Malware Analysis Report

2025-01-03 08:11

Sample ID 240419-mvrfhsaa6v
Target 389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97.exe
SHA256 389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97
Tags
metasploit backdoor bootkit persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

Threat Level: Known bad

The file 389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97.exe was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor bootkit persistence trojan

MetaSploit

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 10:47

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 10:47

Reported

2024-04-19 10:48

Platform

win7-20240221-en

Max time kernel

20s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\{bfab744a-57a0-4f60-8549-bd411868a446}\cmd.exe
Target: N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Roaming\{bfab744a-57a0-4f60-8549-bd411868a446}\cmd.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeShutdownPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\{bfab744a-57a0-4f60-8549-bd411868a446}\cmd.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97.exe

"C:\Users\Admin\AppData\Local\Temp\389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97.exe"

C:\Users\Admin\AppData\Roaming\{bfab744a-57a0-4f60-8549-bd411868a446}\cmd.exe

"C:\Users\Admin\AppData\Roaming\{bfab744a-57a0-4f60-8549-bd411868a446}\cmd.exe"

Network

N/A

Files

memory/2740-0-0x00000000002B0000-0x00000000002C6000-memory.dmp

memory/2740-1-0x00000000002D0000-0x00000000002EA000-memory.dmp

\Users\Admin\AppData\Roaming\{bfab744a-57a0-4f60-8549-bd411868a446}\cmd.exe

MD5 e3b7d39be5e821b59636d0fe7c2944cc
SHA1 00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88
SHA256 389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97
SHA512 8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

memory/2740-13-0x00000000002D0000-0x00000000002EA000-memory.dmp

memory/2116-14-0x00000000005E0000-0x00000000005FA000-memory.dmp