metasploit | 34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa

Analysis

max time kernel
135s
max time network
146s
platform
windows7_x64
resource
win7-en-20211208
submitted
28-01-2022 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe
Size

120KB
MD5

0d0320878946a73749111e6c94bf1525
SHA1

1e9b5c685640df11659aea7748d9bf3df70aadcf
SHA256

34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa
SHA512

fc695dd905213d7b623d33d2fa9302399897970f3b8705182fa50e771dad13dac5d5d302a508cdc4f3fdb37122999f2d492188667b92050fe49a29abff53a8b1

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 3 IoCs

Processes:

thinprobe.exethinprobe.exethinprobe.exe

pid process

1248 thinprobe.exe
432 thinprobe.exe
1904 thinprobe.exe
Deletes itself 1 IoCs

Processes:

thinprobe.exe

pid process

1248 thinprobe.exe
Loads dropped DLL 2 IoCs

Processes:

34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exethinprobe.exe

pid process

1612 34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe
1248 thinprobe.exe
Drops file in Windows directory 1 IoCs

Processes:

thinprobe.exe

description ioc process

File opened for modification C:\Windows\pcawhere\config.ini thinprobe.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

svchost.exe

pid process

1104 svchost.exe
1104 svchost.exe
1104 svchost.exe
1104 svchost.exe
1104 svchost.exe
1104 svchost.exe
1104 svchost.exe
1104 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

thinprobe.exethinprobe.exe

description pid process

Token: SeDebugPrivilege 1248 thinprobe.exe
Token: SeDebugPrivilege 1904 thinprobe.exe

pid	process
1248	thinprobe.exe
432	thinprobe.exe
1904	thinprobe.exe

pid	process
1248	thinprobe.exe

pid	process
1612	34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe
1248	thinprobe.exe

description	ioc	process
File opened for modification	C:\Windows\pcawhere\config.ini	thinprobe.exe

pid	process
1104	svchost.exe
1104	svchost.exe
1104	svchost.exe
1104	svchost.exe
1104	svchost.exe
1104	svchost.exe
1104	svchost.exe
1104	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1248	thinprobe.exe
Token: SeDebugPrivilege	1904	thinprobe.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exethinprobe.exethinprobe.exe

description	pid	process	target process
PID 1612 wrote to memory of 1248	1612	34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe	thinprobe.exe
PID 1612 wrote to memory of 1248	1612	34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe	thinprobe.exe
PID 1612 wrote to memory of 1248	1612	34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe	thinprobe.exe
PID 1612 wrote to memory of 1248	1612	34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe	thinprobe.exe
PID 1248 wrote to memory of 432	1248	thinprobe.exe	thinprobe.exe
PID 1248 wrote to memory of 432	1248	thinprobe.exe	thinprobe.exe
PID 1248 wrote to memory of 432	1248	thinprobe.exe	thinprobe.exe
PID 1248 wrote to memory of 432	1248	thinprobe.exe	thinprobe.exe
PID 1904 wrote to memory of 1104	1904	thinprobe.exe	svchost.exe
PID 1904 wrote to memory of 1104	1904	thinprobe.exe	svchost.exe
PID 1904 wrote to memory of 1104	1904	thinprobe.exe	svchost.exe
PID 1904 wrote to memory of 1104	1904	thinprobe.exe	svchost.exe
PID 1904 wrote to memory of 1104	1904	thinprobe.exe	svchost.exe
PID 1904 wrote to memory of 1104	1904	thinprobe.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe
"C:\Users\Admin\AppData\Local\Temp\34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\7z5A6B564C\thinprobe.exe
C:\Users\Admin\AppData\Local\Temp\7z5A6B564C\thinprobe.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\pcawhere\thinprobe.exe
"C:\Windows\pcawhere\thinprobe.exe"
3⤵
- Executes dropped EXE
PID:432

C:\Windows\pcawhere\thinprobe.exe
C:\Windows\pcawhere\thinprobe.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\svchost.exe
-daemon
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z5A6B564C\ThinHostProbedll.dll
MD5
bfb71e0efe5d9208aa9cbdfd4a85a52d

