Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-12-12...er.exe

windows7-x64

10

2024-12-12...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/12/2024, 02:03 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-12-12_0178d22ec86dd92c1cd8e0ba2ac223e5_avoslocker_hijackloader_luca-stealer_magniber.exe

  • Size

    22.7MB

  • MD5

    0178d22ec86dd92c1cd8e0ba2ac223e5

  • SHA1

    30025465a07d50a21b8dda66b4591f545c35989d

  • SHA256

    b52c47e114f8e8523dfb634146a4bf8bb54d639d3e733d7b3afe7cfb623208cc

  • SHA512

    0c2075ac382e3c31eaac831e6225bc5cf96e4971d0779e636215fce16b2acecd6d6fb7722877e2139190331e6c4443c92a16bf51816748a6a1e322263dd9c9bf

  • SSDEEP

    196608:49uXVejN2DaVCjRgo5wwDScTLKdJ4R2zJXTO0yVejN2DaVCjRgo5wwDScTLKdJ4I:49pWH5/+dBJXTzrWH5/+dBJXTz

Score
10/10
metasploitbackdoordiscoverytrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.1.26:443

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Loads dropped DLL 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-12_0178d22ec86dd92c1cd8e0ba2ac223e5_avoslocker_hijackloader_luca-stealer_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-12_0178d22ec86dd92c1cd8e0ba2ac223e5_avoslocker_hijackloader_luca-stealer_magniber.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\system32\msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\vnc64.msi ProductLanguage=1033
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1576
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3368
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:4076
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding AFA63CEB3E348CE9874EC98DA92CFDFA E Global\MSI0000
        2⤵
        • Loads dropped DLL
        PID:4408
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:5052

    Network

    • flag-us
      DNS
      13.86.106.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.86.106.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      232.168.11.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      232.168.11.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      28.118.140.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.118.140.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      212.20.149.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      212.20.149.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      3.26.192.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      3.26.192.23.in-addr.arpa
      IN PTR
      Response
      3.26.192.23.in-addr.arpa
      IN PTR
      a23-192-26-3deploystaticakamaitechnologiescom
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • 192.168.1.26:443
      2024-12-12_0178d22ec86dd92c1cd8e0ba2ac223e5_avoslocker_hijackloader_luca-stealer_magniber.exe
      728 B
       14
    • 8.8.8.8:53
      13.86.106.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      13.86.106.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      232.168.11.51.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      232.168.11.51.in-addr.arpa

    • 8.8.8.8:53
      28.118.140.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      28.118.140.52.in-addr.arpa

    • 8.8.8.8:53
      212.20.149.52.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      212.20.149.52.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
       144 B
       1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      3.26.192.23.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      3.26.192.23.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e58506e.rbs
      Filesize

      1.0MB

      MD5

      ceda158434fa9d180aadb2683bd5aa10

      SHA1

      cd4a4e6538173368449b2ee7f8673f823f88aade

      SHA256

      9edbc72df116c051f1f0fa4c0c0c95c990268cc81f23e6ca6f228efee4d09693

      SHA512

      eeeedf83f3d4dca0003e7c529bd16fbb2f48df017351191d8938a029aae72aa4979c0528f3c7efa86652f071d6dc6a1533b63902c3d609e600cf6d1d217a6fab

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
      Filesize

      471B

      MD5

      4a9aa6a614556e086a26fd3799e56ddd

      SHA1

      f20b660dfaba446060f0c074a511cb931adc1129

      SHA256

      1f26a246511a771e468f21ebf16ebc65771824106b0cdf4ac4d7686a0e33f9ec

      SHA512

      417fe3d13064b688bc432a363bb8ffcbb5236b0481eb804889ffe836f3796d5e96634f1685c4f36588c067a05cb15b50795bf6363f1ded5c23533faecb15ad47

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_F59623AEE3E6048CCD92ADA564422513
      Filesize

      727B

      MD5

      2720763d3d6e1af588241a850d29db71

      SHA1

      5304cfecb54632e1824150f2db0d69ff1fa5a686

      SHA256

      aaf83b6a0722f145f3b5a85052e44b6c59689ffb03189d68a44b24cb0b5fd364

      SHA512

      64d2b84bc11e36de9aec359523e628636874e8c5ebe76f46134dd01ddd8bfa1c1666af0fae865268c464b4a83eba2ecc4c93f386cd101f988be07593bd014cf0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
      Filesize

