Overview

overview

10

Static

static

10

21d6b63327...02.exe

windows7-x64

10

21d6b63327...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2024 07:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21d6b63327f1f57348899d5992d43102.exe

  • Size

    124KB

  • MD5

    21d6b63327f1f57348899d5992d43102

  • SHA1

    c1f72ac6dedd7817c094c41df3d9dd505675d93d

  • SHA256

    a5d024a0be4a491e5004b9c4c1343fc172e210cc1bf78641d512c6fd9ec41f62

  • SHA512

    0af75df0a6dfe44b33b03f4dc716c48db3a479f438fe0a9332b82cc832ffdb2d56254b073bfb67feed8c0f5516ede72a93f1de70e62c8ae9e9e9fd09f600d1cf

  • SSDEEP

    1536:IFaM5mTEVEQnqrZM5V3J6fgNWbMb+KR0Nc8QsJq3:iaMqEVEUWZulJGgNAe0Nc8QsC

Score
10/10
metasploitxmrigbackdoorminerpyinstallertrojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

86.104.74.31:9981

Extracted

Family

metasploit

Version

windows/reverse_winhttp

C2

https://86.104.74.31:2526/ikfdrhy-qkcCVANVZGyCLw-WZQJ__3gJI6bV47gaYkMVSsAScxNyy

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • XMRig Miner payload 2 IoCs
    miner
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Drops file in System32 directory 7 IoCs
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\system32\backgroundTaskHost.exe
      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
      2⤵
        PID:512
      • \??\c:\windows\system32\BackgroundTransferHost.exe
        "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
        2⤵
        • Modifies registry class
        PID:4848
      • C:\Windows\system32\backgroundTaskHost.exe
        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
        2⤵
          PID:4616
        • \??\c:\windows\system32\BackgroundTransferHost.exe
          "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
          2⤵
          • Modifies registry class
          PID:64
        • \??\c:\windows\system32\BackgroundTransferHost.exe
          "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
          2⤵
          • Modifies registry class
          PID:3656
        • \??\c:\windows\system32\WindowsUpdate.exe
          c:/windows/system32/\WindowsUpdate.exe
          2⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of FindShellTrayWindow
          PID:3772
        • \??\c:\windows\system32\Python-deamon.exe
          c:/windows/system32/\Python-deamon.exe
          2⤵
          • Executes dropped EXE
          PID:2904
        • C:\Windows\system32\backgroundTaskHost.exe
          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
          2⤵
            PID:744
        • C:\Users\Admin\AppData\Local\Temp\21d6b63327f1f57348899d5992d43102.exe
          "C:\Users\Admin\AppData\Local\Temp\21d6b63327f1f57348899d5992d43102.exe"
          1⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1564
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MDzTJO.exe" JldBikd
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:452
            • C:\Users\Admin\AppData\Local\Temp\MDzTJO.exe
              C:\Users\Admin\AppData\Local\Temp\MDzTJO.exe JldBikd
              3⤵
              • Executes dropped EXE
              PID:4144
        • C:\Windows\system32\cmd.exe
          cmd.exe /c echo hkhhoj > \\.\pipe\hkhhoj
          1⤵
            PID:4896
          • C:\Users\Admin\AppData\Local\Temp\MDzTJO.exe
            "C:\Users\Admin\AppData\Local\Temp\MDzTJO.exe" pMUmtapl
            1⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1624
            • C:\Users\Admin\AppData\Local\Temp\MDzTJO.exe
              C:\Users\Admin\AppData\Local\Temp\MDzTJO.exe
              2⤵
              • Executes dropped EXE
              • Modifies data under HKEY_USERS
              PID:2072

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\80763b86-ed3d-40c0-8596-02a30f53324e.down_data
            Filesize

            439KB

            MD5

            e7d4d8c834f81b46938ee56eb1ec1974

            SHA1

            36cd3b81ef0bdd43ffcc3f1d684ca8554b5d3ba9

            SHA256

            b0e22f1db86c4afceb6c86f7a9fb8ffbeedb1e790f76cef9765592483e6360d1

            SHA512

            186846ed80d00ba6b4e20b4391055b0e24392e43ded863b1305ba7a9bd72e8d7ce538a1a1699b4a6d711e070a2226a1c2d97a881a317b87afc9653365dd4cb69

            Download Submit
          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\e3cd264a-e4b1-4408-9d97-e54a5bc1be06.down_data
            Filesize

            457KB

            MD5

            3daa691a0971e7a4b6c2f2807fb22a9c

            SHA1

            60f00370e50a9e9d648b5d2dc8d9fa8e7a554049

            SHA256

            10f3aeee4aa8e7cc98d1d0d2ab3763f53e38bb0856851c3b2cc86845d871d298

            SHA512

            1dc0723fa0aacff5aace89556ff4b1dc7eea044c61954814afaf5dfc8dea7de603a99c877003b54f9e89c519ea54f85e3d5fa94513d49a29ccbc809c24e63b1e

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\MDzTJO.exe
            Filesize

            8KB

            MD5

            27f21ce7e4e96e0e3f7642acbc7c000f

            SHA1

            a6a5774cff6cfc3c74d2c5a93fec751657c48e5a

            SHA256

            a70de8c5648bde459a0711f4770fc0b57d1ac10d784ebc1884b236394a07380c

            SHA512

            f4303b011787fc1aef56534da99efc9aefc492f369dcbf62e2db8f5dc3c6a0515d44f018587ca6dcc53121b2f2946744244009273b8f79af542ade38d21003a8

            Download Submit
          • C:\Windows\System32\Python-deamon.exe
            Filesize

            4.9MB

            MD5

            2213c24bf5f894162377e83435bf6394

            SHA1

            34d35d4fefa2464c7a7adcf844a2055161283fcb

            SHA256

            920ddce9db19abbde837de204acf2c28abdc93525d50c74e686f2b64560dc6a2

            SHA512

            4fbccf72968372841668a4860ac5201138458c98eaf6dd034e435ae0741dba143cc5d5241cf19c1aee18ac425eb25ad3f9dd04452bc302b27f825313785fd554

            Download Submit
          • C:\Windows\System32\WindowsUpdate.exe
            Filesize

            5.4MB

            MD5

            1ce931c7db9f11fe942e34857e16100e

            SHA1

            18aa4aa3d4f4653ca3c8fb706b004f911a5dd9de

            SHA256

            7fac868eff64e2fae4e1d2cc9ef2d30b6e865e91f48782d5400f7f1376aeb543

            SHA512

            44d99eb110efd3e636a8c74015277f13b24306e41965a67a1b970e7a07cb63343a7e6d1dc48308a6a115330e568ea5c7e50e2ec8897e639de2d322278fa67a9e

            Download Submit
          • \??\c:\windows\system32\config.json
            Filesize

            2KB

            MD5

            97190f32e9ebd6cfc56e63a7b558b4e5

            SHA1

            9085d5e432921cfee05603fc4cee635860494c78

            SHA256

            25e696edfadd0de5f13af4d3a7bd85a5cceac365d6d3ba96d1db4cdf3123ed2d

            SHA512

            d521d2efe74278b74bf04ef397ca33ed32afbd4b0d61442cfd4d57b4f940981472634eba8c32dffc996dbc79d47c2ab48ae53d0fca0f786cc2bd1329a5566617

            Download Submit
          • memory/792-145-0x000001BD33E00000-0x000001BD34000000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/792-119-0x0000000000920000-0x0000000000952000-memory.dmp
            Filesize

            200KB

            Download
          • memory/792-272-0x000001BD33E00000-0x000001BD34000000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/792-271-0x000001BD33E00000-0x000001BD34000000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/792-131-0x000001BD33E00000-0x000001BD34000000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/1564-110-0x0000000002520000-0x0000000002620000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/1564-36-0x00000000009C0000-0x00000000009E5000-memory.dmp
            Filesize

            148KB

            Download
          • memory/1564-67-0x0000000000910000-0x0000000000941000-memory.dmp
            Filesize

            196KB

            Download
          • memory/1564-20-0x0000000002520000-0x0000000002620000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/1564-1-0x00000000006C0000-0x00000000006EC000-memory.dmp
            Filesize

            176KB

            Download
          • memory/1564-2-0x0000000000910000-0x0000000000941000-memory.dmp
            Filesize

            196KB

            Download
          • memory/1564-15-0x0000000000950000-0x00000000009B3000-memory.dmp
            Filesize

            396KB

            Download
          • memory/1564-111-0x00000000001E0000-0x00000000001E1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1564-42-0x0000000000910000-0x0000000000941000-memory.dmp
            Filesize

            196KB

            Download
          • memory/1564-41-0x0000000002520000-0x0000000002620000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/1564-0-0x0000000000670000-0x0000000000671000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1564-8-0x0000000000910000-0x0000000000941000-memory.dmp
            Filesize

            196KB

            Download
          • memory/1564-7-0x0000000000910000-0x0000000000941000-memory.dmp
            Filesize

            196KB

            Download
          • memory/1564-62-0x0000000000910000-0x0000000000941000-memory.dmp
            Filesize

            196KB

            Download
          • memory/1564-21-0x0000000000910000-0x0000000000941000-memory.dmp
            Filesize

            196KB

            Download
          • memory/1564-6-0x00000000006C0000-0x00000000006EC000-memory.dmp
            Filesize

            176KB

            Download
          • memory/2072-87-0x0000000001800000-0x0000000001C00000-memory.dmp
            Filesize

            4.0MB

            Download
          • memory/2072-75-0x00000000003F0000-0x00000000003F1000-memory.dmp
            Filesize

            4KB

            Download