Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-11-2024 02:14

General

  • Target

    774e1eb4c59ff11ff0278843076292a0b64326075d41a79536df154a76b8fc67.exe

  • Size

    3.0MB

  • MD5

    be7a9dd0b25c5ed86f4314baae9905fa

  • SHA1

    2cea8306d8ce6e17da4cbabc700c993cb1c73db1

  • SHA256

    774e1eb4c59ff11ff0278843076292a0b64326075d41a79536df154a76b8fc67

  • SHA512

    c0fc7466e8a8733e82e7cb9ae8172f0e2f3e3ca431bf6a0a1a6b38852337bd9dde83cf7128db7e2e6021996f82892365c949aff79e0b5ca774e698f50c14d338

  • SSDEEP

    49152:phBfJXAE4pq5PtDZebWSGUDHLtDEy2sr0mRu3ljzSTz7Lv14BBQpsEAvG8:phBfKE4wbZeaSrmy2s76jqPL9UksEAO8

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

192.168.119.191:4445

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Modifies system executable filetype association 2 TTPs 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 42 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\774e1eb4c59ff11ff0278843076292a0b64326075d41a79536df154a76b8fc67.exe
    "C:\Users\Admin\AppData\Local\Temp\774e1eb4c59ff11ff0278843076292a0b64326075d41a79536df154a76b8fc67.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Program Files (x86)\WinRAR\uninstall.exe
      "C:\Program Files (x86)\WinRAR\uninstall.exe" /setup
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:3040

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\WinRAR\Rar.txt

    Filesize

    105KB

    MD5

    e3e92d933a7887710508d1a9a64f8e16

    SHA1

    191d054e3f48caa446322d9620fa9776dcd0eac7

    SHA256

    a4d41d73f7e56ab9f6254807e48bc94af3b214fbac9a17d24b8140a99aad26b3

    SHA512

    75c65e9c145b4980fc58460daa14da1ea45784943454eca2dc7ed69154a8d2cf92a6a213ad8a3dfdfa3045b4e1a8772372019f4c1d5e0e4dd407ee3f2348d75c

  • C:\Program Files (x86)\WinRAR\WhatsNew.txt

    Filesize

    86KB

    MD5

    9965bee67e4b4556f14558fb541defa4

    SHA1

    76657102bd53ddaa42a85128201e57d2adf27695

    SHA256

    f8e9c3be9c76ee13f7fc7a5ae8dd397440adb1dd6745b17e0ffce89e2d0fccad

    SHA512

    9e966914a8449d371fdd46e6ddbd47ae2fb40ee1f8e7c82d04584a42cda68d60d15441c90e54e9a8b0aed9dce95110a65c7e3ac3e358d950300f279d07f6aa7e

  • C:\Program Files (x86)\WinRAR\WinRAR.chm

    Filesize

    313KB

    MD5

    eca0e0be50f4f0dc5f2ccdbbc0338365

    SHA1

    1978b9d6ef60d5cd4258f0668d683be87fca0497

    SHA256

    750e5efc4ebb5e051b17efad93708ea2d5c27d22de720db0fea2408be85b3d42

    SHA512

    d9af9cc3c6cbf73818d6ab1c57c5ee7eb9345d03e5cd6b0e49b5d1c57728b183776dc83c9c0a5353bd15155d3d981886edbeaae202f2bb734841225b31bb619f

  • C:\Program Files (x86)\WinRAR\WinRAR.exe

    Filesize

    2.4MB

    MD5

    40aeb4034033e94bce6f00b12d07dd86

    SHA1

    7ae7cd6245a1a71c53f4aaaba6f02876a1332148

    SHA256

    6321e32f8d63f64d30be5e3269fc37a187b2b4f28dea02589284de0e9a37dd40

    SHA512

    d4f797ee8dff166a47c0be43e16fe0d57aae20b59c9fe2fafdbf4a9257517321ccb994889809915b0d0387ffdb8727d603dd75158063b2e12d42bef2e17ee5be

  • \Program Files (x86)\WinRAR\Uninstall.exe

    Filesize

    370KB

    MD5

    1aca2f757448ff3eb56c9b443de43e6c

    SHA1

    835a09ee47ebe6e9510a423b09e438eff183f1d2

    SHA256

    79396a300812449e5cabdeccfde4cb8d8938eb552223a29c2d5f9c8bdb1876d2

    SHA512

    782ab3b920b81c94cf77bbe371dea41ccc549937e068839c01affee5522d6b18471fb98241438d20f6e7b15228d907f258d423c0eaf4dc413c4bd93f7ca962e7

  • memory/2232-0-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2232-1-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB