Analysis

  • max time kernel
    115s
  • max time network
    115s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/08/2024, 02:47

General

  • Target

    e9e5280f0ef834435ddd568d2bb7c240N.exe

  • Size

    5KB

  • MD5

    e9e5280f0ef834435ddd568d2bb7c240

  • SHA1

    553e05ff696006097ff15c0ebe6ae6045dcffd5c

  • SHA256

    f44056d7cddcb37c7d7130aa76b3b53dd008a248b3a044068d7b821246bb29f8

  • SHA512

    c0df70a49b6c93ccfd66a175dcb635250c20f55822408b3de5fd4d3cc113e82667e83b571089bc7c2d0ad5a038b986dc4897817cc5f9c9e9059fa10734a45f2e

  • SSDEEP

    96:1KDbGKINu62GnnfasTU9ig+vyGs7YdDjSxXCkwdkmApAccsYa6JhduV0:1KbGTN52+mi7yGsgaxy9q8aYhduV0

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

194.59.31.31:1117

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • XMRig Miner payload 2 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9e5280f0ef834435ddd568d2bb7c240N.exe
    "C:\Users\Admin\AppData\Local\Temp\e9e5280f0ef834435ddd568d2bb7c240N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
      WindowsUpdate.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      PID:2916
    • C:\Users\Admin\AppData\Local\Temp\golang-woo.exe
      golang-woo.exe
      2⤵
      • Executes dropped EXE
      PID:2140
  • C:\Windows\system32\cmd.exe
    cmd.exe /c echo csfuzv > \\.\pipe\csfuzv
    1⤵
      PID:3048

Downloads

    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

      Filesize

      6.1MB

      MD5

      5fba8ae226b096da3b31de0e17496735

      SHA1

      d532a01254cf9e0229d3c5803b78ff7c9b0cb8d3

      SHA256

      ca28f4aeaa5e16d216cd828b67454a56f3c7feeb242412d26ed914fadff20d40

      SHA512

      951e44fc0864a6741bcbb4227feb5429a032713dabd91102f4f0e27a69181ce7f23562e902cc09896ae26334b6d18caf0f5a13d81370bd703fd7ed6f78b47e72

    • C:\Users\Admin\AppData\Local\Temp\config.json

      Filesize

      2KB

      MD5

      7a48e70aa2373571158cff1e773d84ab

      SHA1

      5aa406578bc4aa57ab869b15d3c6b3d3ff7e8e9e

      SHA256

      afe0f9b5099c8fd5446872e88a6cb98e090157418bfa78c6a2f35731b2afc4b6

      SHA512

      497509d8b457f33cba21f67e94ed207b9cf7e1866ede63d5f2f44483b75ec0673bc240e6634f02d1bf66e251227fc7ea652e784076a3020a3cd5c68ef291a616

    • \Users\Admin\AppData\Local\Temp\golang-woo.exe

      Filesize

      2.3MB

      MD5

      a0a55d12504c014c089c22070432503a

      SHA1

      2908f6116969305e46c7881c13de6fd5db580882

      SHA256

      34d0f0ac841c3ff7d5f1c33833d513a5abd56011f9c87bfb27c786255c9385b2

      SHA512

      7eeee6b3a1bb4b4919346be46b65e12146a1069c260aa238d58986742d05604f5b568225a1dc5f4af7f84c7010832d1c90dd3249832cd307c734c6642c958bd0

    • memory/2296-35-0x0000000000160000-0x0000000000185000-memory.dmp

      Filesize

      148KB

    • memory/2296-41-0x0000000000290000-0x00000000002C1000-memory.dmp

      Filesize

      196KB

    • memory/2296-14-0x0000000000F60000-0x0000000001060000-memory.dmp

      Filesize

      1024KB

    • memory/2296-15-0x0000000000490000-0x00000000004F3000-memory.dmp

      Filesize

      396KB

    • memory/2296-20-0x0000000000290000-0x00000000002C1000-memory.dmp

      Filesize

      196KB

    • memory/2296-0-0x0000000000020000-0x0000000000021000-memory.dmp

      Filesize

      4KB

    • memory/2296-40-0x0000000000F60000-0x0000000001060000-memory.dmp

      Filesize

      1024KB

    • memory/2296-7-0x0000000000290000-0x00000000002C1000-memory.dmp

      Filesize

      196KB

    • memory/2296-65-0x0000000000290000-0x00000000002C1000-memory.dmp

      Filesize

      196KB

    • memory/2296-66-0x0000000000130000-0x000000000015C000-memory.dmp

      Filesize

      176KB

    • memory/2296-67-0x0000000000F60000-0x0000000001060000-memory.dmp

      Filesize

      1024KB

    • memory/2296-68-0x0000000000F60000-0x0000000001060000-memory.dmp

      Filesize

      1024KB

    • memory/2296-6-0x0000000000290000-0x00000000002C1000-memory.dmp

      Filesize

      196KB

    • memory/2296-2-0x0000000000290000-0x00000000002C1000-memory.dmp

      Filesize

      196KB

    • memory/2296-1-0x0000000000130000-0x000000000015C000-memory.dmp

      Filesize

      176KB