Analysis

  • max time kernel
    105s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-09-2024 16:29

General

  • Target

    f45cf85a3b8e82a8e03a103644f880c83b0e90696ce8567ed2ff994d909fd6b1.exe

  • Size

    4.0MB

  • MD5

    be08040460827e77d6e5c638c22761a1

  • SHA1

    9312eb4a8d5f32718447e0f0dbe29b477196e63a

  • SHA256

    f45cf85a3b8e82a8e03a103644f880c83b0e90696ce8567ed2ff994d909fd6b1

  • SHA512

    91896e37b7a6463cafafc23402312391f54e8e8d687f94a892566e84f9d865149aebe48180ad82066fa7cbf4e15a3d6ff9f398641bf300c08ee0a5a21516fde7

  • SSDEEP

    49152:31ZXtxDOmWP0pVfuFt37RH9/9pSTQSpItLc8a2n7s+TTCP0VXbpX5Sl35mjAYRGo:/txKmWMs3RH9o4P7hTbM

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

192.168.5.9:3636

Signatures

  • MetaSploit

    Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely as a geofence check.

  • Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) (3 TTPs, 2 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: LoadsDriver (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f45cf85a3b8e82a8e03a103644f880c83b0e90696ce8567ed2ff994d909fd6b1.exe
    "C:\Users\Admin\AppData\Local\Temp\f45cf85a3b8e82a8e03a103644f880c83b0e90696ce8567ed2ff994d909fd6b1.exe"
    1⤵
    • Checks computer location settings
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_4892.log
      2⤵
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      PID:2132

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Temp\cpuz_driver_4892.log

    Filesize

    2KB

    MD5

    b2783c165f0c5654acce962909c18d1a

    SHA1

    d464db536480d29b917531156203eebb782e180a

    SHA256

    a2162b65224fa6d7eed2b86ff6d2bdb1b33dcaee1b9c53b8bb7aefc63f81eb3d

    SHA512

    a4374d30e39c08585c92820cd5b64300f7353d1a74fd925247320422226a118fc4b3d11e54b4238075191ac1e49f768515cba745fbfcd46b104e208c60017faf

  • C:\Windows\Temp\cpuz_driver_4892.log

    Filesize

    1KB

    MD5

    41ada215229864366a4f45d05c0cc250

    SHA1

    033397ba4deef45561feedd74b9cca728a6bc719

    SHA256

    98a76b97388c93e94cafb994f498eb14024aae36ed2752b3e202c83fd39735d6

    SHA512

    2304da57bc8b6dadc12428f3d15caee24d5aeac5e0db3084771a6789a3b0a510eebbac1ff3b6e5d718517efb7c3c1a914bc5e8bccdbc2046e1eaa36e558f2d75

  • C:\Windows\temp\cpuz_driver_4892.log

    Filesize

    2KB

    MD5

    d139c5091c156b3211183168c7013149

    SHA1

    f250fa4f768296a5bf107cfccb320b3bb074a901

    SHA256

    b5ddce3b5939e9f6e6055a72f4716666b12c59977a61a31f44f1fd7cf8487af7

    SHA512

    a0add1187c2e905a0f2aa272ae2f25fb16cb5070188fe6f7be10fffad27669dbaae0f2ce1d180e9b1fe2299fe5d484253a0299d97aeb4e1153603d04894468c0

  • memory/4892-0-0x0000000000870000-0x0000000000871000-memory.dmp

    Filesize

    4KB

  • memory/4892-47-0x0000000000870000-0x0000000000871000-memory.dmp

    Filesize

    4KB