metasploit | 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015

General

Target

9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
Size

199KB
MD5

5b5e120a4cf6fd359750b10a3afe5dd1
SHA1

d54e0bb8305f468797fd03f22d64edef03fd65f3
SHA256

9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015
SHA512

a4e87629cb12aec6b7d280877210c241e5d9c129b099473ad3c54f2ba0ef6686d940ce8ffb9d65d2b5980e4a2441c87511d61b8fa600f63c26146b0739c6eb46

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://thedonald.win:443/t6pNyjKhMouuSa9I8aNlOQxTWalk1ZSCWvqscRqnGo-36PO2VBgdduQJebUNp8cgFO03Hha7yXrD9Q8hF5KFjWFydleor9rJO_IdHjJYnwDz3V3CD1ZzbMGMIRgBfd4oD91ekmuH9O36BFxS-ApQa4m-JXlszaAFF92RuNpJlwnOZQaIE

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3636 created 2072 3636 WerFault.exe 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe

description	pid	process	target process
PID 3636 created 2072	3636	WerFault.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe

ServiceHost packer 26 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/2072-14-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-15-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-13-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-16-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-17-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-19-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-18-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-21-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-20-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-23-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-22-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-25-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-26-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-27-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-24-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-29-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-28-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-32-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-31-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-35-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-34-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-33-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-36-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-37-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-39-0x00000000004010A1-mapping.dmp	servicehost
behavioral2/memory/2072-38-0x00000000004010A1-mapping.dmp	servicehost

Executes dropped EXE 1 IoCs

Processes:

9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe

pid process

2072 9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe

pid	process
2072	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	upx

Drops startup file 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe

description	pid	process	target process
PID 4068 set thread context of 2072	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
2908	2072	WerFault.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
3636	2072	WerFault.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exeWerFault.exeWerFault.exe

pid	process
4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	2908	WerFault.exe
Token: SeBackupPrivilege	2908	WerFault.exe
Token: SeDebugPrivilege	2908	WerFault.exe
Token: SeDebugPrivilege	3636	WerFault.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe

pid	process
4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.execmd.exenet.exe

description	pid	process	target process
PID 4068 wrote to memory of 3192	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	cmd.exe
PID 4068 wrote to memory of 3192	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	cmd.exe
PID 4068 wrote to memory of 3192	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	cmd.exe
PID 4068 wrote to memory of 3124	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	cmd.exe
PID 4068 wrote to memory of 3124	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	cmd.exe
PID 4068 wrote to memory of 3124	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	cmd.exe
PID 4068 wrote to memory of 2072	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
PID 4068 wrote to memory of 2072	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
PID 4068 wrote to memory of 2072	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
PID 4068 wrote to memory of 2072	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
PID 4068 wrote to memory of 2072	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
PID 4068 wrote to memory of 2072	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
PID 4068 wrote to memory of 2072	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
PID 4068 wrote to memory of 2072	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
PID 4068 wrote to memory of 2072	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
PID 4068 wrote to memory of 2072	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
PID 4068 wrote to memory of 2072	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
PID 4068 wrote to memory of 2072	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
PID 4068 wrote to memory of 2072	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
PID 4068 wrote to memory of 2072	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
PID 4068 wrote to memory of 2072	4068	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe	9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
PID 3124 wrote to memory of 1324	3124	cmd.exe	net.exe
PID 3124 wrote to memory of 1324	3124	cmd.exe	net.exe
PID 3124 wrote to memory of 1324	3124	cmd.exe	net.exe
PID 1324 wrote to memory of 184	1324	net.exe	net1.exe
PID 1324 wrote to memory of 184	1324	net.exe	net1.exe
PID 1324 wrote to memory of 184	1324	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
"C:\Users\Admin\AppData\Local\Temp\9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:3192

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
2⤵
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
4⤵
PID:184

C:\Users\Admin\AppData\Local\Temp\9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
"C:\Users\Admin\AppData\Local\Temp\9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe"
2⤵
- Executes dropped EXE
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1252
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1244
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015.exe
MD5
5b5e120a4cf6fd359750b10a3afe5dd1

SHA1
d54e0bb8305f468797fd03f22d64edef03fd65f3

SHA256
9fb70c001307ee5f60eff1a9d9f5903ef909ddde5526cbe85a143d2fa6f51015

SHA512
a4e87629cb12aec6b7d280877210c241e5d9c129b099473ad3c54f2ba0ef6686d940ce8ffb9d65d2b5980e4a2441c87511d61b8fa600f63c26146b0739c6eb46

Download Submit
memory/184-10-0x0000000000000000-mapping.dmp

Download
memory/1324-9-0x0000000000000000-mapping.dmp

Download
memory/2072-28-0x00000000004010A1-mapping.dmp

Download
memory/2072-8-0x0000000000400000-0x0000000000C98000-memory.dmp

Filesize
8.6MB

Download
memory/2072-5-0x00000000004010A1-mapping.dmp

Download
memory/2072-23-0x00000000004010A1-mapping.dmp

Download
memory/2072-4-0x0000000000400000-0x0000000000C98000-memory.dmp

Filesize
8.6MB

Download
memory/2072-22-0x00000000004010A1-mapping.dmp

Download
memory/2072-38-0x00000000004010A1-mapping.dmp

Download
memory/2072-20-0x00000000004010A1-mapping.dmp

Download
memory/2072-14-0x00000000004010A1-mapping.dmp

Download
memory/2072-15-0x00000000004010A1-mapping.dmp

Download
memory/2072-13-0x00000000004010A1-mapping.dmp

Download
memory/2072-16-0x00000000004010A1-mapping.dmp

Download
memory/2072-17-0x00000000004010A1-mapping.dmp

Download
memory/2072-19-0x00000000004010A1-mapping.dmp

Download
memory/2072-18-0x00000000004010A1-mapping.dmp

Download
memory/2072-21-0x00000000004010A1-mapping.dmp

Download
memory/2072-39-0x00000000004010A1-mapping.dmp

Download
memory/2072-7-0x00000000004010A1-mapping.dmp

Download
memory/2072-37-0x00000000004010A1-mapping.dmp

Download
memory/2072-25-0x00000000004010A1-mapping.dmp

Download
memory/2072-26-0x00000000004010A1-mapping.dmp

Download
memory/2072-27-0x00000000004010A1-mapping.dmp

Download
memory/2072-24-0x00000000004010A1-mapping.dmp

Download
memory/2072-29-0x00000000004010A1-mapping.dmp

Download
memory/2072-36-0x00000000004010A1-mapping.dmp

Download
memory/2072-33-0x00000000004010A1-mapping.dmp

Download
memory/2072-32-0x00000000004010A1-mapping.dmp

Download
memory/2072-31-0x00000000004010A1-mapping.dmp

Download
memory/2072-35-0x00000000004010A1-mapping.dmp

Download
memory/2072-34-0x00000000004010A1-mapping.dmp

Download
memory/2908-12-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/2908-11-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/3124-3-0x0000000000000000-mapping.dmp

Download
memory/3192-2-0x0000000000000000-mapping.dmp

Download
memory/3636-30-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads