Malware Analysis Report

2024-09-23 04:20

Sample ID: 240620-jbfm5awcpa
Target: c4642c13d6112f2f5600eab7aeec27bca90992060a64d3340f4edef942b9e722
SHA256: c4642c13d6112f2f5600eab7aeec27bca90992060a64d3340f4edef942b9e722
Tags: metasploit backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: c4642c13d6112f2f5600eab7aeec27bca90992060a64d3340f4edef942b9e722
Threat Level: Known bad

The file c4642c13d6112f2f5600eab7aeec27bca90992060a64d3340f4edef942b9e722 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor trojan

MetaSploit

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Enumerates connected drives

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-20 07:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-20 07:29
Reported: 2024-06-20 07:32
Platform: win7-20240611-en
Max time kernel: 147s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4642c13d6112f2f5600eab7aeec27bca90992060a64d3340f4edef942b9e722.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\windows\temp\testmsf.exe | N/A
N/A | N/A | C:\windows\temp\Everything.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\H: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\J: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\K: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\M: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\P: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\X: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\B: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\E: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\I: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\V: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\Y: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\G: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\L: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\O: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\R: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\S: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\W: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\A: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\N: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\Q: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\T: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\U: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\Z: | C:\windows\temp\Everything.exe | N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\windows\temp\Everything.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\windows\temp\Everything.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\windows\temp\Everything.exe | N/A

Processes

Path: C:\Users\Admin\AppData\Local\Temp\c4642c13d6112f2f5600eab7aeec27bca90992060a64d3340f4edef942b9e722.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c4642c13d6112f2f5600eab7aeec27bca90992060a64d3340f4edef942b9e722.exe"

Path: C:\windows\temp\testmsf.exe
Command line: "C:\windows\temp\testmsf.exe"

Path: C:\windows\temp\Everything.exe
Command line: "C:\windows\temp\Everything.exe"

Network

Country | Destination | Domain | Proto
N/A | 192.168.136.128:9999 | | tcp

Files

C:\Windows\Temp\testmsf.exe

MD5: 065dd3013bb3482ce4fb3e36687a8f33
SHA1: 6ad26262e9c2a589078ce9b8c8e4884aa27d20df
SHA256: c01a3fe713ce73f423a5c64dc25084631bb05a3feb240cbffa34411fe423daf5
SHA512: b4b194e41d140f21f710d17aed8790a221be02b6ae1bd73acd69ac6f2f61f20527aa22745d14942e0e76f9b51d4f044159417d9d4b3a9b6dd884a2282798cc03

memory/2360-11-0x0000000000700000-0x0000000000705000-memory.dmp

memory/2360-10-0x0000000000700000-0x0000000000705000-memory.dmp

memory/2284-15-0x0000000140000000-0x0000000140004278-memory.dmp

\Windows\Temp\Everything.exe

MD5: 0170601e27117e9639851a969240b959
SHA1: 7a4aee1910b84c6715c465277229740dfc73fa39
SHA256: 35cefe4bc4a98ad73dda4444c700aac9f749efde8f9de6a643a57a5b605bd4e7
SHA512: 3c24fa02621b78c5ddaf1ad9523045e9fa7ccc02d85a0342e8faafc31be2a3154558d3cefcd9ae8721973fb01450ab36e6bb75a1b95fcc485a4b919f20a2202f

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-20 07:29
Reported: 2024-06-20 07:32
Platform: win10v2004-20240508-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4642c13d6112f2f5600eab7aeec27bca90992060a64d3340f4edef942b9e722.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c4642c13d6112f2f5600eab7aeec27bca90992060a64d3340f4edef942b9e722.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\windows\temp\testmsf.exe | N/A
N/A | N/A | C:\windows\temp\Everything.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\G: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\I: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\N: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\Q: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\T: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\B: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\L: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\S: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\V: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\H: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\K: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\M: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\P: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\R: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\U: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\Z: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\E: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\J: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\O: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\W: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\X: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\Y: | C:\windows\temp\Everything.exe | N/A
File opened (read-only) | \??\A: | C:\windows\temp\Everything.exe | N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\windows\temp\Everything.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\windows\temp\Everything.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\windows\temp\Everything.exe | N/A

Processes

Path: C:\Users\Admin\AppData\Local\Temp\c4642c13d6112f2f5600eab7aeec27bca90992060a64d3340f4edef942b9e722.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c4642c13d6112f2f5600eab7aeec27bca90992060a64d3340f4edef942b9e722.exe"

Path: C:\windows\temp\testmsf.exe
Command line: "C:\windows\temp\testmsf.exe"

Path: C:\windows\temp\Everything.exe
Command line: "C:\windows\temp\Everything.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
N/A | 192.168.136.128:9999 | | tcp
US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 130.109.69.13.in-addr.arpa | udp

Files

C:\Windows\Temp\testmsf.exe

MD5: 065dd3013bb3482ce4fb3e36687a8f33
SHA1: 6ad26262e9c2a589078ce9b8c8e4884aa27d20df
SHA256: c01a3fe713ce73f423a5c64dc25084631bb05a3feb240cbffa34411fe423daf5
SHA512: b4b194e41d140f21f710d17aed8790a221be02b6ae1bd73acd69ac6f2f61f20527aa22745d14942e0e76f9b51d4f044159417d9d4b3a9b6dd884a2282798cc03

memory/1332-12-0x0000000140000000-0x0000000140004278-memory.dmp

C:\Windows\Temp\Everything.exe

MD5: 0170601e27117e9639851a969240b959
SHA1: 7a4aee1910b84c6715c465277229740dfc73fa39
SHA256: 35cefe4bc4a98ad73dda4444c700aac9f749efde8f9de6a643a57a5b605bd4e7
SHA512: 3c24fa02621b78c5ddaf1ad9523045e9fa7ccc02d85a0342e8faafc31be2a3154558d3cefcd9ae8721973fb01450ab36e6bb75a1b95fcc485a4b919f20a2202f

memory/1332-22-0x0000000140000000-0x0000000140004278-memory.dmp