Analysis

  • max time kernel
    79s
  • max time network
    87s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
  • submitted
    04-08-2024 06:49

General

  • Target

    joeseph-Luna-Logged.exe

  • Size

    13.2MB

  • MD5

    50c48cf579fee7a01dcdff742f16f7c2

  • SHA1

    8758e4bb451725834bae5cb0b006f37898731ebd

  • SHA256

    e456ee3e4e60b14525e3a2f0b0ca1bda82afcc1fa9ba9696f60c6297c4d01390

  • SHA512

    ee542f1c789ae41160d468f9c6e1cd82157203676f177313deed519e4ae4af07a374eb7d594bc146a0c4704deceab723b932201ea9682c1ef1332b8b89ecc618

  • SSDEEP

    393216:hWjIc+GLlRL+bXtZwOTQ44PSEgyumuQM272+Yyx+X:hAvpYdZwO1tmu07JYyIX

Malware Config

Signatures

  • Sliver RAT v2 1 IoCs
  • SliverRAT

    Sliver is an open-source adversary emulation and command-and-control (C2) framework whose implants are also used in real intrusions as a RAT.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions for file extensions, paths, or processes. Here the excluded path is C:\Users\Public\Downloads, the same directory from which mssearch.exe is then executed.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Indirect Command Execution 1 TTPs 1 IoCs

    Adversaries may abuse utilities that allow for command execution (here forfiles.exe with /c) to bypass security restrictions that limit the use of command-line interpreters.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information (disk identifier strings under HKLM\HARDWARE\DEVICEMAP\Scsi) is often read in order to detect sandboxing environments. In this run the reads are attributed to taskmgr.exe, which enumerates disks for its own display, so the hit is a weak indicator on its own.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\joeseph-Luna-Logged.exe
    "C:\Users\Admin\AppData\Local\Temp\joeseph-Luna-Logged.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\system32\whoami.exe
      "whoami" /priv
      2⤵
        PID:512
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Public\Downloads
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4620
      • C:\Users\Public\Downloads\mssearch.exe
        "C:\Users\Public\Downloads\mssearch.exe"
        2⤵
        • Executes dropped EXE
        PID:2188
      • C:\Windows\system32\forfiles.exe
        "forfiles" /p c:\windows\system32 /m cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$SELF-EXTRACT-tulv5pCqX4rUFuOF697d23eyhoWINRAR\cache_h8F8OJ6KqI2tixYAD8V9zxZ3b6.exe
        2⤵
        • Indirect Command Execution
        • Suspicious use of WriteProcessMemory
        PID:4828
        • C:\Users\Admin\AppData\Local\Temp\$SELF-EXTRACT-tulv5pCqX4rUFuOF697d23eyhoWINRAR\cache_h8F8OJ6KqI2tixYAD8V9zxZ3b6.exe
          "C:\Users\Admin\AppData\Local\Temp\$SELF-EXTRACT-tulv5pCqX4rUFuOF697d23eyhoWINRAR\cache_h8F8OJ6KqI2tixYAD8V9zxZ3b6.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          PID:1120
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:348
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:196
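The two behaviours worth alerting on in this tree are the Defender exclusion added from PowerShell and the binary proxied through forfiles.exe, and the strongest signal is their correlation: a process later runs from the very path that was excluded. The following is an added example of process-creation triage rules for that chain; it is not code from the sandbox or from the Sliver project. The event shape is a simplification of a Sysmon Event ID 1 / Security 4688 record, the sample events are constructed from the process tree above (a synthetic parent PID of 1000 is assumed for the submitted sample), and a real feed would be ordered by the event timestamp.

```python
"""Triage rules for the process tree in this report (added example, not the
sandbox's or the Sliver project's code).

Event fields mirror a minimal Sysmon Event ID 1 / Security 4688 record. The
SAMPLE_EVENTS are constructed from the process tree above, in the order the
tree lists them; a real feed should be sorted by UtcTime before triage.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SELF_EXTRACT = (r"C:\Users\Admin\AppData\Local\Temp\$SELF-EXTRACT-tulv5pCqX4rUFuOF697d23eyhoWINRAR"
                r"\cache_h8F8OJ6KqI2tixYAD8V9zxZ3b6.exe")

# Constructed from the process tree; PID 1000 is an assumed parent for the sample.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(2468, 1000, r"C:\Users\Admin\AppData\Local\Temp\joeseph-Luna-Logged.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\joeseph-Luna-Logged.exe"'),
    ProcEvent(512, 2468, r"C:\Windows\system32\whoami.exe", '"whoami" /priv'),
    ProcEvent(4620, 2468, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              '"powershell" -inputformat none -outputformat none -NonInteractive '
              r"-Command Add-MpPreference -ExclusionPath C:\Users\Public\Downloads"),
    ProcEvent(2188, 2468, r"C:\Users\Public\Downloads\mssearch.exe",
              r'"C:\Users\Public\Downloads\mssearch.exe"'),
    ProcEvent(4828, 2468, r"C:\Windows\system32\forfiles.exe",
              '"forfiles" /p c:\\windows\\system32 /m cmd.exe /c ' + SELF_EXTRACT),
    ProcEvent(1120, 4828, SELF_EXTRACT, f'"{SELF_EXTRACT}"'),
]

# Add-MpPreference / Set-MpPreference with any -Exclusion* parameter; the value
# may be quoted or a comma-separated list, handled by _split_values.
_EXCLUSION_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+([^\s;]+)", re.I)
# The program forfiles actually launches is the /c payload, not /m's match.
_FORFILES_C_RE = re.compile(r'/c\s+("[^"]+"|\S+)', re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _split_values(raw: str) -> List[str]:
    return [v.strip().strip("\"'") for v in raw.split(",") if v.strip()]


def defender_exclusions(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """(pid, kind, value) for each Defender exclusion added from PowerShell."""
    found = []
    for ev in events:
        if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
            continue
        for m in _EXCLUSION_RE.finditer(ev.cmdline):
            for value in _split_values(m.group(2)):
                found.append((ev.pid, m.group(1).capitalize(), value))
    return found


def forfiles_proxy_targets(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """(pid, target) for binaries launched through forfiles.exe /c.

    /p and /m only choose the files to iterate over; with /m cmd.exe in
    System32 there is exactly one match, so /c runs its target once.
    """
    hits = []
    for ev in events:
        if _basename(ev.image) != "forfiles.exe":
            continue
        m = _FORFILES_C_RE.search(ev.cmdline)
        if m:
            hits.append((ev.pid, m.group(1).strip('"')))
    return hits


def executed_from_excluded_path(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """(pid, image, excluded_prefix) for images under a path excluded EARLIER.

    The exclusion set is built while walking the stream, so an exclusion
    added after the execution does not produce a hit; the trailing backslash
    keeps C:\\X from matching C:\\X2.
    """
    excluded: List[str] = []
    hits = []
    for ev in events:
        image_l = ev.image.lower()
        for prefix in excluded:
            if image_l.startswith(prefix):
                hits.append((ev.pid, ev.image, prefix.rstrip("\\")))
                break
        for _pid, kind, value in defender_exclusions([ev]):
            if kind == "Path":
                excluded.append(value.lower().rstrip("\\") + "\\")
    return hits


def triage(events: List[ProcEvent]) -> Dict[str, list]:
    """Run every rule; a non-empty list is an alert."""
    return {
        "defender_exclusions": defender_exclusions(events),
        "forfiles_proxy": forfiles_proxy_targets(events),
        "run_from_excluded_path": executed_from_excluded_path(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

An administrator legitimately adding an exclusion and a dropper doing so look identical in the PowerShell event alone; the third rule is what separates them, and it only works if the events are processed in time order, which is why the exclusion set is accumulated during the walk rather than collected up front.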

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

        Filesize

        14KB

        MD5

        e1c74f6f5a31e89bf810e96e3d748fd9

        SHA1

        4c79542471b444905c85de7f2e29831d096fe16a

        SHA256

        ff3a5237dd64717e7dca5862c1f424ca9ed481b769711af9da31c0aba23723d2

        SHA512

        49f2072da07bcdb88a8144beca9ea019e40c5540fefeebb44d12b1c20379e5db32584e23f219a4429215c7ad66d8fb0f3c134f173af5dcea4643ea746085235d

      • C:\Users\Admin\AppData\Local\Temp\$SELF-EXTRACT-tulv5pCqX4rUFuOF697d23eyhoWINRAR\cache_h8F8OJ6KqI2tixYAD8V9zxZ3b6.exe

        Filesize

        11.7MB

        MD5

        eaeea58815f18ebdee07608ac15fb73f

        SHA1

        f0a4a6b521d46f803a5e1c4d8c09ebe42b428243

        SHA256

        dee1e4964a5db85611dcb801159112d687ffa4d49fb24e86845465b3da1935fb

        SHA512

        c28d84ef619a1e0704975e867b4279b84849a80282d889e35ccd983d8283347ebf91b0aac5c8cf76257e35d2abc3bac7ea0bb68b1e8078d24e99b53b9127db0f

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ny2qvdwr.2l4.ps1

        Filesize

        1B

        MD5

        c4ca4238a0b923820dcc509a6f75849b

        SHA1

        356a192b7913b04c54574d18c28d46e6395428ab

        SHA256

        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

        SHA512

        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      • C:\Users\Public\Downloads\mssearch.exe

        Filesize

        14.9MB

        MD5

        542c777a796fb4bbfbd0e6ae9bcdafbc

        SHA1

        f15b056e1db72781fd0254a10b99721893a2495f

        SHA256

        91dd9b2373d18f974fb0dfa3dbca971c97386679eaa0956d30f160df6eb74277

        SHA512

        d1d1607d2b71e2af498d307c08f7b2c2330a44d57b4cbdcf80482f899b9a5af791e86c8e4c1f9f34dcbe6b27f1af5d105e406bb31de9e81fb17e67103f95bd93

      • memory/4620-4-0x00007FFCAC3F3000-0x00007FFCAC3F4000-memory.dmp

        Filesize

        4KB

      • memory/4620-6-0x000001E1F3C00000-0x000001E1F3C22000-memory.dmp

        Filesize

        136KB

      • memory/4620-10-0x00007FFCAC3F0000-0x00007FFCACDDC000-memory.dmp

        Filesize

        9.9MB

      • memory/4620-9-0x000001E1F3CB0000-0x000001E1F3D26000-memory.dmp

        Filesize

        472KB

      • memory/4620-21-0x00007FFCAC3F0000-0x00007FFCACDDC000-memory.dmp

        Filesize

        9.9MB

      • memory/4620-24-0x00007FFCAC3F0000-0x00007FFCACDDC000-memory.dmp

        Filesize

        9.9MB

      • memory/4620-50-0x00007FFCAC3F0000-0x00007FFCACDDC000-memory.dmp

        Filesize

        9.9MB