Overview

overview

10

Static

static

3

9ff1808058...b3.exe

windows7-x64

10

9ff1808058...b3.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09/11/2024, 20:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ff1808058d0d7f98dbb52ae548e9fdc7343e99bace5c742850d1a7aaba943b3.exe

  • Size

    1.1MB

  • MD5

    e15851877969e07ec3a9262ea71de051

  • SHA1

    2e1fddbf86a95a29c2480d4194be5f70e1723381

  • SHA256

    9ff1808058d0d7f98dbb52ae548e9fdc7343e99bace5c742850d1a7aaba943b3

  • SHA512

    182c9665dcc09b96d76e3c028280f9cf44bbf8673f7e051c4c3f42fdccf1fde9efa0753c8f4ad9c209006de4b1e63af0ff7a9fc893e1dbbb2a3450eaa400c704

  • SSDEEP

    24576:GtH5sAdXEIFkj249qVgvFACJzsQ9Ss4fhK5muxGYpgjTAXouhWhsZ:AdKv9qkGKzssJ4fhKocOjTA4u6A

Score
10/10
metasploitbackdoordiscoverytrojan

Malware Config

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Metasploit payload 1 IoCs
  • Requests dangerous framework permissions 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ff1808058d0d7f98dbb52ae548e9fdc7343e99bace5c742850d1a7aaba943b3.exe
    "C:\Users\Admin\AppData\Local\Temp\9ff1808058d0d7f98dbb52ae548e9fdc7343e99bace5c742850d1a7aaba943b3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\BD1001.APK
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BD1001.APK"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2736
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2128

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BD1001.APK
    Filesize

    10KB

    MD5

    99d7c2676a485078410f4654c2613733

    SHA1

    ccbd757507a3a7098781f32fcbf0b4cadc49a48c

    SHA256

    faabb5c09940e54d1916e0c18ca1598d03eae61d61d0e5cf66d3ae46eeb4203d

    SHA512

    c1d66f8d201c883dea9fc625e0effa0a8ffc601c0e20d985933f86c71d7b15eb30722f05cc0f6e54c7c56ebd48689cc807571b52b779a92f3293412bf04511c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tpmm1001.png
    Filesize

    813KB

    MD5

    d40a84d2ef4a2587cd92015bba40f58c

    SHA1

    1909be8fff24cf1b9894f5fcf88082573fa93142

    SHA256

    c2a570743c33f9d5dc49a9986a180c19c8896399e84c0101bb4d8bf4042f8ab0

    SHA512

    8bf4a2f9104739a9e0fe03b7466269815f249dfe89b4906d09ab8ef4e35e02d09abad455776ea0cfe00cabd90f817c6bdcfa74f4f90a0be49b86c92f077d4f7d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize

    3KB

    MD5

    a5707392836b63c37e3ee112c554055a

    SHA1

    cc69340fec039832cee8b993946ac4deb529e307

    SHA256

    7310481274c8f0f66a8369d52899e24e59a0a61a05a41b66775ab3a05a097b13

    SHA512

    8b3b2418bdc8182095d80cd500bb86bbaa42d70d2b2bb07ca31ef78bd4c9257cb3c85f49c1042ae333d8783097fdbd6d247a9199089d441cddf021fdd882a7a7

    Download Submit

  • memory/2128-5-0x0000000000180000-0x0000000000182000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2396-4-0x0000000002380000-0x0000000002382000-memory.dmp

    Filesize

    8KB

    Download