Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-05-2024 10:00

General

  • Target

    20b3f9f50049e2025cab5a3d230bcb9e72498c02ec3c8d4160092b1c8f308356.msi

  • Size

    156KB

  • MD5

    0372fb862dc13979b09b5505ca32e6e3

  • SHA1

    25cfbfefb6d8dfaf42870bc970ae2c834da44a8c

  • SHA256

    20b3f9f50049e2025cab5a3d230bcb9e72498c02ec3c8d4160092b1c8f308356

  • SHA512

    8eecd57b5df14c261ca7f38c7428f03ade00e427274bce1c76c8eed255364a0310aae86cf978a3a2871deb76445b3eb02e45ae8bee461eb20eb9470b0c1003e9

  • SSDEEP

    384:iHpe4ZvJXK7gzFM7Wu8wxukoXgZs+5BCq26yy3M5BCqPN:Zmxa7gBMyuZDCUyWMDC

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

1.14.247.162:40001

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\20b3f9f50049e2025cab5a3d230bcb9e72498c02ec3c8d4160092b1c8f308356.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4456
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:764
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 080D15F2D5A9A07D209BE56A0B47E76E
      2⤵
      PID:724
    • C:\Windows\Installer\MSI8185.tmp
      "C:\Windows\Installer\MSI8185.tmp"
      2⤵
      • Executes dropped EXE
      PID:4444
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:404

    Network

    MITRE ATT&CK Matrix (ATT&CK v13)

    Discovery
      • Query Registry (T1012): 2
      • Peripheral Device Discovery (T1120): 2
      • System Information Discovery (T1082): 2


    Downloads

    • C:\Windows\Installer\MSI8185.tmp
      Filesize

      124KB

      MD5

      2dc392ce36491523764af744421ee210

      SHA1

      35fc5c27f6ca384810a059238f33044172cc14ce

      SHA256

      4132c01b4a1b027c4fe418d786c6a9db7ac8f1fe4b7c905e05db577a7c651778

      SHA512

      7061bb881eafc0e2f67ce30ecaa3ee31c17f69d57006c7a8a5daf1e383c61a8316fab3d75e33dda1d30949e6120a30f6b74847e85a8ae4bf001fd8b55054cc00

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.7MB

      MD5

      0a789b4fe9b1e58a19887514d80cd978

      SHA1

      464200bee17387c250e5af8de0bf763bd14793ed

      SHA256

      de39c8d7f747273563e94b4cec0c3bf4a591a09635f26dd7833f3ff1c4b32a6b

      SHA512

      12e7a323fa9bf38990d6e1fe333efc51c528aef3ab60fc823e96649fb2ce5c9f464d173b8a8f86c5f4f9d6bd72f2905bcd137632f03ef310419b7a80e41b3a12

    • \??\Volume{8a2a71c9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{71827f8f-0dab-4553-8aac-ab4bd96c65a1}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      4989b7231dfd57626bae6c3b5e90f1f2

      SHA1

      c6d39e9295e09f6d69de1ba7b1f297ad1e9b7ee0

      SHA256

      0b5a5d15143113bd4f15a815a426bccac98a147fe74cb89d11d2c32c2913e8f1

      SHA512

      3fbe5b806889bd60e450c64b7e74215a1ab741dbb70cde62d154ceddd91a02bc0a78a1fdbea4264e170f5722ddda4f12545c36dda5ed3256cf2572d3e7e0fda6

    • memory/4444-12-0x0000000140000000-0x0000000140004278-memory.dmp
      Filesize

      16KB