Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/05/2024, 20:11

General

  • Target

    run2.vbs

  • Size

    261KB

  • MD5

    a706bd911f5e832cae1626739c28477a

  • SHA1

    db2a4e98c698ea8f89000d4a22746a0a5eeb37c0

  • SHA256

    d42989249e63da78fb0dd9fedca355f0a2006b2ab39e63ecfbebf5a2aca8d50d

  • SHA512

    99eef31b3e4f1f462240647be0717435f492e71bd1bf4ec355d284f9378b2a432a103812c5ad477f1efab52287df6baeeacf83cc48330cade3b9ad246c806539

  • SSDEEP

    6144:w3G3wiSHA2I+g5N91lSkuhNB/Lq3uqX883Wjq507OJsq8repl+JPUczCsJQf7UVk:w3G3wiSHAx+g5N91l7uX9Ly

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://NASDJKNASDJKNJKSDNL.COM:80/html/terces.php?/12345

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Executes dropped EXE (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run2.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      PID:2620

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe

    Filesize

    72KB

    MD5

    516ca9cd506502745e0bfdf2d51d285c

    SHA1

    88aa578264dcedc72da7276c63cc98ac200b8e86

    SHA256

    d4c09b1b430ef6448900924186d612b9638fc0e78d033697f1ebfb56570d1127

    SHA512

    bc24ab05d63da5e5041d9d2e6b79790d2b44fcffa60bc860064790a0e24cb399f32125f3626518c97e55e450325327f4027bdbe2939213340492faf94ba38f84

  • memory/2620-7-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB