Analysis

  • max time kernel
    108s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2024 11:08

General

  • Target

    ef809ac4fbe2ad04c3749e8eda925331faf468546c7d99823212c6c683796402.exe

  • Size

    3.0MB

  • MD5

    1af5edf02ff8abfff316ece781becef5

  • SHA1

    f5bc98cca3a51efe991829d33f639fddd7ed1adc

  • SHA256

    ef809ac4fbe2ad04c3749e8eda925331faf468546c7d99823212c6c683796402

  • SHA512

    7703f6d52625281b0c889fa6c9006dbc445f966af72c2770bffd0a4655f2f1c778a68a9f3ed23f4410caa48df7418deb3ea890e2c92145ba4e9f50b36803435a

  • SSDEEP

    98304:e69201BfKEpPx+gsDcApAbbXWKIpHmgxQAHfqL892:my0gYJmbbXWjpH/Hr2

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

192.168.147.128:4444

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Modifies system executable filetype association 2 TTPs 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 42 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef809ac4fbe2ad04c3749e8eda925331faf468546c7d99823212c6c683796402.exe
    "C:\Users\Admin\AppData\Local\Temp\ef809ac4fbe2ad04c3749e8eda925331faf468546c7d99823212c6c683796402.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Program Files (x86)\WinRAR\uninstall.exe
      "C:\Program Files (x86)\WinRAR\uninstall.exe" /setup
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2952

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\WinRAR\Rar.txt

    Filesize

    107KB

    MD5

    af6766905702754df5bcdf2c138f1095

    SHA1

    6673b0c7206bad71990833151f7dcb68821ebf6e

    SHA256

    971bd3bfcb422d855761f0a1536003e55716ff37dd7b3517baf7d64f3e4fea4b

    SHA512

    6a5903286d86de086a6cc39419b0dbbd2db932f79e5502f5450afd23e9a059ed12f39395f093675a6cfbfeecaeb186755d5cacbdd8d2e761648ef36f9fb13d89

  • C:\Program Files (x86)\WinRAR\WhatsNew.txt

    Filesize

    93KB

    MD5

    eb597062d6433ed06834334d4adbb7b4

    SHA1

    97fcb4eb6c41669618b4065909b9e9c53e1357ab

    SHA256

    3a1007071a6f895378337d6bff7854d95508d73c81ae7c1f2ab501e120e1e392

    SHA512

    2211fd33a51bd1b507d0f66a9083cf651193a6842d01ca7eb14b775436f0b456da06d417b9d4c7542dff8f95e4e5ecd10270129e86f7e7ddb901e25b2c1cf527

  • C:\Program Files (x86)\WinRAR\WinRAR.chm

    Filesize

    314KB

    MD5

    8be25a7a16c509936973ef6000263de6

    SHA1

    ef374544595b77d0df6cbfaef3a638c7b1029af9

    SHA256

    94a10ba0bcb268cc9bc321e7aa83eb98dbf4c2bfe6625362e729cc4075dbbb45

    SHA512

    a9bcbfaa7132194354f50eb9125f99da3cf5797d78b5297f8f1d12733699df0593511513422f0232c9aef66fcef08e680c72796a21bf079763c7d08fb2b28b05

  • C:\Program Files (x86)\WinRAR\WinRAR.exe

    Filesize

    2.4MB

    MD5

    217b1bb7892c80d55b58147764c37282

    SHA1

    e160afcc8f572cd730097e7d8ea676a100d17964

    SHA256

    e9ab359fb85a778839706f48ed2a33fbaf9d24d777d7373c90cac557e9726bc7

    SHA512

    ea4f0fb86cfb712af1d36be3861e170057bbbe5ecaca133401bd4a16d7c6d632c65103c2dc781931edccc4a1e7955a764212faa1e8a5637d5371c3d28d3d5f33

  • \Program Files (x86)\WinRAR\Uninstall.exe

    Filesize

    375KB

    MD5

    2db9db8b7149a99119acffc6992d77b1

    SHA1

    8d7bb2b40e5e6692f5060d44b21e3c5384ea6426

    SHA256

    8edb41da6893dcefab9ae1f8c4508d7479d871b2347b6d3f2cc49debaaaf6904

    SHA512

    9cf31e01db29b1a0e1c291194b2045de66f7f76315ffc5ddede801425b9866008e6f07d0a7d81a772bb027cb2f12b9f2d6d179528e1bf6925526530778d7be6d

  • memory/2868-1-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2868-0-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB