Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-09-2024 16:29

General

  • Target

    f45cf85a3b8e82a8e03a103644f880c83b0e90696ce8567ed2ff994d909fd6b1.exe

  • Size

    4.0MB

  • MD5

    be08040460827e77d6e5c638c22761a1

  • SHA1

    9312eb4a8d5f32718447e0f0dbe29b477196e63a

  • SHA256

    f45cf85a3b8e82a8e03a103644f880c83b0e90696ce8567ed2ff994d909fd6b1

  • SHA512

    91896e37b7a6463cafafc23402312391f54e8e8d687f94a892566e84f9d865149aebe48180ad82066fa7cbf4e15a3d6ff9f398641bf300c08ee0a5a21516fde7

  • SSDEEP

    49152:31ZXtxDOmWP0pVfuFt37RH9/9pSTQSpItLc8a2n7s+TTCP0VXbpX5Sl35mjAYRGo:/txKmWMs3RH9o4P7hTbM

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

192.168.5.9:3636

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f45cf85a3b8e82a8e03a103644f880c83b0e90696ce8567ed2ff994d909fd6b1.exe
    "C:\Users\Admin\AppData\Local\Temp\f45cf85a3b8e82a8e03a103644f880c83b0e90696ce8567ed2ff994d909fd6b1.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_2348.log
      2⤵
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      PID:2976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Temp\cpuz_driver_2348.log

    Filesize

    487B

    MD5

    8c277645c9b6bee6267d2d849fc3d8bc

    SHA1

    0c9063349fb57476c2cdf9e9b472bf53e414a033

    SHA256

    55fe70bc5f62d6a5d67809b71ecd4f936e4ea89a3c70498e067eae938b2a927a

    SHA512

    10a16d526d894552016d9353e934fb99639e4cd7e49b2c6cf17afda683a20d8e04afe9f36decb8385083239fadd7e7b28551e4e11e24c6ba0a888d8daad05b1c

  • C:\Windows\temp\cpuz_driver_2348.log

    Filesize

    2KB

    MD5

    b6fceea235ea7a47276d37987aa94f29

    SHA1

    e7d194194868d63d649ced4dbea74ded794bec76

    SHA256

    fd8103428c1840fb8cd4231039f077ca7c416de3b40922def54b1b1d12d8cf39

    SHA512

    f23e73d4946c9fb57e853c5dbe912fa76755011b355c1e447e923fe2743165b90d462635dcb261106d6323d79d9ce5e77e31a1c0d3e9fb1b0feaa06ce2833447

  • memory/2348-1-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2348-0-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB