metasploit | 2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233

General

Target

2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe
Size

120KB
MD5

22cbe2b0f1ef3f2b18b4c5aed6d7bb79
SHA1

9063797b6ebe0cb1c83cde2c15d9c69736d53c71
SHA256

2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233
SHA512

b96d33189d73f228936173293c68be3fa2545a4e36db0712d999a664bbc15c5b252b1ba1d9beb591f01c46188bdbce3845b09916ff61227e04c3c9c9c494c612

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 3 IoCs

Processes:

thinprobe.exethinprobe.exethinprobe.exe

pid process

3784 thinprobe.exe
2844 thinprobe.exe
2700 thinprobe.exe
Deletes itself 1 IoCs

Processes:

thinprobe.exe

pid process

3784 thinprobe.exe
Loads dropped DLL 1 IoCs

Processes:

thinprobe.exe

pid process

3784 thinprobe.exe
Drops file in Windows directory 1 IoCs

Processes:

thinprobe.exe

description ioc process

File opened for modification C:\Windows\pcawhere\config.ini thinprobe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

svchost.exe

pid process

604 svchost.exe
604 svchost.exe
604 svchost.exe
604 svchost.exe
604 svchost.exe
604 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

thinprobe.exethinprobe.exe

description pid process

Token: SeDebugPrivilege 3784 thinprobe.exe
Token: SeDebugPrivilege 2700 thinprobe.exe

pid	process
3784	thinprobe.exe
2844	thinprobe.exe
2700	thinprobe.exe

pid	process
3784	thinprobe.exe

pid	process
3784	thinprobe.exe

description	ioc	process
File opened for modification	C:\Windows\pcawhere\config.ini	thinprobe.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

pid	process
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe

description	pid	process
Token: SeDebugPrivilege	3784	thinprobe.exe
Token: SeDebugPrivilege	2700	thinprobe.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exethinprobe.exethinprobe.exe

description	pid	process	target process
PID 2752 wrote to memory of 3784	2752	2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe	thinprobe.exe
PID 2752 wrote to memory of 3784	2752	2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe	thinprobe.exe
PID 2752 wrote to memory of 3784	2752	2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe	thinprobe.exe
PID 3784 wrote to memory of 2844	3784	thinprobe.exe	thinprobe.exe
PID 3784 wrote to memory of 2844	3784	thinprobe.exe	thinprobe.exe
PID 3784 wrote to memory of 2844	3784	thinprobe.exe	thinprobe.exe
PID 2700 wrote to memory of 604	2700	thinprobe.exe	svchost.exe
PID 2700 wrote to memory of 604	2700	thinprobe.exe	svchost.exe
PID 2700 wrote to memory of 604	2700	thinprobe.exe	svchost.exe
PID 2700 wrote to memory of 604	2700	thinprobe.exe	svchost.exe
PID 2700 wrote to memory of 604	2700	thinprobe.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe
"C:\Users\Admin\AppData\Local\Temp\2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\7z71FB2AC0\thinprobe.exe
C:\Users\Admin\AppData\Local\Temp\7z71FB2AC0\thinprobe.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\pcawhere\thinprobe.exe
"C:\Windows\pcawhere\thinprobe.exe"
3⤵
- Executes dropped EXE
PID:2844

C:\Windows\pcawhere\thinprobe.exe
C:\Windows\pcawhere\thinprobe.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\svchost.exe
-daemon
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z71FB2AC0\ThinHostProbedll.dll
MD5
bfb71e0efe5d9208aa9cbdfd4a85a52d

SHA1
ea487fbad911df1f51aa9332336847e2d5dd68bf

SHA256
c195afb7048664ea2a68fa11b5ebeca502ee5454b2364216d0002a3bfda7057d

SHA512
de7490b47939de9e634bea75400c0d820e4e62ee083020e18a48b66fff8ad307926778424fe315ca616878361babe6e6642272ce1eb9036b661c37cd5960bdf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z71FB2AC0\thinprobe.exe
MD5
65e6e6fffa769830d76ac4fae2433121

SHA1
ced1d78304c4b4dfeb357739859587744e7530da

SHA256
76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af

SHA512
8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z71FB2AC0\thinprobe.exe
MD5
65e6e6fffa769830d76ac4fae2433121

SHA1
ced1d78304c4b4dfeb357739859587744e7530da

SHA256
76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af

SHA512
8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z71FB2AC0\thumb.db
MD5
3de31dfdc8b414e2adc69ba0b98c15a4

SHA1
e1a2fd0649a9cededc9254913b763ed0cbc4a1d8

SHA256
16934d5efcc37b0d8e3cd65a8c4b60cd9a16dfd2ee15c2dfb18827b4735849e0

SHA512
0e9cc74392f7a6e96ebd3ffbd858cd0dbf5d05bb81d0dbdee840cbc2905a3e3a80e2cde9c8d7e05ddd4bc4ab9745e83aeaed1b55ddba120bd4b9520939503a8c

Download Submit
C:\Windows\pcawhere\config.ini
MD5
f4a0bb33a4f216f3acc0c3e39b92e6aa

SHA1
59f1b2c58da76d8dac264f559d72bc897fd01fc3

SHA256
fa1aa0780c86d904d6ebeb6935fd5ddc250f16ed80b694d3d329fde86196bc2d

SHA512
1e6955bb56903dcbaf85187542721600f28d6a34d1d5a0efef9f57470f276f89fc8a62d463d722beb767e87c8d9079015b32cf3dbd709edb0289e0767a9abf25

Download Submit
C:\Windows\pcawhere\thinprobe.exe
MD5
65e6e6fffa769830d76ac4fae2433121

SHA1
ced1d78304c4b4dfeb357739859587744e7530da

SHA256
76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af

SHA512
8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a

Download Submit
C:\Windows\pcawhere\thinprobe.exe
MD5
65e6e6fffa769830d76ac4fae2433121

SHA1
ced1d78304c4b4dfeb357739859587744e7530da

SHA256
76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af

SHA512
8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a

Download Submit
\Users\Admin\AppData\Local\Temp\7z71FB2AC0\thinhostprobedll.dll
MD5
bfb71e0efe5d9208aa9cbdfd4a85a52d

SHA1
ea487fbad911df1f51aa9332336847e2d5dd68bf

SHA256
c195afb7048664ea2a68fa11b5ebeca502ee5454b2364216d0002a3bfda7057d

SHA512
de7490b47939de9e634bea75400c0d820e4e62ee083020e18a48b66fff8ad307926778424fe315ca616878361babe6e6642272ce1eb9036b661c37cd5960bdf6

Download Submit
memory/604-139-0x00000000024A0000-0x00000000024AD000-memory.dmp

Filesize
52KB

Download
memory/2700-136-0x0000000074640000-0x000000007464D000-memory.dmp

Filesize
52KB

Download
memory/2700-137-0x00000000001E0000-0x00000000001ED000-memory.dmp

Filesize
52KB

Download
memory/2844-138-0x0000000074640000-0x000000007464D000-memory.dmp

Filesize
52KB

Download
memory/3784-124-0x0000000074640000-0x000000007464D000-memory.dmp

Filesize
52KB

Download
memory/3784-120-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing