Malware Analysis Report

2024-09-23 03:56

Sample ID 240601-awzr3aca57
Target 2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence
SHA256 328cd97394fc1bdd4f7ff410d4617313fa86f7378fe8c31c9dc1b2ef7fa4ad75
Tags
metasploit backdoor bootkit persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

328cd97394fc1bdd4f7ff410d4617313fa86f7378fe8c31c9dc1b2ef7fa4ad75

Threat Level: Known bad

The file 2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence was found to be: Known bad.

Analyst note: both detonations show the same chain. The sample drops a second executable into AppData\Roaming\{GUID}\ under a name that mimics a Windows binary (netbtugc.exe on Windows 7, ReAgentc.exe on Windows 10; the genuine ReAgentc.exe lives in System32), runs it, and that dropped process opens \??\PhysicalDrive0 for modification and enables SeShutdownPrivilege, which is consistent with overwriting the MBR and then forcing a reboot into the planted boot code. The dropped file has a different name and different MD5/SHA1/SHA256/SHA512 values in each run, so hashes of the second stage are not reliable indicators; the path pattern, the raw write to PhysicalDrive0 and the SeShutdownPrivilege adjustment are. Max time kernel is 4s in both runs, so the report captures little beyond the drop-and-write stage.

Malicious Activity Summary

metasploit backdoor bootkit persistence trojan

Auto-generated rule

MetaSploit

Detects Reflective DLL injection artifacts

Auto-generated rule

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-01 00:34

Signatures

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 00:34

Reported

2024-06-01 00:37

Platform

win7-20240215-en

Max time kernel

4s

Max time network

1s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects Reflective DLL injection artifacts

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\{3342960a-2a90-41e5-9922-7913fee46717}\netbtugc.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Roaming\{3342960a-2a90-41e5-9922-7913fee46717}\netbtugc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\{3342960a-2a90-41e5-9922-7913fee46717}\netbtugc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe"

C:\Users\Admin\AppData\Roaming\{3342960a-2a90-41e5-9922-7913fee46717}\netbtugc.exe

"C:\Users\Admin\AppData\Roaming\{3342960a-2a90-41e5-9922-7913fee46717}\netbtugc.exe"

Network

N/A

Files

memory/2328-1-0x0000000000250000-0x000000000026A000-memory.dmp

memory/2328-0-0x0000000000230000-0x0000000000246000-memory.dmp

\Users\Admin\AppData\Roaming\{3342960a-2a90-41e5-9922-7913fee46717}\netbtugc.exe

MD5 73a3209d8cbc944b590a6f8a214fffd4
SHA1 e58cd1d36cda61c366bfd05b09e0909e3d67d36d
SHA256 dcf7cff709faf0b70220ac1790b3896d3a5db33e73c72b6af114542f5d651244
SHA512 bcf8fdb15e683adad9de447c4e2c27dd291a4e737a955c0de4dd6d7fb1b4aa1da2084ebdf1dc6425978b8541845c06472fbeef82a6708ec3d6e1c4f4a8bf91d5

memory/2328-12-0x0000000000250000-0x000000000026A000-memory.dmp

memory/1032-13-0x00000000002E0000-0x00000000002FA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 00:34

Reported

2024-06-01 00:34

Platform

win10v2004-20240508-en

Max time kernel

4s

Max time network

7s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Auto-generated rule

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects Reflective DLL injection artifacts

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\{ca358d1e-f165-4a4d-b740-6b58e7e24e02}\ReAgentc.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Roaming\{ca358d1e-f165-4a4d-b740-6b58e7e24e02}\ReAgentc.exe | N/A
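The "File opened for modification \??\PhysicalDrive0" rows in both detonations are the raw-disk write that makes this a bootkit. A responder's first question on a suspect host is whether sector 0 still matches a known-good copy. The following is an added example written for this report, not code from the sandbox vendor or from the sample; it parses a classic 512-byte MBR, hashes the boot code separately from the partition table, and diffs a current sector against a baseline. The two sectors it runs on (BASELINE, TAMPERED) are constructed stand-ins, and read_sector0() is the only part that touches a real disk (Windows, administrator required, not called by default).

```python
"""
MBR integrity check: parse sector 0 and diff it against a known-good copy.
Added example for this report, not code from the sandbox or from the sample.
Assumes a classic 512-byte MBR: boot code at 0-439, 4-byte disk signature at
440, 4 x 16-byte partition entries at 446, 0x55AA at 510. GPT disks keep a
protective MBR with the same layout, so the boot-code check applies to them too.
"""
import hashlib
import struct

SECTOR = 512
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
BOOT_SIG_OFF = 510


def parse_mbr(sector: bytes) -> dict:
    """Split one sector into the fields a bootkit can touch."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    boot_code = sector[:DISK_SIG_OFF]
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    parts = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": disk_sig,
        "partitions": parts,
        "valid_signature": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
    }


def check_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings; an empty list means sector 0 matches the baseline."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["valid_signature"]:
        findings.append("boot signature 0x55AA missing: sector 0 is no longer a valid MBR")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code (bytes 0-439) differs from baseline: possible bootkit")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    # Live read on Windows (needs administrator). The Win32 name \\.\PhysicalDrive0
    # is the same object as the \??\PhysicalDrive0 the dropped EXE opened for write.
    with open(device, "rb") as f:
        return f.read(SECTOR)


def _build_mbr(boot_code: bytes, disk_sig: int = 0x1234ABCD) -> bytes:
    """Constructed test sector: given boot code plus one bootable NTFS partition."""
    code = boot_code.ljust(DISK_SIG_OFF, b"\x00")[:DISK_SIG_OFF]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48
    return code + struct.pack("<IH", disk_sig, 0) + table + b"\x55\xAA"


# Constructed stand-ins: a "known good" sector and one whose boot code was replaced
BASELINE = _build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C\x8E\xC0\x8E\xD8")
TAMPERED = _build_mbr(b"\xEB\x3C\x90BOOTKIT")

if __name__ == "__main__":
    for line in check_mbr(BASELINE, TAMPERED):
        print(line)
```

In practice the baseline is a copy of sector 0 taken at build time (or from a clean image of the same Windows release), and the boot-code hash is the field that matters: a bootkit that wants the machine to still boot leaves the partition table and disk signature intact, so a whole-sector hash and a boot-code hash give the same answer, but the separate fields tell you what was changed.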

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\{ca358d1e-f165-4a4d-b740-6b58e7e24e02}\ReAgentc.exe | N/A
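The three signatures above (dropped EXE executed from AppData\Roaming\{GUID}\, PhysicalDrive0 opened for write by that process, SeShutdownPrivilege enabled) are individually noisy but together describe the behaviour of both detonations. The following added example, written for this report and not taken from the sandbox vendor or the sample, groups per-process events and alerts on that combination. The event records are constructed to mirror the report's signature rows for the Windows 7 run (the pids are the ones in the memory dump names) plus benign noise that must not alert; their field names are an assumed schema, not any real telemetry format.

```python
"""
Detection over the chain the two detonations show: an EXE run from
AppData\\Roaming\\{GUID}\\, a write-open of \\??\\PhysicalDrive0 by that process,
and SeShutdownPrivilege being enabled. Added example for this report, not code
from the sandbox vendor or the sample. Event records are constructed and the
field names (type, pid, image, path, access, privilege) are assumptions.
"""
import re
from collections import defaultdict

# Roaming\{8-4-4-4-12 GUID}\<name>.exe, the drop location seen in both runs
GUID_DROP_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\"
    r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\[^\\]+\.exe$", re.I)
# NT object name (\??\PhysicalDrive0) or Win32 name (\\.\PhysicalDrive0)
RAW_DISK_RE = re.compile(r"^(\\\?\?\\|\\\\\.\\)physicaldrive\d+$", re.I)


def is_guid_appdata_drop(path: str) -> bool:
    return bool(GUID_DROP_RE.match(path))


def is_raw_disk_device(path: str) -> bool:
    return bool(RAW_DISK_RE.match(path))


def analyse(events: list) -> list:
    """Group events by pid; return alerts (high first) with the reasons that fired."""
    procs = defaultdict(lambda: {"image": None, "reasons": [],
                                 "raw_write": False, "guid_drop": False})
    for ev in events:
        p = procs[ev["pid"]]
        if ev["type"] == "process_create":
            p["image"] = ev["image"]
            if is_guid_appdata_drop(ev["image"]):
                p["guid_drop"] = True
                p["reasons"].append("executable launched from AppData\\Roaming\\{GUID}\\")
        elif ev["type"] == "file_open":
            if is_raw_disk_device(ev["path"]) and "write" in ev["access"]:
                p["raw_write"] = True
                p["reasons"].append(f"opened {ev['path']} for write (MBR overwrite)")
        elif ev["type"] == "privilege_adjust" and ev["privilege"] == "SeShutdownPrivilege":
            p["reasons"].append("enabled SeShutdownPrivilege (can force a reboot)")
    alerts = []
    for pid, p in procs.items():
        if p["raw_write"]:
            sev = "high"            # user-land write to sector 0 is never routine
        elif p["guid_drop"]:
            sev = "medium"          # drop location alone; wait for the disk write
        else:
            continue                # SeShutdownPrivilege by itself is not an alert
        alerts.append({"pid": pid, "image": p["image"], "severity": sev,
                       "reasons": p["reasons"]})
    return sorted(alerts, key=lambda a: a["severity"] != "high")


# Constructed events modelled on the behavioral1 rows, plus benign noise
EVENTS = [
    {"type": "process_create", "pid": 2328,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe"},
    {"type": "process_create", "pid": 1032,
     "image": r"C:\Users\Admin\AppData\Roaming\{3342960a-2a90-41e5-9922-7913fee46717}\netbtugc.exe"},
    {"type": "file_open", "pid": 1032, "path": r"\??\PhysicalDrive0", "access": "write"},
    {"type": "privilege_adjust", "pid": 1032, "privilege": "SeShutdownPrivilege"},
    # the real ReAgentc.exe: same name as the Win10 drop, legitimate location
    {"type": "process_create", "pid": 500, "image": r"C:\Windows\System32\ReAgentc.exe"},
    # shutdown.exe legitimately takes SeShutdownPrivilege, no disk write
    {"type": "process_create", "pid": 600, "image": r"C:\Windows\System32\shutdown.exe"},
    {"type": "privilege_adjust", "pid": 600, "privilege": "SeShutdownPrivilege"},
    # read-only raw access (inventory tools do this) is not an MBR write
    {"type": "file_open", "pid": 700, "path": r"\\.\PhysicalDrive0", "access": "read"},
]

if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(alert["severity"], alert["pid"], alert["image"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

The path check deliberately ignores the file name: the Windows 10 run dropped a binary called ReAgentc.exe, which is a real System32 tool, so a name-based allow-list would have passed it. Whatever telemetry feeds this (sandbox rows, EDR process and file events), the mapping of its fields onto the assumed schema above is the part to adapt.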

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe"

C:\Users\Admin\AppData\Roaming\{ca358d1e-f165-4a4d-b740-6b58e7e24e02}\ReAgentc.exe

"C:\Users\Admin\AppData\Roaming\{ca358d1e-f165-4a4d-b740-6b58e7e24e02}\ReAgentc.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp

The table does not attribute any of these connections to a process. Reverse (PTR) lookups to 8.8.8.8 and a TLS connection to www.bing.com are the kind of background traffic a Windows 10 sandbox image generates on its own, and the Windows 7 run (behavioral1) produced no network activity at all, so nothing here should be treated as command-and-control infrastructure for this sample.

Files

memory/4936-1-0x0000000000A30000-0x0000000000A4A000-memory.dmp

memory/4936-0-0x0000000000A10000-0x0000000000A26000-memory.dmp

C:\Users\Admin\AppData\Roaming\{ca358d1e-f165-4a4d-b740-6b58e7e24e02}\ReAgentc.exe

MD5 296dfd96df11ccece142a4ec5e4990db
SHA1 276d7041ddd61d86fa9129db880f9c850198519c
SHA256 dcf957d521b3d845fa7df58d6109bcd6c262a13fad982712a423681cdba2320c
SHA512 f90090e1571574398be2a32e72ae0bb421cb5428c6ae0264cf0ace721d4735b12a186e79d03f0e79c77091cf036794938fcff46e14d1b57eee2ca604933341d6

memory/2236-11-0x00000000004D0000-0x00000000004EA000-memory.dmp