information Discovery

                3
                T1082

                Peripheral Device Discovery

                1
                T1120

                Lateral Movement

                Collection

                Data from Local System

                1
                T1005

                Exfiltration

                Command and Control

                Impact

                Resource Development

                Reconnaissance

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                  Filesize

                  152B

                  MD5

                  2579d07b98bbefadc929d80fb3dbd32a

                  SHA1

                  1ceb57c4b81f0f23500e118a4b9a225116a467de

                  SHA256

                  b8443c289ad36568a2bf794ac9ec1f259a9dd930c36680dafc8d0cb4de81feb6

                  SHA512

                  53522ad5e8e2a272d5b1bff9b9226b7d976d47413891c60d7efebd4365baff12b6891e3f79b20e14892ec7c654ad2d437941014290c428c6b1bd78a7b3e557de

                  Download Submit
                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                  Filesize

                  152B

                  MD5

                  8c91c8582b0c918416d14bd7eedd686e

                  SHA1

                  b2ff8149bc21144fdcec64111afda492965c6621

                  SHA256

                  1e839706b748c04adf8efa2790564ca1efd707fdf6451e71af6862e07123717e

                  SHA512

                  a93be868d9f08097bff39069378a0bfa0f5c78e74e9e8df820be9b0426cbfe84e03e9638b329b6142279ed140a120c4c4c21857f410fc4789a370445c3919dcf

                  Download Submit
                • C:\Windows\system32\drivers\etc\hosts
                  Filesize

                  822B

                  MD5

                  03450e8ddb20859f242195450c19b8f1

                  SHA1

                  9698f8caf67c8853e14c8bf4933949f458c3044a

                  SHA256

                  1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b

                  SHA512

                  87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b

                  Download Submit
                • \??\pipe\LOCAL\crashpad_3444_XYRRBREIHMEKEATZ
                  MD5

                  d41d8cd98f00b204e9800998ecf8427e

                  SHA1

                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                  SHA256

                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                  SHA512

                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                  Download Submit
                • memory/1188-0-0x00000000021F0000-0x00000000021F1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1188-1-0x00000000021F0000-0x00000000021F1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1188-2-0x00000000022C0000-0x00000000022C1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1188-4-0x0000000000400000-0x00000000005E5000-memory.dmp
                  Filesize

                  1.9MB

                  Download
                • memory/4576-15-0x0000000000400000-0x00000000005E5000-memory.dmp
                  Filesize

                  1.9MB

                  Download
                • memory/4576-23-0x0000000000400000-0x00000000005E5000-memory.dmp
                  Filesize

                  1.9MB

                  Download
                • memory/4576-13-0x0000000000400000-0x00000000005E5000-memory.dmp
                  Filesize

                  1.9MB

                  Download
                • memory/4576-16-0x0000000000400000-0x00000000005E5000-memory.dmp
                  Filesize

                  1.9MB

                  Download
                • memory/4576-17-0x0000000000400000-0x00000000005E5000-memory.dmp
                  Filesize

                  1.9MB

                  Download
                • memory/4576-18-0x0000000000400000-0x00000000005E5000-memory.dmp
                  Filesize

                  1.9MB

                  Download
                • memory/4576-19-0x0000000000400000-0x00000000005E5000-memory.dmp
                  Filesize

                  1.9MB

                  Download
                • memory/4576-14-0x0000000000400000-0x00000000005E5000-memory.dmp
                  Filesize

                  1.9MB

                  Download
                • memory/4576-24-0x0000000000400000-0x00000000005E5000-memory.dmp
                  Filesize

                  1.9MB

                  Download
                • memory/4576-26-0x0000000000400000-0x00000000005E5000-memory.dmp
                  Filesize

                  1.9MB

                  Download
                • memory/4576-12-0x0000000000400000-0x00000000005E5000-memory.dmp
                  Filesize

                  1.9MB

                  Download
                • memory/4576-11-0x0000000002410000-0x0000000002411000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4576-9-0x0000000000400000-0x00000000005E5000-memory.dmp
                  Filesize

                  1.9MB

                  Download
                • memory/4576-6-0x0000000002410000-0x0000000002411000-memory.dmp
                  Filesize

                  4KB

                  Download