SHA1
ea487fbad911df1f51aa9332336847e2d5dd68bf

SHA256
c195afb7048664ea2a68fa11b5ebeca502ee5454b2364216d0002a3bfda7057d

SHA512
de7490b47939de9e634bea75400c0d820e4e62ee083020e18a48b66fff8ad307926778424fe315ca616878361babe6e6642272ce1eb9036b661c37cd5960bdf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z5A6B564C\thinprobe.exe
MD5
65e6e6fffa769830d76ac4fae2433121

SHA1
ced1d78304c4b4dfeb357739859587744e7530da

SHA256
76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af

SHA512
8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z5A6B564C\thinprobe.exe
MD5
65e6e6fffa769830d76ac4fae2433121

SHA1
ced1d78304c4b4dfeb357739859587744e7530da

SHA256
76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af

SHA512
8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z5A6B564C\thumb.db
MD5
fe185cb4315658e561fd789181dfd1f3

SHA1
dc6468dd9ab1c73210990c55cca82111ed21e00d

SHA256
eb9f6f3fb6b70d1f49c1c92442a0f96e7583e757b035cb4343767cf9382eb354

SHA512
88347235e77553c976d5d45278d8d51d15815523fc57be73d21b6676ea9f296d16d6c96b6f81f1e3900c373717c589fa3c510ef8f6e33df72ea32ef036687382

Download Submit
C:\Windows\pcawhere\config.ini
MD5
bd11bd032f4f32cf7324e0a302e19c54

SHA1
e5953cf07b5656c486207bc3d5a1b69fea6037e0

SHA256
eb3c995504c075b43239788b40aec8e0efab5ecc60b0c567ccc426d3c9fea6c8

SHA512
bb7758930b050dd46273a5180351b9c91a1480e095ac0d849733d776b4e3aa5211032f85d803b6ee4633668102c390a062e6855c1e9a39f4b5e90a6b9f9aaa51

Download Submit
C:\Windows\pcawhere\thinprobe.exe
MD5
65e6e6fffa769830d76ac4fae2433121

SHA1
ced1d78304c4b4dfeb357739859587744e7530da

SHA256
76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af

SHA512
8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a

Download Submit
C:\Windows\pcawhere\thinprobe.exe
MD5
65e6e6fffa769830d76ac4fae2433121

SHA1
ced1d78304c4b4dfeb357739859587744e7530da

SHA256
76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af

SHA512
8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a

Download Submit
\Users\Admin\AppData\Local\Temp\7z5A6B564C\thinhostprobedll.dll
MD5
bfb71e0efe5d9208aa9cbdfd4a85a52d

SHA1
ea487fbad911df1f51aa9332336847e2d5dd68bf

SHA256
c195afb7048664ea2a68fa11b5ebeca502ee5454b2364216d0002a3bfda7057d

SHA512
de7490b47939de9e634bea75400c0d820e4e62ee083020e18a48b66fff8ad307926778424fe315ca616878361babe6e6642272ce1eb9036b661c37cd5960bdf6

Download Submit
\Users\Admin\AppData\Local\Temp\7z5A6B564C\thinprobe.exe
MD5
65e6e6fffa769830d76ac4fae2433121

SHA1
ced1d78304c4b4dfeb357739859587744e7530da

SHA256
76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af

SHA512
8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a

Download Submit
memory/432-70-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/432-85-0x0000000075280000-0x000000007528D000-memory.dmp

Filesize
52KB

Download
memory/1104-79-0x0000000000080000-0x000000000008D000-memory.dmp

Filesize
52KB

Download
memory/1104-86-0x0000000000080000-0x000000000008D000-memory.dmp

Filesize
52KB

Download
memory/1248-62-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/1248-67-0x0000000075280000-0x000000007528D000-memory.dmp

Filesize
52KB

Download
memory/1248-68-0x00000000003D0000-0x00000000003DD000-memory.dmp

Filesize
52KB

Download
memory/1612-55-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1904-84-0x0000000075280000-0x000000007528D000-memory.dmp

Filesize
52KB

Download