Overview

overview

10

Static

static

3

WO.exe

windows7-x64

10

WO.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    WO.exe

  • Size

    126KB

  • Sample

    241223-xjl2rsxpgl

  • MD5

    7176b040816932541eb9c2b91d90b29b

  • SHA1

    137a9c4620366caff2a1d1c297b6ae8c6d28761d

  • SHA256

    db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95

  • SHA512

    1332645e8c6b53994b4f3f28b980c1fe646cec1771e77982a85ec4036725f4f2930bd9a45caea8a03b8a8ece0b432955b0d55e09396f5a80fd7c0d2825b0d1de

  • SSDEEP

    3072:a2sMWkzbJh1qZ9QW69hd1MMdxPe9N9uA0hu9TBfcX011:7bJhs7QW69hd1MMdxPe9N9uA0hu9TBZn

Score
10/10
metasploitbackdoordiscoveryevasionexecutiontrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

147.185.221.23:1121

Targets

    • Target

      WO.exe

    • Size

      126KB

    • MD5

      7176b040816932541eb9c2b91d90b29b

    • SHA1

      137a9c4620366caff2a1d1c297b6ae8c6d28761d

    • SHA256

      db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95

    • SHA512

      1332645e8c6b53994b4f3f28b980c1fe646cec1771e77982a85ec4036725f4f2930bd9a45caea8a03b8a8ece0b432955b0d55e09396f5a80fd7c0d2825b0d1de

    • SSDEEP

      3072:a2sMWkzbJh1qZ9QW69hd1MMdxPe9N9uA0hu9TBfcX011:7bJhs7QW69hd1MMdxPe9N9uA0hu9TBZn

    Score
    10/10
    evasionexecutiontrojanmetasploitbackdoordiscovery

    • Disables service(s)

      evasionexecution

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Metasploit family

      metasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks