Overview

overview

10

Static

static

10

20b3f9f500...56.msi

windows7-x64

10

20b3f9f500...56.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    31-05-2024 10:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20b3f9f50049e2025cab5a3d230bcb9e72498c02ec3c8d4160092b1c8f308356.msi

  • Size

    156KB

  • MD5

    0372fb862dc13979b09b5505ca32e6e3

  • SHA1

    25cfbfefb6d8dfaf42870bc970ae2c834da44a8c

  • SHA256

    20b3f9f50049e2025cab5a3d230bcb9e72498c02ec3c8d4160092b1c8f308356

  • SHA512

    8eecd57b5df14c261ca7f38c7428f03ade00e427274bce1c76c8eed255364a0310aae86cf978a3a2871deb76445b3eb02e45ae8bee461eb20eb9470b0c1003e9

  • SSDEEP

    384:iHpe4ZvJXK7gzFM7Wu8wxukoXgZs+5BCq26yy3M5BCqPN:Zmxa7gBMyuZDCUyWMDC

Score
10/10
metasploitbackdoortrojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

1.14.247.162:40001

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\20b3f9f50049e2025cab5a3d230bcb9e72498c02ec3c8d4160092b1c8f308356.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2140
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1CA0F518032ED0855132C0A4B2CF20C0
      2⤵
        PID:624
      • C:\Windows\Installer\MSI3738.tmp
        "C:\Windows\Installer\MSI3738.tmp"
        2⤵
        • Executes dropped EXE
        PID:832
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2960
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A0" "0000000000000590"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2596

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Windows\Installer\MSI3738.tmp
      Filesize

      124KB

      MD5

      2dc392ce36491523764af744421ee210

      SHA1

      35fc5c27f6ca384810a059238f33044172cc14ce

      SHA256

      4132c01b4a1b027c4fe418d786c6a9db7ac8f1fe4b7c905e05db577a7c651778

      SHA512

      7061bb881eafc0e2f67ce30ecaa3ee31c17f69d57006c7a8a5daf1e383c61a8316fab3d75e33dda1d30949e6120a30f6b74847e85a8ae4bf001fd8b55054cc00

      Download Submit
    • memory/832-15-0x0000000140000000-0x0000000140004278-memory.dmp
      Filesize

      16KB

      Download
    • memory/2948-9-0x0000000140000000-0x0000000140005000-memory.dmp
      Filesize

      20KB

      Download
    • memory/2948-29-0x0000000140000000-0x0000000140005000-memory.dmp
      Filesize

      20KB

      Download