Malware Analysis Report

2024-09-23 03:47

Sample ID 240528-y3vzfsbh39
Target 86539cdc564a2cf1a1132b3b8c15f3d68d77b56f4812c7d558ce97a396689042
SHA256 86539cdc564a2cf1a1132b3b8c15f3d68d77b56f4812c7d558ce97a396689042
Tags
metasploit backdoor trojan vmprotect
score
10/10

Analysis Overview

score
10/10

SHA256

86539cdc564a2cf1a1132b3b8c15f3d68d77b56f4812c7d558ce97a396689042

Threat Level: Known bad

The file 86539cdc564a2cf1a1132b3b8c15f3d68d77b56f4812c7d558ce97a396689042 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor trojan vmprotect

MetaSploit

Loads dropped DLL

Executes dropped EXE

VMProtect packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-28 20:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 20:19

Reported

2024-05-28 20:21

Platform

win7-20240221-en

Max time kernel

141s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86539cdc564a2cf1a1132b3b8c15f3d68d77b56f4812c7d558ce97a396689042.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.dat N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.dat N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin.dat N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.dat N/A

Processes

C:\Users\Admin\AppData\Local\Temp\86539cdc564a2cf1a1132b3b8c15f3d68d77b56f4812c7d558ce97a396689042.exe

"C:\Users\Admin\AppData\Local\Temp\86539cdc564a2cf1a1132b3b8c15f3d68d77b56f4812c7d558ce97a396689042.exe"

C:\Users\Admin\AppData\Local\Temp\bin.dat

C:\Users\Admin\AppData\Local\Temp\bin.dat

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\bin.dat

MD5 a6366c20dc8c1bf42c67f7a657bd2afb
SHA1 f89c15bfc06be01c9d640b5822a44003a9a68880
SHA256 5db89139ed94737f4fec7a23d9826794f1e4d70bbcb3c0db55ae1ed6712bef26
SHA512 003ed0a31c60b2778f6b7bb254daf42181f23d8667a2cd6944a70fa906908a23daba2171df67dec7c6fd2bfce811f339231e04b3082f1ab3dbf564e76fbc4687

C:\Users\Admin\AppData\Local\Temp\key.ini

MD5 d3d152d4ec094c1e55aaa1647acb6e54
SHA1 85a4e9316091bdd549ae32efe2aea506a641dec6
SHA256 a7e0169b34770707c106ed54e842a453f7501bcab877b544a238184b18aa0f07
SHA512 7a5cbea3819914cc17ce1e8d8432032536014d85ce4317214da4a78c36205adae6a64ae645341bc9bf69a3f63818d6b197fca15744cbf35292c207eaa561830a

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-28 20:19

Reported

2024-05-28 20:21

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86539cdc564a2cf1a1132b3b8c15f3d68d77b56f4812c7d558ce97a396689042.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.dat N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.dat N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin.dat N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.dat N/A

Processes

C:\Users\Admin\AppData\Local\Temp\86539cdc564a2cf1a1132b3b8c15f3d68d77b56f4812c7d558ce97a396689042.exe

"C:\Users\Admin\AppData\Local\Temp\86539cdc564a2cf1a1132b3b8c15f3d68d77b56f4812c7d558ce97a396689042.exe"

C:\Users\Admin\AppData\Local\Temp\bin.dat

C:\Users\Admin\AppData\Local\Temp\bin.dat

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\bin.dat

MD5 a6366c20dc8c1bf42c67f7a657bd2afb
SHA1 f89c15bfc06be01c9d640b5822a44003a9a68880
SHA256 5db89139ed94737f4fec7a23d9826794f1e4d70bbcb3c0db55ae1ed6712bef26
SHA512 003ed0a31c60b2778f6b7bb254daf42181f23d8667a2cd6944a70fa906908a23daba2171df67dec7c6fd2bfce811f339231e04b3082f1ab3dbf564e76fbc4687

C:\Users\Admin\AppData\Local\Temp\key.ini

MD5 d3d152d4ec094c1e55aaa1647acb6e54
SHA1 85a4e9316091bdd549ae32efe2aea506a641dec6
SHA256 a7e0169b34770707c106ed54e842a453f7501bcab877b544a238184b18aa0f07
SHA512 7a5cbea3819914cc17ce1e8d8432032536014d85ce4317214da4a78c36205adae6a64ae645341bc9bf69a3f63818d6b197fca15744cbf35292c207eaa561830a