      727B

      MD5

      144166bcdd73de6bc88826b56a505cf7

      SHA1

      ec02bf36ee81da1c0b9092337a054956480ea26a

      SHA256

      d7ed6d87057832f9a9d0476cc4f287cfd161453d978088bac3504428709a7523

      SHA512

      f56bbc0ed83c96aac239356e0664ac511b7c4c651017843f9fadf189e9a5dc0bc9f0eba3cb95179383d69c076feb966c2fd9bf00ef976e2c925ae8cbada4e463

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
      Filesize

      400B

      MD5

      12489dc42680b6ff2903abcaa955525b

      SHA1

      f37272715600f29dad0eaa6b0d1a3c7b59d84c9d

      SHA256

      10e2694b87c7e819b42e5ce5ed11318d677c595ee3a8f5ef674dea7a65a8fea6

      SHA512

      9486dad59fc2a36e3a6727e388a529f23c05c530b71c822c9074ea0fe2ca082217474398b85c824d2a8fa472bbdccbac7595470510eecf8a41e158ec582b2319

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_F59623AEE3E6048CCD92ADA564422513
      Filesize

      408B

      MD5

      26dc9004ae0d938213f1536f55539280

      SHA1

      c64c1888929eaa2b1670096c074550af8ea444b5

      SHA256

      0c423d8849d5ff951603f5452bc6311b809d1e74d0abba2807e6f417cc55a1ae

      SHA512

      a850c2ebea5e368623abb5ea7b3ace6ea2566698e0670990305877a75066c1336b9078ce3f201e2877240e024b852cca0e08e9031b9469bf7af971e848f8dbc1

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
      Filesize

      412B

      MD5

      24fa6d293fbea6a80e9cc940aff8a42f

      SHA1

      0b2303e1a23ff169e55eb7cb24a2c8c3e10188a7

      SHA256

      72efad98c41379358af4258b84e3c2c3b3d7c40e3886f728557832ecc618b516

      SHA512

      76dd3c43e8ce12ac64884248847a06cacd8b2ed99fbbea270af2f7ecc33de02d0551b750bbdfe62f2a11cd900c204cf194013673d844b5495790c00cc8cc09c7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vnc64.msi
      Filesize

      5.6MB

      MD5

      5b24d1c6b28984bf3a307a217ae862b4

      SHA1

      4db2cb295343977d1c4b1a6f0c8890f47aab6271

      SHA256

      14c5a337888158e635ea9d5c6d608ad5e9fb6af0b5f125d20b38bb03e26ffd6b

      SHA512

      1e30c593a2542099372dd0e6dc14f25a4cfeb5d4aa95a3981da4def8942db9ed0603e64f9c5d8040ca21f3894c7fe705fff62bb47dfe6ff9ccb7a84516f014a8

      Download Submit

    • C:\Windows\Installer\MSI534C.tmp
      Filesize

      1.0MB

      MD5

      55d3dcd4008adcfef3e0cb44fb0f229b

      SHA1

      6f828fa6e759b1cae266954670448f8bc6c6316f

      SHA256

      96fad74bb3630a31b8793887f394ba45a251b4b292c37225db05f47785c7dcf7

      SHA512

      19fc3c4b83392734a30019e08408ba4865ba483fd2ab701c630aad67b70bc9d0785aa70f737692b1955357a9a7e702ad868e48f6d6f03e5639126481f3319634

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.1MB

      MD5

      ec13911ae2831c1e17041a5f7c5b240b

      SHA1

      5f14233ce0126602a7eb89cf8cad0e3ee34320df

      SHA256

      d0d034d015f444a7eb155d54865ed6941a4109d6cdeb414c43e9d037ed1abc71

      SHA512

      74a2cac2accdaf05b24f35366d0cab8e5e2fc96dba145c0c212cff45c795aaf1c8aeb71a9d42aeea2a1ccb5daba43459db7daede0c64fac60ba0f2d374c8aad3

      Download Submit

    • \??\Volume{ff55cfe6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3400cfe7-0190-450f-b270-db00779ca9b3}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      b4e1c5c8aac91dd74724738312aab153

      SHA1

      4723a347de66b69a4b1ddf09cffa4f26cd5ba8b1

      SHA256

      4f2fd7328a7f4d758814ac0868fc399253f77d71981c67763365f2244ca1ca51

      SHA512

      9fb94f87f2f9ade722463f9eebce977430cab1801956e4faa5e1327c01fdc20843d4c25cf48214de731f03c6321bff33e6131cd383812947d47c0b715c686ca0

      Download Submit

    • memory/3520-0-0x0000000000400000-0x0000000001AB5AEC-memory.dmp

      Filesize

      22.7MB

      Download

    • memory/3520-51-0x0000000000400000-0x0000000001AB5AEC-memory.dmp

      Filesize

      22.7MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.