Overview

overview

10

Static

static

10

ob.exe

windows7-x64

10

ob.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2024 12:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ob.exe

  • Size

    72KB

  • MD5

    a9cbb39c444099cc845042715642b3ae

  • SHA1

    172394be0eaebdd74a793d534d03fbd15ceebbb7

  • SHA256

    97e9d58c9203373d457756c312075cf6d529115df21b1ccb02e22d8808cd9b23

  • SHA512

    46c5cc4e604fa25267b721aa523b93a3b4169af497eb4dd8cb5a8495ecc44b028abd9948510d77b48ab01cb4e382f3b17699f1e9b8f8a992c4038f737948f894

  • SSDEEP

    1536:IU/VhJ9ojsHHRRL8Aoy07H7vpd87bpvOPbhMb+KR0Nc8QsJq39:t/7J9ojybL8ATUs7Qzhe0Nc8QsC9

Score
10/10
metasploitbackdoorexecutionpersistencetrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

146.190.15.117:60170

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Blocklisted process makes network request 1 IoCs
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ob.exe
    "C:\Users\Admin\AppData\Local\Temp\ob.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c sc query TextService | findstr /I /C:"SERVICE_NAME: TextService" && exit 0 || (echo "Service does not exist, proceeding..." && sc create TextService binPath= "C:\windows\system32\sms_service.exe" start= auto && sc start TextService)
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\SysWOW64\sc.exe
        sc query TextService
        3⤵
        • Launches sc.exe
        PID:2592
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I /C:"SERVICE_NAME: TextService"
        3⤵
          PID:1048
        • C:\Windows\SysWOW64\sc.exe
          sc create TextService binPath= "C:\windows\system32\sms_service.exe" start= auto
          3⤵
          • Launches sc.exe
          PID:988
        • C:\Windows\SysWOW64\sc.exe
          sc start TextService
          3⤵
          • Launches sc.exe
          PID:2148
    • C:\Windows\SysWOW64\sms_service.exe
      C:\Windows\SysWOW64\sms_service.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe
        2⤵
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:1284
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c sc query TextService | findstr /I /C:"SERVICE_NAME: TextService" && exit 0 || (echo "Service does not exist, proceeding..." && sc create TextService binPath= "C:\windows\system32\sms_service.exe" start= auto && sc start TextService)
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3020
          • C:\Windows\SysWOW64\sc.exe
            sc query TextService
            4⤵
            • Launches sc.exe
            PID:2980
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I /C:"SERVICE_NAME: TextService"
            4⤵
              PID:2500

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\sms_service.exe
        Filesize

        15KB

        MD5

        a764d19701c5fc1d48083270e945743a

        SHA1

        d4af43b67757b89b9cf0c8ef11308b3d2ba56e43

        SHA256

        d364328da5e9db108ea3aaa5a87c1524386552aeae57778daa2789a2213ed359

        SHA512

        9b75e6a1375d136be6451cf62ef910508bfc24fc453074996bec70a7913ef5e8261c5c1c887fc1dd812ac9ee98c474942d9de28ee5cc0e66bf342b1a03915195

        Download Submit

      • \??\c:\windows\SysWOW64\sms_service.exe
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        Download Submit

      • memory/1284-70-0x0000000000230000-0x0000000000261000-memory.dmp

        Filesize

        196KB

        Download

      • memory/1284-128-0x0000000001280000-0x0000000001380000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1284-103-0x00000000005F0000-0x00000000006F0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1284-82-0x0000000001280000-0x0000000001380000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1284-129-0x00000000005F0000-0x00000000006F0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1284-69-0x0000000000200000-0x000000000022C000-memory.dmp

        Filesize

        176KB

        Download

      • memory/1284-64-0x0000000000230000-0x0000000000261000-memory.dmp

        Filesize

        196KB

        Download

      • memory/1284-68-0x0000000000230000-0x0000000000261000-memory.dmp

        Filesize

        196KB

        Download

      • memory/1284-63-0x0000000000090000-0x0000000000091000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1284-59-0x0000000000090000-0x0000000000091000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1284-60-0x0000000000090000-0x0000000000091000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2204-35-0x0000000002560000-0x0000000002585000-memory.dmp

        Filesize

        148KB

        Download

      • memory/2204-20-0x0000000000290000-0x00000000002C1000-memory.dmp

        Filesize

        196KB

        Download

      • memory/2204-2-0x0000000000290000-0x00000000002C1000-memory.dmp

        Filesize

        196KB

        Download

      • memory/2204-6-0x0000000000290000-0x00000000002C1000-memory.dmp

        Filesize

        196KB

        Download

      • memory/2204-56-0x0000000000290000-0x00000000002C1000-memory.dmp

        Filesize

        196KB

        Download

      • memory/2204-45-0x0000000000290000-0x00000000002C1000-memory.dmp

        Filesize

        196KB

        Download

      • memory/2204-41-0x0000000000290000-0x00000000002C1000-memory.dmp

        Filesize

        196KB

        Download

      • memory/2204-40-0x0000000002070000-0x0000000002170000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2204-0-0x0000000000020000-0x0000000000021000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2204-55-0x0000000000290000-0x00000000002C1000-memory.dmp

        Filesize

        196KB

        Download

      • memory/2204-15-0x0000000002170000-0x00000000021D3000-memory.dmp

        Filesize

        396KB

        Download

      • memory/2204-14-0x0000000002070000-0x0000000002170000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2204-7-0x0000000000290000-0x00000000002C1000-memory.dmp

        Filesize

        196KB

        Download

      • memory/2204-1-0x00000000001C0000-0x00000000001EC000-memory.dmp

        Filesize

        176KB

        Download

      • memory/2204-123-0x00000000001C0000-0x00000000001EC000-memory.dmp

        Filesize

        176KB

        Download

      • memory/2204-124-0x0000000002070000-0x0000000002170000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2204-125-0x0000000002070000-0x0000000002170000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2292-62-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/2292-58-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download