Overview

overview

10

Static

static

10

1b67889924...48.msi

windows7-x64

10

1b67889924...48.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    31-05-2024 01:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b678899247d6239f5c03b9f017b6808524d3a5e9320e31f78a355017323db48.msi

  • Size

    156KB

  • MD5

    ea86d9f4827f1b24baf14d0a62111c81

  • SHA1

    dfbe48a8b76917ff03cf74d0519dda2c1ab76dfb

  • SHA256

    1b678899247d6239f5c03b9f017b6808524d3a5e9320e31f78a355017323db48

  • SHA512

    ab86da16e79c4d000ec736528f7e58e5973f2ff9654c1bcb0ba9ef7ef1d14ce3134f5d0f31a5803da93a6676c0c3f35dee0559fe66dda60f16e0098e56ca0d10

  • SSDEEP

    384:iHpe4ZvJXK7gzFM7WuMOxceoXgZs+5BCq26yy3M5BCqPN:Zmxa7gBMyuvDCUyWMDC

Score
10/10
metasploitbackdoortrojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

1.14.247.162:40001

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1b678899247d6239f5c03b9f017b6808524d3a5e9320e31f78a355017323db48.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3012
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding ADAA38F5F84EF3DFBA71815924535ED7
      2⤵
        PID:396
      • C:\Windows\Installer\MSI3371.tmp
        "C:\Windows\Installer\MSI3371.tmp"
        2⤵
        • Executes dropped EXE
        PID:2112
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2336
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002C8" "000000000000059C"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2396

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Windows\Installer\MSI3371.tmp
      Filesize

      124KB

      MD5

      32bca63e32bfa7abf23e77edd30478d6

      SHA1

      57beba1d54428d559fd3ed8d258a691990cd0245

      SHA256

      c6b4471618c370d9216fc3632dc258ad460471e2385ded2f2929133e9b1e67ab

      SHA512

      3a0f987a78316728da4ee30ea307919a2b73c9b85c0cbe24e179f4c6bb6255d89fc056f1d3f9f56bd6ff6ad40e22521fc581f08630a8759bed9cc3892c81b553

      Download Submit
    • memory/2112-16-0x0000000140000000-0x00000001400042A0-memory.dmp
      Filesize

      16KB

      Download
    • memory/2780-15-0x0000000140000000-0x0000000140005000-memory.dmp
      Filesize

      20KB

      Download
    • memory/2780-14-0x0000000140000000-0x0000000140005000-memory.dmp
      Filesize

      20KB

      Download