Overview

overview

10

Static

static

10

reverse_tcp.msi

windows7-x64

10

reverse_tcp.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-05-2024 04:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    reverse_tcp.msi

  • Size

    156KB

  • MD5

    0372fb862dc13979b09b5505ca32e6e3

  • SHA1

    25cfbfefb6d8dfaf42870bc970ae2c834da44a8c

  • SHA256

    20b3f9f50049e2025cab5a3d230bcb9e72498c02ec3c8d4160092b1c8f308356

  • SHA512

    8eecd57b5df14c261ca7f38c7428f03ade00e427274bce1c76c8eed255364a0310aae86cf978a3a2871deb76445b3eb02e45ae8bee461eb20eb9470b0c1003e9

  • SSDEEP

    384:iHpe4ZvJXK7gzFM7Wu8wxukoXgZs+5BCq26yy3M5BCqPN:Zmxa7gBMyuZDCUyWMDC

Score
10/10
metasploitbackdoortrojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

1.14.247.162:40001

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\reverse_tcp.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1484
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1164
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 8B56ED9BD5E5D9C851FCEE732DD266D3
      2⤵
        PID:676
      • C:\Windows\Installer\MSI8907.tmp
        "C:\Windows\Installer\MSI8907.tmp"
        2⤵
        • Executes dropped EXE
        PID:3632
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4740

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Installer\MSI8907.tmp
      Filesize

      124KB

      MD5

      2dc392ce36491523764af744421ee210

      SHA1

      35fc5c27f6ca384810a059238f33044172cc14ce

      SHA256

      4132c01b4a1b027c4fe418d786c6a9db7ac8f1fe4b7c905e05db577a7c651778

      SHA512

      7061bb881eafc0e2f67ce30ecaa3ee31c17f69d57006c7a8a5daf1e383c61a8316fab3d75e33dda1d30949e6120a30f6b74847e85a8ae4bf001fd8b55054cc00

      Download Submit
    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.7MB

      MD5

      70231927785fbdc31278b209ab78fa6f

      SHA1

      0823f9f1d13ed778310b9b112f35311a0a416131

      SHA256

      170cf04a9ae74195c89a71fe78d10af438fe11f9e40e6a625ddda1ca95e6bbd4

      SHA512

      5bf85b648335bed1c7a9be2b87a0c2cd60e0712cb5464dad4511816e8a754f9b917a8dc20cb36b304ae979378e53f748681c2d58b520f66732abf340b468b693

      Download Submit
    • \??\Volume{5110105b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5443e4bb-5daa-4a30-9fd1-c722b64beb93}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      0b90e7996504dd14ef475e529ce56a71

      SHA1

      19bfb57ab598be8f05d0ab9c9cf1f39c49d5d02c

      SHA256

      16ba25bcc882a6723380ef4b9fed50dbb5187e5049dcc9e64d67f05d2497adc6

      SHA512

      7c4cce995d60e7034afdd9746f24a8125a0cdbe716dd805e0543cd276982e334ca47b515185de339d23f9b3a38524b547f3819d50d7f6acb8fd1218f804bc4b8

      Download Submit
    • memory/3632-12-0x0000000140000000-0x0000000140004278-memory.dmp
      Filesize

      16KB

      Download