metasploit | 1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47

General

Target

1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe
Size

255KB
MD5

05dfc0a684be42b4dcd524f238744869
SHA1

16cd0520e989d386708b5c561f20b0867917d3d6
SHA256

1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47
SHA512

47f7fb910d4b3c8be5c922371bed2e18961d610b5a6504fe70cbb773cb5ed2e92e9a33f9b63b9fc8c306dc7fcee6880eacf355e6765eb4993967f857bd049617

Score

10^/10

metasploit backdoor bootkit persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 1 IoCs

Processes:

InfDefaultInstall.exe

pid process

1988 InfDefaultInstall.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

InfDefaultInstall.exe

description ioc process

File opened for modification \??\PhysicalDrive0 InfDefaultInstall.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

InfDefaultInstall.exe

description pid process

Token: SeShutdownPrivilege 1988 InfDefaultInstall.exe

pid	process
1988	InfDefaultInstall.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	InfDefaultInstall.exe

description	pid	process
Token: SeShutdownPrivilege	1988	InfDefaultInstall.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe

description	pid	process	target process
PID 2232 wrote to memory of 1988	2232	1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe	InfDefaultInstall.exe
PID 2232 wrote to memory of 1988	2232	1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe	InfDefaultInstall.exe
PID 2232 wrote to memory of 1988	2232	1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe	InfDefaultInstall.exe

C:\Users\Admin\AppData\Local\Temp\1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe
"C:\Users\Admin\AppData\Local\Temp\1421260042d8f5f46f8e37e2efa0d1b21391cc6f3fe826dce10549f9c399df47.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Roaming\{0894f11d-d65b-4123-a883-b4a35b394652}\InfDefaultInstall.exe
"C:\Users\Admin\AppData\Roaming\{0894f11d-d65b-4123-a883-b4a35b394652}\InfDefaultInstall.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\{0894f11d-d65b-4123-a883-b4a35b394652}\InfDefaultInstall.exe

Filesize
255KB

MD5
998e08c4e197dbcbef060b4354648d6b

SHA1
0fc79a3acf2167fa2f08d4dac2e814c24e026b04

SHA256
89686081df1be5b01e3d698198590b6a5d37264b392485def684c4b58c05a6b9

SHA512
3f534c6636c9665f3486552824ccb35524d0280418d94f4139fe48c95ba622a0ef0b577aa5b31ed86031431da7a12badba63ee4fe43317b18945d1273a4f2a18

Download Submit
C:\Users\Admin\AppData\Roaming\{0894f11d-d65b-4123-a883-b4a35b394652}\InfDefaultInstall.exe

Filesize
255KB

MD5
998e08c4e197dbcbef060b4354648d6b

SHA1
0fc79a3acf2167fa2f08d4dac2e814c24e026b04

SHA256
89686081df1be5b01e3d698198590b6a5d37264b392485def684c4b58c05a6b9

SHA512
3f534c6636c9665f3486552824ccb35524d0280418d94f4139fe48c95ba622a0ef0b577aa5b31ed86031431da7a12badba63ee4fe43317b18945d1273a4f2a18

Download Submit
memory/1988-130-0x0000000000000000-mapping.dmp

Download
memory/1988-135-0x0000000000500000-0x000000000051A000-memory.dmp

Filesize
104KB

Download
memory/2232-132-0x0000000000600000-0x0000000000616000-memory.dmp

Filesize
88KB

Download
memory/2232-134-0x0000000000A30000-0x0000000000A4A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing