metasploit | a6d83d134a7fdc7dafdddfdb8b5f0e8a41d3396d02915fb0beef7f2d3a7025bc

General

Target

SecuriteInfo.com.VB.Heur2.EmoDldr.5.700FC47C.Gen.13195.5911.doc
Size

68KB
MD5

40f29a4e81362d9a05688a5eb279bcd6
SHA1

98bacf0e21570110c64672dd8f666f6490f28faa
SHA256

a6d83d134a7fdc7dafdddfdb8b5f0e8a41d3396d02915fb0beef7f2d3a7025bc
SHA512

93a19ad096579089fdcb87463acbbaf8711a4a44ab9f5fc5be3476ff92a59adc7e2b4b9a72cfce5d58499902bf418c72028235f33cd5db7c9ea026ffb04673e5

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://remote.viowi.org:443/thumb/preview.gif

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MSBuild.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1292	336	MSBuild.exe	WINWORD.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

336 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

336 WINWORD.EXE
336 WINWORD.EXE

pid	process
336	WINWORD.EXE

pid	process
336	WINWORD.EXE
336	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXEMSBuild.execsc.exe

description	pid	process	target process
PID 336 wrote to memory of 1292	336	WINWORD.EXE	MSBuild.exe
PID 336 wrote to memory of 1292	336	WINWORD.EXE	MSBuild.exe
PID 336 wrote to memory of 1292	336	WINWORD.EXE	MSBuild.exe
PID 336 wrote to memory of 1292	336	WINWORD.EXE	MSBuild.exe
PID 1292 wrote to memory of 1620	1292	MSBuild.exe	csc.exe
PID 1292 wrote to memory of 1620	1292	MSBuild.exe	csc.exe
PID 1292 wrote to memory of 1620	1292	MSBuild.exe	csc.exe
PID 1292 wrote to memory of 1620	1292	MSBuild.exe	csc.exe
PID 1620 wrote to memory of 860	1620	csc.exe	cvtres.exe
PID 1620 wrote to memory of 860	1620	csc.exe	cvtres.exe
PID 1620 wrote to memory of 860	1620	csc.exe	cvtres.exe
PID 1620 wrote to memory of 860	1620	csc.exe	cvtres.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Heur2.EmoDldr.5.700FC47C.Gen.13195.5911.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" C:\Users\Admin\Documents\template.xml
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lhkj0zys\lhkj0zys.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E6A.tmp" "c:\Users\Admin\AppData\Local\Temp\lhkj0zys\CSC77845121CA6D47B881754EB37627D4C9.TMP"
4⤵
PID:860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8E6A.tmp
MD5
726fdd3d9ba67c7884b5a88cad258d22

SHA1
8e0b89687c4753d7ddd1ba1312934ce555dfdc01

SHA256
5f4f577afeeaad05407bdecd931f06de81ac8c64a59168d443c33c9e298e2e76

SHA512
2dc64c38d5e850b0458fe2f6511bd96ada2e65aea827d624f0a8337ceb74691060ca155446e9ea2f986cff7e1e788a2ceb41bb418d3c7113bacf6b8dcd8f2d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhkj0zys\lhkj0zys.dll
MD5
237e08b1cb5091f9529c112dbb63b92b

SHA1
9290313fa5ddbc39f6e7e96b5cf31971960b62b7

SHA256
d364c6417fdbf6d19180dd5d7825ded2c7040c944f05761c9bfc48e07351823a

SHA512
c9a251240a58deba450661b5709a113aacf9f6eb2327cae5703f6445df2821f79fe937c60bd0be649d8b3150052cee1143f640fae443593f04c6e32f81829c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhkj0zys\lhkj0zys.pdb
MD5
1fee2767d2656fb605eb15b4c4284bb8

SHA1
aa9a9537aa83bbccef64eec06e6391b6425866dd

SHA256
ed3a17f6ad3867356cec4e372ad0ec256d166ae846edd742e16116a071e61af6

SHA512
87ab160d67af2edf20511a92a66a469516d3a1439a7442275846ec86f2eccc604b999622c465da23187c12ba2ffb27ee49285c2119ace481640bde617c377299

Download Submit
C:\Users\Admin\Documents\template.xml
MD5
33d91e9ab32c8b1659666360438894ad

SHA1
0506714e2cf930423357e69df81fa9d3de10dd34

SHA256
3b1eff572645ccf2488b6afb6a0a0abb6fa37c019b7c7b382267594075783128

SHA512
ad6a2f642f27cf27ef6ec4c75cc32f5f5115d01e9b63a92bccd700cb84d4c6bf42d04f2940f1a28bce90e4a2c4952c1b9d6d2e71e6a00a0f7a1d751265281534

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lhkj0zys\CSC77845121CA6D47B881754EB37627D4C9.TMP
MD5
f4e714fc99780c47529b58d71bcb14a3

SHA1
5950d8af4788bb116d8bdd8d8115159a424bd7e7

SHA256
c5a57b973bb686bed8a0606b94370bad096afbc00864af36c0adfb6696633f02

SHA512
8173370d2a8c07819ce47e933de2a06fbc7ac270f950e0898b441a8848aad2e8a67f636aef30972e2d4a9cd4eec964262842f7db0056b21da8e98c028b2f7878

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lhkj0zys\lhkj0zys.0.cs
MD5
194f7a38a0bfd4157d16502917f7cad1

SHA1
9bb6d112728c33a1009fc12837ceebf48d70ff55

SHA256
cf186081fc91ef5c08335e52a41111ef846723e1159be7e1be61fb8d21f1fc11

SHA512
afc993508a2c94a221e9ead9d3417db8ad90c15635f05c744ce1d2c6e1545faed7bc5318e1bf447bc1637832d09c19b9ca926e1a3f28fb8d5be1288610d56fb9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lhkj0zys\lhkj0zys.cmdline
MD5
e710398bfd8589661b1705dc3b0020ef

SHA1
e7300096985def141ab36b4bf5a3c58b93d4732c

SHA256
35b477386e208c44b8c14012bc553110c8aa030f3b41a97e166b355e4e93dca1

SHA512
8a245cad19ed5a47f7e32292d1333351379983ed14bfd953e450285b42fbf859dd4d37ef4f9d81da71feeb9d582f23ed9641c32d64fcb99e22a6fee10b881e9c

Download Submit
memory/336-2-0x00000000720E1000-0x00000000720E4000-memory.dmp

Filesize
12KB

Download
memory/336-25-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/336-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/336-3-0x000000006FB61000-0x000000006FB63000-memory.dmp

Filesize
8KB

Download
memory/596-27-0x000007FEF6EA0000-0x000007FEF711A000-memory.dmp

Filesize
2.5MB

Download
memory/860-19-0x0000000000000000-mapping.dmp

Download
memory/1292-8-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/1292-15-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/1292-14-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/1292-13-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1292-12-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/1292-11-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/1292-10-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/1292-7-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1292-24-0x00000000004E0000-0x00000000004E2000-memory.dmp

Filesize
8KB

Download
memory/1292-6-0x000000006A8B0000-0x000000006AF9E000-memory.dmp

Filesize
6.9MB

Download
memory/1292-26-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1292-5-0x0000000000000000-mapping.dmp

Download
memory/1620-16-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads