Overview

overview

10

Static

static

10

21d6b63327...02.exe

windows7-x64

10

21d6b63327...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06-05-2024 07:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21d6b63327f1f57348899d5992d43102.exe

  • Size

    124KB

  • MD5

    21d6b63327f1f57348899d5992d43102

  • SHA1

    c1f72ac6dedd7817c094c41df3d9dd505675d93d

  • SHA256

    a5d024a0be4a491e5004b9c4c1343fc172e210cc1bf78641d512c6fd9ec41f62

  • SHA512

    0af75df0a6dfe44b33b03f4dc716c48db3a479f438fe0a9332b82cc832ffdb2d56254b073bfb67feed8c0f5516ede72a93f1de70e62c8ae9e9e9fd09f600d1cf

  • SSDEEP

    1536:IFaM5mTEVEQnqrZM5V3J6fgNWbMb+KR0Nc8QsJq3:iaMqEVEUWZulJGgNAe0Nc8QsC

Score
10/10
metasploitxmrigbackdoorminerpersistencepyinstallertrojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

86.104.74.31:9981

Extracted

Family

metasploit

Version

windows/reverse_winhttp

C2

https://86.104.74.31:2526/-zHGcUeWz9B__H79GcT_vw6fiq3ZfacoOpiicZAQdFSopE75-m6Wh8pyNy-ksrVkep8OUw6qQpG4yOZsQ6Mj6I-cfdAG

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • XMRig Miner payload 2 IoCs
    miner
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in System32 directory 11 IoCs
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Modifies data under HKEY_USERS 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Sets service image path in registry
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:464
    • C:\Windows\system32\cmd.exe
      cmd.exe /c echo rrcuir > \\.\pipe\rrcuir
      2⤵
        PID:2812
      • C:\Users\Admin\AppData\Local\Temp\IOrJ.exe
        "C:\Users\Admin\AppData\Local\Temp\IOrJ.exe" tVoebv
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Users\Admin\AppData\Local\Temp\IOrJ.exe
          C:\Users\Admin\AppData\Local\Temp\IOrJ.exe
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:2296
      • \??\c:\windows\system32\WindowsUpdate.exe
        c:/windows/system32/\WindowsUpdate.exe
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:676
      • \??\c:\windows\system32\Python-deamon.exe
        c:/windows/system32/\Python-deamon.exe
        2⤵
        • Executes dropped EXE
        PID:1616
    • C:\Users\Admin\AppData\Local\Temp\21d6b63327f1f57348899d5992d43102.exe
      "C:\Users\Admin\AppData\Local\Temp\21d6b63327f1f57348899d5992d43102.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\IOrJ.exe" kkPVJbd
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1220
        • C:\Users\Admin\AppData\Local\Temp\IOrJ.exe
          C:\Users\Admin\AppData\Local\Temp\IOrJ.exe kkPVJbd
          3⤵
          • Executes dropped EXE
          PID:1912

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit
    • C:\Windows\System32\Python-deamon.exe
      Filesize

      4.9MB

      MD5

      2213c24bf5f894162377e83435bf6394

      SHA1

      34d35d4fefa2464c7a7adcf844a2055161283fcb

      SHA256

      920ddce9db19abbde837de204acf2c28abdc93525d50c74e686f2b64560dc6a2

      SHA512

      4fbccf72968372841668a4860ac5201138458c98eaf6dd034e435ae0741dba143cc5d5241cf19c1aee18ac425eb25ad3f9dd04452bc302b27f825313785fd554

      Download Submit
    • C:\Windows\Temp\Tar15E6.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit
    • \??\c:\windows\system32\config.json
      Filesize

      2KB

      MD5

      97190f32e9ebd6cfc56e63a7b558b4e5

      SHA1

      9085d5e432921cfee05603fc4cee635860494c78

      SHA256

      25e696edfadd0de5f13af4d3a7bd85a5cceac365d6d3ba96d1db4cdf3123ed2d

      SHA512

      d521d2efe74278b74bf04ef397ca33ed32afbd4b0d61442cfd4d57b4f940981472634eba8c32dffc996dbc79d47c2ab48ae53d0fca0f786cc2bd1329a5566617

