Overview

overview

10

Static

static

10

21d6b63327...02.exe

windows7-x64

10

21d6b63327...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2024 07:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21d6b63327f1f57348899d5992d43102.exe

  • Size

    124KB

  • MD5

    21d6b63327f1f57348899d5992d43102

  • SHA1

    c1f72ac6dedd7817c094c41df3d9dd505675d93d

  • SHA256

    a5d024a0be4a491e5004b9c4c1343fc172e210cc1bf78641d512c6fd9ec41f62

  • SHA512

    0af75df0a6dfe44b33b03f4dc716c48db3a479f438fe0a9332b82cc832ffdb2d56254b073bfb67feed8c0f5516ede72a93f1de70e62c8ae9e9e9fd09f600d1cf

  • SSDEEP

    1536:IFaM5mTEVEQnqrZM5V3J6fgNWbMb+KR0Nc8QsJq3:iaMqEVEUWZulJGgNAe0Nc8QsC

Score
10/10
metasploitxmrigbackdoorminerpyinstallertrojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

86.104.74.31:9981

Extracted

Family

metasploit

Version

windows/reverse_winhttp

C2

https://86.104.74.31:2526/QFdn-an7LHXwH_EelidwNALmab8nbAeOtEi1Yl3P72-JNCwyowwFlk68eXfNDS9-kdqb4r2ePQlozfgaqz7zjmwbWEZMELNzJghq2QD2e7G_n7TOWCrhIRiQxMb-xV3inm-tt9SwNaVUoFkq4CgzV-6j1O22d4xaPK9AAHu57c34Y6kcLN8ei3gF2cPwQM-A52_6XfA8FqJ0ov95KWITQ

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • XMRig Miner payload 2 IoCs
    miner
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Drops file in System32 directory 13 IoCs
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:776
    • C:\Windows\system32\backgroundTaskHost.exe
      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
      2⤵
        PID:4124
      • \??\c:\windows\system32\WindowsUpdate.exe
        c:/windows/system32/\WindowsUpdate.exe
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4136
      • \??\c:\windows\system32\Python-deamon.exe
        c:/windows/system32/\Python-deamon.exe
        2⤵
        • Executes dropped EXE
        PID:4240
      • C:\Windows\system32\backgroundTaskHost.exe
        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
        2⤵
          PID:788
      • C:\Users\Admin\AppData\Local\Temp\21d6b63327f1f57348899d5992d43102.exe
        "C:\Users\Admin\AppData\Local\Temp\21d6b63327f1f57348899d5992d43102.exe"
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TpkoZj.exe" WIOpTON
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4468
          • C:\Users\Admin\AppData\Local\Temp\TpkoZj.exe
            C:\Users\Admin\AppData\Local\Temp\TpkoZj.exe WIOpTON
            3⤵
            • Executes dropped EXE
            PID:4288
      • C:\Windows\system32\cmd.exe
        cmd.exe /c echo tffnev > \\.\pipe\tffnev
        1⤵
          PID:4720
        • C:\Users\Admin\AppData\Local\Temp\TpkoZj.exe
          "C:\Users\Admin\AppData\Local\Temp\TpkoZj.exe" LsXT
          1⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4780
          • C:\Users\Admin\AppData\Local\Temp\TpkoZj.exe
            C:\Users\Admin\AppData\Local\Temp\TpkoZj.exe
            2⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            PID:4088

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\TpkoZj.exe
          Filesize

          10KB

          MD5

          5581032c78f96c48cb5576cef71b3672

          SHA1

          7d6b19ccb84917d1e52ca853a64ee1a2ba941a21

          SHA256

          f7cd8c058f3499b5d38a80e3134c8edca152a1ca70952c91190322850cb6b15d

          SHA512

          33521c19d5424084b0bc3ef2f244506e024ec4c2553f2a3834a6377d8046a3156ab39b8c2eacc8268a123fcf75b714e05c4f5e107fdfd1d6108fc28595760f26

          Download Submit
        • C:\Windows\System32\Python-deamon.exe
          Filesize

          4.9MB

          MD5

          2213c24bf5f894162377e83435bf6394

          SHA1

          34d35d4fefa2464c7a7adcf844a2055161283fcb

          SHA256

          920ddce9db19abbde837de204acf2c28abdc93525d50c74e686f2b64560dc6a2

          SHA512

          4fbccf72968372841668a4860ac5201138458c98eaf6dd034e435ae0741dba143cc5d5241cf19c1aee18ac425eb25ad3f9dd04452bc302b27f825313785fd554

          Download Submit
        • C:\Windows\System32\WindowsUpdate.exe
          Filesize

          5.4MB

          MD5

          1ce931c7db9f11fe942e34857e16100e

          SHA1

          18aa4aa3d4f4653ca3c8fb706b004f911a5dd9de

          SHA256

          7fac868eff64e2fae4e1d2cc9ef2d30b6e865e91f48782d5400f7f1376aeb543

          SHA512

          44d99eb110efd3e636a8c74015277f13b24306e41965a67a1b970e7a07cb63343a7e6d1dc48308a6a115330e568ea5c7e50e2ec8897e639de2d322278fa67a9e

          Download Submit
        • \??\c:\windows\system32\config.json
          Filesize

          2KB

          MD5

          97190f32e9ebd6cfc56e63a7b558b4e5

          SHA1

          9085d5e432921cfee05603fc4cee635860494c78

          SHA256

          25e696edfadd0de5f13af4d3a7bd85a5cceac365d6d3ba96d1db4cdf3123ed2d

          SHA512

          d521d2efe74278b74bf04ef397ca33ed32afbd4b0d61442cfd4d57b4f940981472634eba8c32dffc996dbc79d47c2ab48ae53d0fca0f786cc2bd1329a5566617

          Download Submit
        • memory/776-315-0x000001B03C600000-0x000001B03C800000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/776-253-0x000001B03C600000-0x000001B03C800000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/776-252-0x000001B03C600000-0x000001B03C800000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/776-225-0x000001B03C600000-0x000001B03C800000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/776-152-0x000001B03C600000-0x000001B03C800000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/776-138-0x000001B03C600000-0x000001B03C800000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/776-126-0x0000000000FD0000-0x0000000001002000-memory.dmp
          Filesize

          200KB

          Download
        • memory/1888-20-0x00000000008F0000-0x0000000000921000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1888-35-0x00000000026E0000-0x0000000002705000-memory.dmp
          Filesize

          148KB

          Download
        • memory/1888-61-0x00000000008F0000-0x0000000000921000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1888-1-0x00000000008C0000-0x00000000008EC000-memory.dmp
          Filesize

          176KB

          Download
        • memory/1888-2-0x00000000008F0000-0x0000000000921000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1888-117-0x00000000008C0000-0x00000000008EC000-memory.dmp
          Filesize

          176KB

          Download
        • memory/1888-118-0x0000000000960000-0x0000000000961000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1888-41-0x00000000008F0000-0x0000000000921000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1888-40-0x0000000002570000-0x0000000002670000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/1888-66-0x00000000008F0000-0x0000000000921000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1888-0-0x0000000000560000-0x0000000000561000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1888-19-0x0000000002570000-0x0000000002670000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/1888-14-0x0000000002670000-0x00000000026D3000-memory.dmp
          Filesize

          396KB

          Download
        • memory/1888-7-0x00000000008F0000-0x0000000000921000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1888-6-0x00000000008F0000-0x0000000000921000-memory.dmp
          Filesize

          196KB

          Download
        • memory/4088-83-0x0000000001CC0000-0x00000000020C0000-memory.dmp
          Filesize

          4.0MB

          Download
        • memory/4088-74-0x00000000005F0000-0x00000000005F1000-memory.dmp
          Filesize

          4KB

          Download