Analysis

  • max time kernel
    121s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-06-2024 10:33

General

  • Target

    e5a4b41df7461382fd0abb49ac6f18813a34171a7a70fc380c38228412dede22.exe

  • Size

    1.8MB

  • MD5

    ebb51d98f6dbaf566f7ebd183e45a71e

  • SHA1

    9fb60d3b6d75a887a63bfbd576e0939255af5614

  • SHA256

    e5a4b41df7461382fd0abb49ac6f18813a34171a7a70fc380c38228412dede22

  • SHA512

    bc2a3105e6714a7e2b845de4ba0a4917f3d319b7c86704c894486794a182287f633bce7d81f2051c7f697de9ee3636f4784ed32d12e6bc4c8ec4e06e299e7b49

  • SSDEEP

    24576:R3vL762VhZBJ905EmMyPnQxhe4j27l9BoUj3QC/hR:R3P6UZTHXW

Malware Config

Extracted

  • Family
    metasploit
  • Version
    windows/shell_reverse_tcp
  • C2
    1.15.12.73:4567

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5a4b41df7461382fd0abb49ac6f18813a34171a7a70fc380c38228412dede22.exe
    "C:\Users\Admin\AppData\Local\Temp\e5a4b41df7461382fd0abb49ac6f18813a34171a7a70fc380c38228412dede22.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\AppData\Local\Temp\e5a4b41df7461382fd0abb49ac6f18813a34171a7a70fc380c38228412dede22.exe
      "C:\Users\Admin\AppData\Local\Temp\e5a4b41df7461382fd0abb49ac6f18813a34171a7a70fc380c38228412dede22.exe" Admin
      2⤵
      • Drops file in Drivers directory
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.178stu.com/my.htm
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2564
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2620

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion
    • Modify Registry (1) T1112
  • Credential Access
    • Unsecured Credentials (1) T1552
    • Credentials In Files (1) T1552.001
  • Discovery
    • Query Registry (2) T1012
    • Peripheral Device Discovery (1) T1120
    • System Information Discovery (2) T1082
  • Collection
    • Data from Local System (1) T1005

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    375c6271fd3ed6fe52a64f380ecd249c

    SHA1

    198194a22b7db3ca700f8c29dbfd122c8c5d2670

    SHA256

    3eb04c3d1525e312020c0459dd26bd64673036b49c7901bda3b90fcbf28249d9

    SHA512

    083fb49b6522907b779c0e39972791faf955c5f0b84fa584d869385dde1a831711800aa451e0514a8f4f019b21d7c30c39cb9b44bdac4a2e48b61d57aaaa726c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    7b25b05d8167458fb9296f3b5da359fb

    SHA1

    d869ecdf17660796c53f36b64c2cf6f74a653608

    SHA256

    5054362f490ec18b8661b059ba6d6f83f7c3fb713d84ad179fcbeb4ce4804181

    SHA512

    286013b65863f6037aac29ca628c77ca7fdbe52ac4423ce187afc6fa907dffb7a3471cd4c0a7069648b5d14c547c7e4b93d22313a3c2d9705867f5c90e5ea78f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    0aeb4951d41d848522e9a488be25ba57

    SHA1

    86e37b9d04654a0c1e8a600c202dfca18908f626

    SHA256

    d994c2d87e988eb7cf89890be4c4c9bc438513ebead0c4af92a71bb15af9bad5

    SHA512

    82d48b3b48bf45cd3cd0edcb6fe3eb290f9edc5c8532d56f8ec1f1498e3f3b232227874271ecdf11b8186bc3ac1383bf4bfc9d625c77c8c3c25e373b4cd25deb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9b5aa20eb6d046bbf76efe856dc119e3

    SHA1

    bc46fec67117642cdbc065661d8f3cd7cb3b5b18

    SHA256

    30568c97090119233987ee50dd97964e3ac788e43e21866fccc4188361634578

    SHA512

    4f706448bcadf026cb777da3f5fc7f493c8404a0e8870fe967eb9f17156de5ff46e90e5ff074a8487036f0d017a22ad4caa5c956b087003fb4a6cd0d0b3ee883

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    2d0e3aa2d6211d225af87d8cc0a68e23

    SHA1

    08307bf1bac951b4c4d40bb08c59e9f937d3dbbf

    SHA256

    1faa567aca2bb729d00b8a82143ae1b099d8a42853d6ddd8fa978bbbda34a1aa

    SHA512

    5253cf5224fb2a42418f62dd0ce07d3889ba5b159936bfed2ceb8f1b581edae51bf9ce47c5495e69d7ee54019f522d019fa257e8bb8da991606f80f1059d434e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    bada9971b41f9ab69b0384f4cf40ad3e

    SHA1

    89d326d1bcb6fee509bea23166de98953917e406

    SHA256

    832cc14454eeda68e3509143f3ec77281a70b4a071ce46b16f1a9eed62d08dd7

    SHA512

    95419cb1431d5b938ea0fa4d164f46bcdbf4c47b1199baee24183f5b61629bb7d74571f8732ac1886a61c4031b8a43ea0efd9b3c8e5c4767c179e15afbf18e5d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1a5092766a920e6eaac406406b7a602b

    SHA1

    513d93dad91ce30a62735f2660d1c00df6dae1c0

    SHA256

    eaba3ed51dd9e044ded01ce9a8832a796624c5587b0c2cd490148770241e6f7c

    SHA512

    85bd10d16a039e35e6370423a4af55f0118c71722e174558f47b8932b4ff885b8aa5f64d5f55099ddb09f3fce47b347f9c7294ea384f76f1a0b40a1dd9424bee

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f6f2bcda0e5865d572eb7cd9db5f2486

    SHA1

    505600af0122a869fd3184fb2ad76f8a4861c083

    SHA256

    c1421cf5beb5bb93a4aa56583a42893384be8e4b351f5afae77634712a6b15b9

    SHA512

    7433154bd4051d30ad6a4bc97f658547800882b84d6a9e0ed2c91226d5d1b2312fc31bdc0f8c579e66b353222d02d660cf0da341394526daa99d33f8346a3922

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4133749a34cfe43f07441cff26de0a0d

    SHA1

    01eabd070bd042b995cc3f602ca11189bde4e9ae

    SHA256

    370aeae26a34214e5fa51259d1fe68eac11f836ffd9023f7c96b0e0569a04f9a

    SHA512

    95728c515549f8b571efb512d500bf111a5d62af5ed3a0829332d02c93007490ed4353bcd0624acf6c03887b5c3e10216d07971b53a735d1ad74780795cbe176

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9a35ee9306a17ca3d220092543e4cb0a

    SHA1

    5033672ded4957cf6836308437f790f3b8ba6677

    SHA256

    27d296239738f3704ec55df946be9066330af9991e303fb22c218f5e2795cbc3

    SHA512

    cc5fc519df7c2a65402a648d9d2cf60ebc7f56354085503bb7f1e74f4a6be9da7a9da96c6c8e1274fdaebfa2c891bf79a6aeae0cc5bad897c3e9cdc76844da63

  • C:\Users\Admin\AppData\Local\Temp\Cab31.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar1B0.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/1412-9-0x0000000000400000-0x00000000005E5000-memory.dmp
    Filesize

    1.9MB

  • memory/1412-6-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

  • memory/1412-11-0x0000000000400000-0x00000000005E5000-memory.dmp
    Filesize

    1.9MB

  • memory/2368-2-0x0000000000270000-0x0000000000271000-memory.dmp
    Filesize

    4KB

  • memory/2368-1-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize

    4KB

  • memory/2368-3-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize

    4KB

  • memory/2368-4-0x0000000000400000-0x00000000005E5000-memory.dmp
    Filesize

    1.9MB