Analysis

  • max time kernel
    281s
  • max time network
    290s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    25-09-2024 22:26

General

  • Target

    magic.exe

  • Size

    34KB

  • MD5

    3f69a87cb4bde9c863f39301eb1f29c8

  • SHA1

    3c9de5d2605eb4419fe38c1728e97b6e7a9057ef

  • SHA256

    a4b990527a7439738349dc225d6bbdb8aada977b9c52add94bc94ae897311b18

  • SHA512

    d9fa11922158349c540adbd9a9e44062e42f7a5e9372ed89194554d536be186e239e254a2dac1fa40e8caace13c815e5f7a0d35fbd7007f251e5a8462408774d

  • SSDEEP

    384:sckalfdKxiis5iHo40IKYb93V5XiVOcvbvx0fAmwD6:xlkxiihHo4fb93b4TvbOpq6

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

124.221.70.199:8762

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3416
      • C:\Users\Admin\AppData\Local\Temp\magic.exe
        "C:\Users\Admin\AppData\Local\Temp\magic.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4740
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2080
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
      1⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3256
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:844

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GUY07P0L\www.bing[1].xml

      Filesize

      539B

      MD5

      52154b2fa497b2c17f45f364246370ef

      SHA1

      f4b9aa2301352b25bbf6e1990b92e87ae9daa907

      SHA256

      04a6ce32e94e95bacda4213dff0688288b159255c42c6b531b39488f1a07079f

      SHA512

      ca6233f64b9dbd03990f7bfa014f7071d6e2c6dc73ea83d47f16df726cea3e7a45c7892cb1a37e721ee0cc868506a3f543acd44ad2f8372a3cd19ba63d3b0136

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GUY07P0L\www.bing[1].xml

      Filesize

      18KB

      MD5

      e56b0ccb851e03680caed61fbb8cec7c

      SHA1

      d92dc6718d574fa3fc3475b54a64f4c145872b29

      SHA256

      5d0a83be6f9d286158ffd44c925f71d1da10d03d90d093eab54d8be7d34b2b73

      SHA512

      5dbd2b56115c5049bd336c61589919ae5b11351c638bae0df9382173afd4bcc45422c1f59aad1afa0a2beba89b5e9c0ba891cc51a093110e3c3f84350eb73da0

    • memory/3256-54-0x0000014DF79C0000-0x0000014DF7AC0000-memory.dmp

      Filesize

      1024KB

    • memory/3256-86-0x0000014DFB630000-0x0000014DFB730000-memory.dmp

      Filesize

      1024KB

    • memory/3256-108-0x0000014DFB5B0000-0x0000014DFB5D0000-memory.dmp

      Filesize

      128KB

    • memory/3256-109-0x0000014DFADA0000-0x0000014DFADC0000-memory.dmp

      Filesize

      128KB

    • memory/3256-110-0x0000014DFBAE0000-0x0000014DFBB00000-memory.dmp

      Filesize

      128KB

    • memory/3256-198-0x0000014DFF3D0000-0x0000014DFF4D0000-memory.dmp

      Filesize

      1024KB

    • memory/3416-0-0x0000000002670000-0x0000000002671000-memory.dmp

      Filesize

      4KB