      Download Submit
    • \Users\Admin\AppData\Local\Temp\IOrJ.exe
      Filesize

      8KB

      MD5

      be5834010c0a9ba9b98732357df7520f

      SHA1

      78fa14732624bf36119ee55bec40b6099ea963d3

      SHA256

      d3735d945bf600a6025bb21af2f93a8d5016388bc2245219d89de11ab12dbdfc

      SHA512

      8fbbae396a20052bf64887f78f478faab0417d7fe1d583e95e356cd32c14ee193f094a21c7a53d73fb6ea6649691b95eae9274a7c471e45379bc978108facee1

      Download Submit
    • \Windows\System32\WindowsUpdate.exe
      Filesize

      5.4MB

      MD5

      1ce931c7db9f11fe942e34857e16100e

      SHA1

      18aa4aa3d4f4653ca3c8fb706b004f911a5dd9de

      SHA256

      7fac868eff64e2fae4e1d2cc9ef2d30b6e865e91f48782d5400f7f1376aeb543

      SHA512

      44d99eb110efd3e636a8c74015277f13b24306e41965a67a1b970e7a07cb63343a7e6d1dc48308a6a115330e568ea5c7e50e2ec8897e639de2d322278fa67a9e

      Download Submit
    • memory/464-289-0x0000000001C30000-0x0000000001E30000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/464-283-0x0000000001170000-0x0000000001270000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/464-184-0x0000000001170000-0x0000000001270000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/464-170-0x0000000001C30000-0x0000000001E30000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/464-290-0x0000000001170000-0x0000000001270000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/464-311-0x0000000001170000-0x0000000001270000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/464-134-0x0000000000120000-0x0000000000152000-memory.dmp
      Filesize

      200KB

      Download
    • memory/2032-35-0x0000000002500000-0x0000000002525000-memory.dmp
      Filesize

      148KB

      Download
    • memory/2032-20-0x0000000000330000-0x0000000000361000-memory.dmp
      Filesize

      196KB

      Download
    • memory/2032-1-0x0000000000280000-0x00000000002AC000-memory.dmp
      Filesize

      176KB

      Download
    • memory/2032-111-0x0000000002010000-0x0000000002110000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2032-119-0x0000000002010000-0x0000000002110000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2032-2-0x0000000000330000-0x0000000000361000-memory.dmp
      Filesize

      196KB

      Download
    • memory/2032-127-0x0000000000380000-0x0000000000381000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2032-126-0x0000000000370000-0x0000000000371000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2032-62-0x0000000000330000-0x0000000000361000-memory.dmp
      Filesize

      196KB

      Download
    • memory/2032-58-0x0000000000280000-0x00000000002AC000-memory.dmp
      Filesize

      176KB

      Download
    • memory/2032-41-0x0000000000330000-0x0000000000361000-memory.dmp
      Filesize

      196KB

      Download
    • memory/2032-40-0x0000000002010000-0x0000000002110000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2032-0-0x0000000000020000-0x0000000000021000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2032-67-0x0000000000330000-0x0000000000361000-memory.dmp
      Filesize

      196KB

      Download
    • memory/2032-15-0x0000000002110000-0x0000000002173000-memory.dmp
      Filesize

      396KB

      Download
    • memory/2032-14-0x0000000002010000-0x0000000002110000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2032-7-0x0000000000330000-0x0000000000361000-memory.dmp
      Filesize

      196KB

      Download
    • memory/2032-6-0x0000000000330000-0x0000000000361000-memory.dmp
      Filesize

      196KB

      Download
    • memory/2296-120-0x0000000003320000-0x0000000003720000-memory.dmp
      Filesize

      4.0MB

      Download
    • memory/2296-77-0x0000000000020000-0x0000000000021000-memory.dmp
      Filesize

      4KB

      Download