Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    31-05-2024 01:05

General

  • Target
    1b678899247d6239f5c03b9f017b6808524d3a5e9320e31f78a355017323db48.msi
  • Size
    156KB
  • MD5
    ea86d9f4827f1b24baf14d0a62111c81
  • SHA1
    dfbe48a8b76917ff03cf74d0519dda2c1ab76dfb
  • SHA256
    1b678899247d6239f5c03b9f017b6808524d3a5e9320e31f78a355017323db48
  • SHA512
    ab86da16e79c4d000ec736528f7e58e5973f2ff9654c1bcb0ba9ef7ef1d14ce3134f5d0f31a5803da93a6676c0c3f35dee0559fe66dda60f16e0098e56ca0d10
  • SSDEEP
    384:iHpe4ZvJXK7gzFM7WuMOxceoXgZs+5BCq26yy3M5BCqPN:Zmxa7gBMyuvDCUyWMDC

Malware Config

Extracted

  • Family
    metasploit
  • Version
    metasploit_stager
  • C2
    1.14.247.162:40001
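
The C2 above is the value a Metasploit reverse_tcp stager hard-codes in its connect call. The following is an added example, not the sandbox's own config extractor, of how that value can be recovered from a dropped binary or a memory dump such as the memory/3660 image listed under Downloads: it scans a byte buffer for the two immediate-operand layouts msfvenom emits for reverse_tcp (x64: `mov r14, <sockaddr_in>`, bytes 49 BE 02 00 PORT IP; x86: `push <ip>` then `push <port, AF_INET>`, bytes 68 IP 68 02 00 PORT) and decodes the big-endian port and IPv4 address. The two sample buffers are constructed for this example to carry this report's C2; they are not bytes from the analysed sample, and `scan_file` is a helper name chosen here.

```python
import re
import socket
import struct

# Constructed test buffers (NOT bytes taken from the analysed sample): filler
# around the two msfvenom reverse_tcp operand layouts, both carrying this
# report's C2 1.14.247.162:40001 (port 40001 = 0x9C41, big-endian 9C 41).
SAMPLE_X64 = b"\x90" * 8 + b"\x49\xbe\x02\x00\x9c\x41\x01\x0e\xf7\xa2" + b"\x90" * 8
SAMPLE_X86 = b"\xcc" * 4 + b"\x68\x01\x0e\xf7\xa2\x68\x02\x00\x9c\x41" + b"\xcc" * 4

# x64 stager: mov r14, <sockaddr_in>  ->  49 BE | 02 00 (AF_INET) | port BE | ipv4
X64_PATTERN = re.compile(rb"\x49\xbe\x02\x00(?P<port>..)(?P<ip>....)", re.DOTALL)
# x86 stager: push <ipv4> ; push <AF_INET | port BE>  ->  68 ipv4 68 02 00 port
X86_PATTERN = re.compile(rb"\x68(?P<ip>....)\x68\x02\x00(?P<port>..)", re.DOTALL)


def extract_reverse_tcp_c2(buf):
    """Return [(arch, 'ip:port')] for every stager-shaped sockaddr_in found in buf."""
    found = []
    for arch, pattern in (("x64", X64_PATTERN), ("x86", X86_PATTERN)):
        for m in pattern.finditer(buf):
            port = struct.unpack(">H", m.group("port"))[0]
            if port == 0:  # AF_INET followed by port 0 is never a real stager target
                continue
            ip = socket.inet_ntoa(m.group("ip"))
            found.append((arch, f"{ip}:{port}"))
    return found


def scan_file(path):
    """Scan a dropped binary or memory dump (e.g. the memory/3660 dump under Downloads)."""
    with open(path, "rb") as fh:
        return extract_reverse_tcp_c2(fh.read())


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, scan_file(target))
    print("x64 sample:", extract_reverse_tcp_c2(SAMPLE_X64))
    print("x86 sample:", extract_reverse_tcp_c2(SAMPLE_X86))
```

Two caveats when using this on real input. The x86 layout is loose (any `push imm32; push 0x....0002` pair matches), so treat hits as candidates and confirm them against observed connections or the decoded stager. And if the payload was run through an msfvenom encoder, the sockaddr is not in the clear on disk; the pattern only appears in memory after the decoder stub has run, which is why a post-execution dump like the one under Downloads is the better input than the MSI itself.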

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 1 IoCs

    C:\Windows\Installer\MSI7149.tmp (PID 3660), the 124KB binary listed under Downloads. MSIxxxx.tmp under C:\Windows\Installer is where Windows Installer stages a binary custom action before running it from the msiexec.exe /V service process.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments. In this run the signature is attributed to vssvc.exe (PID 2696), the Volume Shadow Copy service that the installer's restore-point step (srtasks.exe ExecuteScopeRestorePoint in the process tree) relies on, not to the dropped payload, so by itself it is not evidence of evasion.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. Here its use is consistent with Windows Installer taking a system restore point before the install (srtasks.exe ExecuteScopeRestorePoint and vssvc.exe in the process tree); the two System Volume Information\SPP files listed under Downloads are that restore-point metadata, not payload drops.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1b678899247d6239f5c03b9f017b6808524d3a5e9320e31f78a355017323db48.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:5036
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4132
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1964
    • C:\Windows\Installer\MSI7149.tmp
      "C:\Windows\Installer\MSI7149.tmp"
      2⤵
      • Executes dropped EXE
      PID:3660
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 702FEE46A924C17B5BB0AC2494C9EC6E
      2⤵
        PID:3016
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
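
The tree above is the classic MSI custom-action chain: the /I client (PID 5036) hands the package to the Windows Installer service instance running as msiexec.exe /V (PID 4132), which stages the custom action as C:\Windows\Installer\MSI7149.tmp and executes it. The following is an added example, not part of the report, of detection logic that picks that chain out of process-creation events. The events are constructed to mirror the tree; the report does not give parent PIDs, so the three processes nested under PID 4132 are assumed to have it as parent and top-level processes get no parent, and the function names are chosen here.

```python
import ntpath
import re

# Windows Installer writes binary custom actions to C:\Windows\Installer\MSIxxxx.tmp
# and runs them from the msiexec.exe /V service instance.
INSTALLER_TMP = re.compile(r"^c:\\windows\\installer\\msi[0-9a-f]+\.tmp$", re.IGNORECASE)
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

# Constructed process-creation events mirroring the report's tree. ppid values
# are assumed (the report shows nesting, not parent PIDs): children nested under
# the /V instance get ppid 4132, top-level processes get None.
EVENTS = [
    {"pid": 5036, "ppid": None, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1b678899247d6239f5c03b9f017b6808524d3a5e9320e31f78a355017323db48.msi"},
    {"pid": 4132, "ppid": None, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 1964, "ppid": 4132, "image": r"C:\Windows\system32\srtasks.exe",
     "cmdline": r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"},
    {"pid": 3660, "ppid": 4132, "image": r"C:\Windows\Installer\MSI7149.tmp",
     "cmdline": r'"C:\Windows\Installer\MSI7149.tmp"'},
    {"pid": 3016, "ppid": 4132, "image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding 702FEE46A924C17B5BB0AC2494C9EC6E"},
    {"pid": 2696, "ppid": None, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
]


def find_custom_action_execs(events):
    """Return [(child_pid, parent_pid)] for MSIxxxx.tmp binaries spawned by msiexec.exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not INSTALLER_TMP.match(e["image"]):
            continue
        parent = by_pid.get(e["ppid"])
        if parent and ntpath.basename(parent["image"]).lower() == "msiexec.exe":
            hits.append((e["pid"], parent["pid"]))
    return hits


def find_user_temp_installs(events):
    """Return PIDs of msiexec.exe /I invocations whose package sits under a user's Temp folder."""
    pids = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "msiexec.exe":
            continue
        cmd = e["cmdline"]
        if re.search(r"(^|\s)/i\s", cmd, re.IGNORECASE) and USER_TEMP.search(cmd):
            pids.append(e["pid"])
    return pids


if __name__ == "__main__":
    for child, parent in find_custom_action_execs(EVENTS):
        print(f"custom action binary: pid {child} spawned by msiexec.exe pid {parent}")
    for pid in find_user_temp_installs(EVENTS):
        print(f"msiexec /I from user Temp: pid {pid}")
```

Both checks are triage signals rather than verdicts: benign installers also run MSIxxxx.tmp custom actions and are routinely launched from a user's Temp folder. What makes this run malicious is the combination with the extracted Metasploit stager config, so the dropped MSI7149.tmp (hashes under Downloads) is the artefact to pivot on, and msiexec.exe itself should not be blocked on this pattern alone.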

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery
    • Query Registry (T1012): 2 signatures
    • Peripheral Device Discovery (T1120): 2 signatures
    • System Information Discovery (T1082): 2 signatures


Downloads

  • C:\Windows\Installer\MSI7149.tmp
    Filesize: 124KB
    MD5: 32bca63e32bfa7abf23e77edd30478d6
    SHA1: 57beba1d54428d559fd3ed8d258a691990cd0245
    SHA256: c6b4471618c370d9216fc3632dc258ad460471e2385ded2f2929133e9b1e67ab
    SHA512: 3a0f987a78316728da4ee30ea307919a2b73c9b85c0cbe24e179f4c6bb6255d89fc056f1d3f9f56bd6ff6ad40e22521fc581f08630a8759bed9cc3892c81b553

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize: 23.7MB
    MD5: e2a1164c2804dd2c95351e49dec908e3
    SHA1: 6abf505e29bd554b3ed27952bb1991f18baa424f
    SHA256: 27590eb605afc2f94e6235ffa8ddf6578a18df55fd4c091cf039de3f725e8b82
    SHA512: 7264761ce61ad30c8a1ca7b5d00bcb3b5bd0af769aa1853383634162b5e7a61ede82dda3a5e93792482346b9170d1ff9e770a1716796922b9e18a0f86614f206

  • \??\Volume{8a2a71c9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2e8362ae-86a3-4c28-890f-f1a5d1170870}_OnDiskSnapshotProp
    Filesize: 6KB
    MD5: ff3a34c0c9d82e83765fe42b71955ac8
    SHA1: 992b3ac8ba9263dd470d06bf6ec45cbab8b59be3
    SHA256: 852f5cd3cd1fb682eb416f64145648a847552d862cf11670b7a1e65deb3c87b7
    SHA512: 00951943b84b3a296c3bec8f7da3006fd3821288802f1458f5992f8f00a62faf78be6e9090703d4b0c00ff6ad4bfab8172b2a20ced95acfe5d82515c0fbc54df

  • memory/3660-12-0x0000000140000000-0x00000001400042A0-memory.dmp
    Filesize: 16KB