Overview

overview

10

Static

static

3

096024b0cf...31.exe

windows7-x64

10

096024b0cf...31.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/09/2024, 11:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    096024b0cf6ebcbad059c030d43d76451c1a184a2c1f7680f3976718d198de31.exe

  • Size

    4.0MB

  • MD5

    73f86717725bdb7c72c04f47191f155b

  • SHA1

    52baad3486c9b5e04aa4e07eeec8ff67c861d65b

  • SHA256

    096024b0cf6ebcbad059c030d43d76451c1a184a2c1f7680f3976718d198de31

  • SHA512

    e54c85a61e0a2d98ef0488690f4da23ec98cdb51dae4752982a28ff512f4dfe05a4c692e75d11ce0aaa9e4a1412d22562b527eaf0ea9d1f5c7ed43405ff83155

  • SSDEEP

    49152:i1ZXtxDOmWP0pVfuFt37RW9/9pSTQSpItLc8a2n7s+TTCP0VXbpX5Sl35mjAYRGo:atxKmWMs3RW9o4P7hTbM

Score
10/10
metasploitbackdoordiscoverytrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.5.9:6789

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\096024b0cf6ebcbad059c030d43d76451c1a184a2c1f7680f3976718d198de31.exe
    "C:\Users\Admin\AppData\Local\Temp\096024b0cf6ebcbad059c030d43d76451c1a184a2c1f7680f3976718d198de31.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4220
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 472
      2⤵
      • Program crash
      PID:2360
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 480
      2⤵
      • Program crash
      PID:2412
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4220 -ip 4220
    1⤵
      PID:2636
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4220 -ip 4220
      1⤵
        PID:4264

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\Temp\cpuz_driver_4220.log
        Filesize

        1KB

        MD5

        c5d2ab0ca789859798fc95d9867b1718

        SHA1

        34bc6347036b92d48e9c211f8d205b18853e5073

        SHA256

        3cd8a015407642962f34519bbffcb5306b61d656b3852bc76e0c34765ee53002

        SHA512

        d9e89d418d17be3ae7275e92f9ee19c889532cb2e463d5a9f8973ba7caa8fc41678a7760e00027a3250885b8354128dd1c21c8259bbf16eba6b62a90f8a6d70d

        Download Submit

      • memory/4220-0-0x0000000000870000-0x0000000000871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4220-22-0x0000000000870000-0x0000000000871000-memory.dmp

        Filesize

        4KB

        Download