Malware Analysis Report

2024-09-23 04:02

Sample ID 240616-y3vzfswcqh
Target eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5
SHA256 eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5
Tags
metasploit backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5

Threat Level: Known bad

The file eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor trojan

MetaSploit

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 20:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 20:19

Reported

2024-06-16 20:21

Platform

win7-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe

"C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe"

C:\windows\temp\9999.exe

"C:\windows\temp\9999.exe"

Network

Country Destination Domain Proto
N/A 192.168.232.128:9999 tcp

Files

\Windows\Temp\9999.exe

MD5 4bbe06c7549d05c5753ad8a66ae9e7db
SHA1 10ef56dc6d7caaee5b0a5ae4a9e7c934edbc40d9
SHA256 5af31bbe66bbb434fde759c6ec9c2e401d68b00f41e5d8d94472be7e1d4e681e
SHA512 0853216991deee65f4631d6b964d1c00f5a520f14a488cd682cf5ce7172df30683d0edd308ade8ad99e318ebb071d772fdc0076741bee82269743d3110949491

memory/2232-11-0x0000000002370000-0x0000000002375000-memory.dmp

memory/2232-10-0x0000000002370000-0x0000000002375000-memory.dmp

memory/2284-14-0x0000000140000000-0x0000000140004278-memory.dmp

memory/2232-15-0x0000000002390000-0x0000000002391000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 20:19

Reported

2024-06-16 20:21

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\temp\9999.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe

"C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe"

C:\windows\temp\9999.exe

"C:\windows\temp\9999.exe"

Network

Country Destination Domain Proto
N/A 192.168.232.128:9999 tcp

Files

C:\Windows\Temp\9999.exe

MD5 4bbe06c7549d05c5753ad8a66ae9e7db
SHA1 10ef56dc6d7caaee5b0a5ae4a9e7c934edbc40d9
SHA256 5af31bbe66bbb434fde759c6ec9c2e401d68b00f41e5d8d94472be7e1d4e681e
SHA512 0853216991deee65f4631d6b964d1c00f5a520f14a488cd682cf5ce7172df30683d0edd308ade8ad99e318ebb071d772fdc0076741bee82269743d3110949491

memory/2552-11-0x0000000140000000-0x0000000140004278-memory.dmp