metasploit | 2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-en-20211208
submitted
27-01-2022 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe
Size

120KB
MD5

22cbe2b0f1ef3f2b18b4c5aed6d7bb79
SHA1

9063797b6ebe0cb1c83cde2c15d9c69736d53c71
SHA256

2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233
SHA512

b96d33189d73f228936173293c68be3fa2545a4e36db0712d999a664bbc15c5b252b1ba1d9beb591f01c46188bdbce3845b09916ff61227e04c3c9c9c494c612

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 3 IoCs

Processes:

thinprobe.exethinprobe.exethinprobe.exe

pid process

288 thinprobe.exe
1060 thinprobe.exe
1804 thinprobe.exe
Deletes itself 1 IoCs

Processes:

thinprobe.exe

pid process

288 thinprobe.exe
Loads dropped DLL 2 IoCs

Processes:

2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exethinprobe.exe

pid process

744 2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe
288 thinprobe.exe
Drops file in Windows directory 1 IoCs

Processes:

thinprobe.exe

description ioc process

File opened for modification C:\Windows\pcawhere\config.ini thinprobe.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

svchost.exe

pid process

1196 svchost.exe
1196 svchost.exe
1196 svchost.exe
1196 svchost.exe
1196 svchost.exe
1196 svchost.exe
1196 svchost.exe
1196 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

thinprobe.exethinprobe.exe

description pid process

Token: SeDebugPrivilege 288 thinprobe.exe
Token: SeDebugPrivilege 1804 thinprobe.exe

pid	process
288	thinprobe.exe
1060	thinprobe.exe
1804	thinprobe.exe

pid	process
288	thinprobe.exe

pid	process
744	2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe
288	thinprobe.exe

description	ioc	process
File opened for modification	C:\Windows\pcawhere\config.ini	thinprobe.exe

pid	process
1196	svchost.exe
1196	svchost.exe
1196	svchost.exe
1196	svchost.exe
1196	svchost.exe
1196	svchost.exe
1196	svchost.exe
1196	svchost.exe

description	pid	process
Token: SeDebugPrivilege	288	thinprobe.exe
Token: SeDebugPrivilege	1804	thinprobe.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exethinprobe.exethinprobe.exe

description	pid	process	target process
PID 744 wrote to memory of 288	744	2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe	thinprobe.exe
PID 744 wrote to memory of 288	744	2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe	thinprobe.exe
PID 744 wrote to memory of 288	744	2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe	thinprobe.exe
PID 744 wrote to memory of 288	744	2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe	thinprobe.exe
PID 288 wrote to memory of 1060	288	thinprobe.exe	thinprobe.exe
PID 288 wrote to memory of 1060	288	thinprobe.exe	thinprobe.exe
PID 288 wrote to memory of 1060	288	thinprobe.exe	thinprobe.exe
PID 288 wrote to memory of 1060	288	thinprobe.exe	thinprobe.exe
PID 1804 wrote to memory of 1196	1804	thinprobe.exe	svchost.exe
PID 1804 wrote to memory of 1196	1804	thinprobe.exe	svchost.exe
PID 1804 wrote to memory of 1196	1804	thinprobe.exe	svchost.exe
PID 1804 wrote to memory of 1196	1804	thinprobe.exe	svchost.exe
PID 1804 wrote to memory of 1196	1804	thinprobe.exe	svchost.exe
PID 1804 wrote to memory of 1196	1804	thinprobe.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe
"C:\Users\Admin\AppData\Local\Temp\2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\7z5CC532E8\thinprobe.exe
C:\Users\Admin\AppData\Local\Temp\7z5CC532E8\thinprobe.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\pcawhere\thinprobe.exe
"C:\Windows\pcawhere\thinprobe.exe"
3⤵
- Executes dropped EXE
PID:1060

C:\Windows\pcawhere\thinprobe.exe
C:\Windows\pcawhere\thinprobe.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\svchost.exe
-daemon
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z5CC532E8\ThinHostProbedll.dll
MD5
bfb71e0efe5d9208aa9cbdfd4a85a52d

SHA1
ea487fbad911df1f51aa9332336847e2d5dd68bf

SHA256
c195afb7048664ea2a68fa11b5ebeca502ee5454b2364216d0002a3bfda7057d

SHA512
de7490b47939de9e634bea75400c0d820e4e62ee083020e18a48b66fff8ad307926778424fe315ca616878361babe6e6642272ce1eb9036b661c37cd5960bdf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z5CC532E8\thinprobe.exe
MD5
65e6e6fffa769830d76ac4fae2433121

SHA1
ced1d78304c4b4dfeb357739859587744e7530da

SHA256
76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af

SHA512
8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z5CC532E8\thinprobe.exe
MD5
65e6e6fffa769830d76ac4fae2433121

SHA1
ced1d78304c4b4dfeb357739859587744e7530da

SHA256
76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af

SHA512
8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z5CC532E8\thumb.db
MD5
3de31dfdc8b414e2adc69ba0b98c15a4

SHA1
e1a2fd0649a9cededc9254913b763ed0cbc4a1d8

SHA256
16934d5efcc37b0d8e3cd65a8c4b60cd9a16dfd2ee15c2dfb18827b4735849e0

SHA512
0e9cc74392f7a6e96ebd3ffbd858cd0dbf5d05bb81d0dbdee840cbc2905a3e3a80e2cde9c8d7e05ddd4bc4ab9745e83aeaed1b55ddba120bd4b9520939503a8c

Download Submit
C:\Windows\pcawhere\config.ini
MD5
829764fab82c0a19b9eca6e2fa6547db

SHA1
e074ace3328a4f151d79658c0045315f7867ceb5

SHA256
4641daae5ebc1d169df2c1e5fe7f63791f193edde009aefcf3b964f0732ca8b0

SHA512
67866e0cb9c49ae6a6aeb1ab6c39c82d1e1338163cedefcd91bf8b287524c6978b6df8856eb52a04ce294638a069d33e5f258a6360fe8745474abfcece43ce09

Download Submit
C:\Windows\pcawhere\thinprobe.exe
MD5
65e6e6fffa769830d76ac4fae2433121

SHA1
ced1d78304c4b4dfeb357739859587744e7530da

SHA256
76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af

SHA512
8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a

Download Submit
C:\Windows\pcawhere\thinprobe.exe
MD5
65e6e6fffa769830d76ac4fae2433121

SHA1
ced1d78304c4b4dfeb357739859587744e7530da

SHA256
76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af

SHA512
8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a

Download Submit
\Users\Admin\AppData\Local\Temp\7z5CC532E8\thinhostprobedll.dll
MD5
bfb71e0efe5d9208aa9cbdfd4a85a52d

SHA1
ea487fbad911df1f51aa9332336847e2d5dd68bf

SHA256
c195afb7048664ea2a68fa11b5ebeca502ee5454b2364216d0002a3bfda7057d

SHA512
de7490b47939de9e634bea75400c0d820e4e62ee083020e18a48b66fff8ad307926778424fe315ca616878361babe6e6642272ce1eb9036b661c37cd5960bdf6

Download Submit
\Users\Admin\AppData\Local\Temp\7z5CC532E8\thinprobe.exe
MD5
65e6e6fffa769830d76ac4fae2433121

SHA1
ced1d78304c4b4dfeb357739859587744e7530da

SHA256
76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af

SHA512
8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a

Download Submit
memory/288-61-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/288-66-0x0000000074A20000-0x0000000074A2D000-memory.dmp

Filesize
52KB

Download
memory/288-67-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/744-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1060-69-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/1060-84-0x0000000074A20000-0x0000000074A2D000-memory.dmp

Filesize
52KB

Download
memory/1196-78-0x00000000000C0000-0x00000000000CD000-memory.dmp

Filesize
52KB

Download
memory/1196-85-0x00000000000C0000-0x00000000000CD000-memory.dmp

Filesize
52KB

Download
memory/1804-83-0x0000000074A20000-0x0000000074A2D000-memory.dmp

Filesize
52KB

Download