Overview

overview

10

Static

static

10

dolphin.exe

windows7-x64

10

dolphin.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    20-05-2024 11:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dolphin.exe

  • Size

    49KB

  • MD5

    a8d122b4f018d69a87bfefac354dadec

  • SHA1

    ca065d08ed255fb72e3dc3f2ae76ad3d9a436875

  • SHA256

    8e0029263ffa6d3b6b2c4c762ce1d2cfd6042501e8e4cddf91aa2020dce15605

  • SHA512

    39732c7af6027b4de628c2f6ed6635c720e2a046d5b465759a43934723cd872b577cfb4d3d3d2489ff94d1a49441b14f7fda5500e0e3e7073450f16d1aa82e1c

  • SSDEEP

    768:jxEOjnLj98hUO47oKHLAPP3lLuzZPKq+kXKZHlm3o7L:znLWKd7bHkPP3lLuBZ+AKZFm3oP

Score
10/10
metasploitbackdoorpersistencetrojan

Malware Config

Extracted

Family

metasploit

Version

windows/exec

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dolphin.exe
    "C:\Users\Admin\AppData\Local\Temp\dolphin.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net localgroup administrators
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\SysWOW64\net.exe
        net localgroup administrators
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2216
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 localgroup administrators
          4⤵
            PID:3040
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c systeminfo
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2064
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          3⤵
          • Gathers system information
          PID:3048
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c whoami
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2464
        • C:\Windows\SysWOW64\whoami.exe
          whoami
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3052
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c tasklist
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2620
      • C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -w 1 "reg.exe save HKLM\SAM bin"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2596
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" save HKLM\SAM bin
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2532

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Account Manipulation

    1
    T1098

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Process Discovery

    1
    T1057

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2316-6-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2820-0-0x00000000001C0000-0x00000000001C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2820-2-0x00000000001C0000-0x00000000001C1000-memory.dmp
      Filesize

      4KB

      Download