metasploit | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca

General

Target

f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
Size

1.9MB
MD5

449fdd7efd9d93a0ade55e13d5bd93da
SHA1

1b1bc5942cdde5880e23e4b01c4f78215fda2656
SHA256

f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca
SHA512

7c7bcf69669cf9ac4f6228a6de1094bf988fa1ef6e7cbe32f158b6c8aae76ca294c29fabbe29b4b59c937d0d152d70fab807f4d6a77b294937a2c0c1428ce965

Score

10^/10

metasploit backdoor evasion persistence trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
31.44.184.108
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://31.44.184.48:80/tv99

Attributes

headers User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; InfoPath.2)

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion
Executes dropped EXE 3 IoCs

Processes:

taskhostw.exetaskhosta.exetaskhosta.exe

pid process

2840 taskhostw.exe
1648 taskhosta.exe
2260 taskhosta.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Disabling Security Tools
T1089

Service Stop
T1489

pid	process
2840	taskhostw.exe
1648	taskhosta.exe
2260	taskhosta.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

taskhostw.exef0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

taskhosta.exe

description pid process target process

PID 1648 set thread context of 2260 1648 taskhosta.exe taskhosta.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

description	pid	process	target process
PID 1648 set thread context of 2260	1648	taskhosta.exe	taskhosta.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe

pid	process
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskhostw.exe

pid process

2840 taskhostw.exe

pid	process
2840	taskhostw.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.execmd.exetaskhosta.exe

description	pid	process	target process
PID 3336 wrote to memory of 740	3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe	cmd.exe
PID 3336 wrote to memory of 740	3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe	cmd.exe
PID 3336 wrote to memory of 740	3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe	cmd.exe
PID 740 wrote to memory of 2748	740	cmd.exe	sc.exe
PID 740 wrote to memory of 2748	740	cmd.exe	sc.exe
PID 740 wrote to memory of 2748	740	cmd.exe	sc.exe
PID 3336 wrote to memory of 2840	3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe	taskhostw.exe
PID 3336 wrote to memory of 2840	3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe	taskhostw.exe
PID 3336 wrote to memory of 2840	3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe	taskhostw.exe
PID 3336 wrote to memory of 1648	3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe	taskhosta.exe
PID 3336 wrote to memory of 1648	3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe	taskhosta.exe
PID 3336 wrote to memory of 1648	3336	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe	taskhosta.exe
PID 1648 wrote to memory of 2260	1648	taskhosta.exe	taskhosta.exe
PID 1648 wrote to memory of 2260	1648	taskhosta.exe	taskhosta.exe
PID 1648 wrote to memory of 2260	1648	taskhosta.exe	taskhosta.exe
PID 1648 wrote to memory of 2260	1648	taskhosta.exe	taskhosta.exe
PID 1648 wrote to memory of 2260	1648	taskhosta.exe	taskhosta.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe

C:\Users\Admin\AppData\Local\Temp\f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe
"C:\Users\Admin\AppData\Local\Temp\f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
2⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\sc.exe
sc delete swprv
3⤵
PID:2748

C:\ProgramData\RealtekHD\taskhostw.exe
C:\ProgramData\RealtekHD\taskhostw.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
PID:2840

C:\ProgramData\install\taskhosta.exe
C:\ProgramData\install\taskhosta.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1648

C:\ProgramData\install\taskhosta.exe
C:\ProgramData\install\taskhosta.exe
3⤵
- Executes dropped EXE
PID:2260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Winlogon Helper DLL

1

T1004

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

6

T1112

Disabling Security Tools

3

T1089

Hidden Files and Directories

1

T1158

Bypass User Account Control

1

T1088

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RealtekHD\taskhostw.exe
MD5
3d1bdbe506435b6bcef9ccbe7b1e326e

SHA1
951978f4a11a5afb826c9be3071e72d27700f597

SHA256
a48389633a690d3de789e662a01fb617d794c5e409a893ed4a1e724db25d8ae4

SHA512
225dbd30cb628e3e8554689299dae5a4f4de5d86b1577f1eb77ac118a50706e36e47a8cab428e636b7ad60efadddbebe1108aa0ec1e00f5dcce78a77a5a97ce0

Download Submit
C:\ProgramData\RealtekHD\taskhostw.exe
MD5
3d1bdbe506435b6bcef9ccbe7b1e326e

SHA1
951978f4a11a5afb826c9be3071e72d27700f597

SHA256
a48389633a690d3de789e662a01fb617d794c5e409a893ed4a1e724db25d8ae4

SHA512
225dbd30cb628e3e8554689299dae5a4f4de5d86b1577f1eb77ac118a50706e36e47a8cab428e636b7ad60efadddbebe1108aa0ec1e00f5dcce78a77a5a97ce0

Download Submit
C:\ProgramData\install\taskhosta.exe
MD5
c4fdfc9a690ed2c0ef5ee37878cf20ca

SHA1
510b18f1b41f75fcffc415b70f2db689c43f4930

SHA256
45a30caa46cf531121e81ee34bd6df322ae721de8a2b47a0503419faaffcf54b

SHA512
a09898761be27abc5f36934a342ba795cf06ef6fb1332b98a65a14fc30c03e098732ac293106e0d2d635220e78f552b5a84517955a195f5d9e63eb543360c62b

Download Submit
C:\ProgramData\install\taskhosta.exe
MD5
c4fdfc9a690ed2c0ef5ee37878cf20ca

SHA1
510b18f1b41f75fcffc415b70f2db689c43f4930

SHA256
45a30caa46cf531121e81ee34bd6df322ae721de8a2b47a0503419faaffcf54b

SHA512
a09898761be27abc5f36934a342ba795cf06ef6fb1332b98a65a14fc30c03e098732ac293106e0d2d635220e78f552b5a84517955a195f5d9e63eb543360c62b

Download Submit
C:\ProgramData\install\taskhosta.exe
MD5
c4fdfc9a690ed2c0ef5ee37878cf20ca

SHA1
510b18f1b41f75fcffc415b70f2db689c43f4930

SHA256
45a30caa46cf531121e81ee34bd6df322ae721de8a2b47a0503419faaffcf54b

SHA512
a09898761be27abc5f36934a342ba795cf06ef6fb1332b98a65a14fc30c03e098732ac293106e0d2d635220e78f552b5a84517955a195f5d9e63eb543360c62b

Download Submit
memory/740-0-0x0000000000000000-mapping.dmp

Download
memory/1648-5-0x0000000000000000-mapping.dmp

Download
memory/2260-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2260-9-0x00000000004014B0-mapping.dmp

Download
memory/2260-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2260-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2748-1-0x0000000000000000-mapping.dmp

Download
memory/2840-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads