metasploit | b8a1ecdac45c0d6c815cc70031cb0549b3a8a4dec7adeb8b1e216549e52cbaa9

General

Target

b8a1ecdac45c0d6c815cc70031cb0549b3a8a4dec7adeb8b1e216549e52cbaa9.docm
Size

195KB
MD5

303f486490b099a40f8786abd53fb7f8
SHA1

fb834998ffd0a056fc435270702609f66bf5b377
SHA256

b8a1ecdac45c0d6c815cc70031cb0549b3a8a4dec7adeb8b1e216549e52cbaa9
SHA512

eb3a1409ca7492a13a516016cc9b3a95cbc09ff9805432c75f3b4f4bb61855d1471ec56c6569eec459b1cb90658822574be74954615bfd7df8945807cdd4f7cb

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.2.81:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 1 IoCs

Processes:

radB82DF.tmp.exe

pid process

1456 radB82DF.tmp.exe

pid	process
1456	radB82DF.tmp.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4164 WINWORD.EXE
4164 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

4164 WINWORD.EXE
4164 WINWORD.EXE
4164 WINWORD.EXE
4164 WINWORD.EXE
4164 WINWORD.EXE
4164 WINWORD.EXE
4164 WINWORD.EXE

pid	process
4164	WINWORD.EXE
4164	WINWORD.EXE

pid	process
4164	WINWORD.EXE
4164	WINWORD.EXE
4164	WINWORD.EXE
4164	WINWORD.EXE
4164	WINWORD.EXE
4164	WINWORD.EXE
4164	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4164 wrote to memory of 1456	4164	WINWORD.EXE	radB82DF.tmp.exe
PID 4164 wrote to memory of 1456	4164	WINWORD.EXE	radB82DF.tmp.exe
PID 4164 wrote to memory of 1456	4164	WINWORD.EXE	radB82DF.tmp.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b8a1ecdac45c0d6c815cc70031cb0549b3a8a4dec7adeb8b1e216549e52cbaa9.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4164

C:\Users\Admin\AppData\Local\Temp\radB82DF.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\radB82DF.tmp.exe"
2⤵
- Executes dropped EXE
PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\radB82DF.tmp.exe

Filesize
72KB

MD5
b9bb353e5da0cc77030c12825657c3f8

SHA1
d7111c78f855d6316bb033107b4be8932b38575b

SHA256
bbb1eb88a95d05ef2f17b7ddb1529f82169a0836c93258693a58a9110e830e3f

SHA512
8840ced724a0638607e5cffe24fe26094d2b110932ef34529c9fecce3d42a1a2ac49cd5a200f6cdc1d53fe9b0c190a2b8313bbe04cea3c19f599d9f36063e9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\radB82DF.tmp.exe

Filesize
72KB

MD5
b9bb353e5da0cc77030c12825657c3f8

SHA1
d7111c78f855d6316bb033107b4be8932b38575b

SHA256
bbb1eb88a95d05ef2f17b7ddb1529f82169a0836c93258693a58a9110e830e3f

SHA512
8840ced724a0638607e5cffe24fe26094d2b110932ef34529c9fecce3d42a1a2ac49cd5a200f6cdc1d53fe9b0c190a2b8313bbe04cea3c19f599d9f36063e9fc

Download Submit
memory/1456-137-0x0000000000000000-mapping.dmp

Download
memory/4164-130-0x00007FFA9B690000-0x00007FFA9B6A0000-memory.dmp

Filesize
64KB

Download
memory/4164-131-0x00007FFA9B690000-0x00007FFA9B6A0000-memory.dmp

Filesize
64KB

Download
memory/4164-132-0x00007FFA9B690000-0x00007FFA9B6A0000-memory.dmp

Filesize
64KB

Download
memory/4164-133-0x00007FFA9B690000-0x00007FFA9B6A0000-memory.dmp

Filesize
64KB

Download
memory/4164-134-0x00007FFA9B690000-0x00007FFA9B6A0000-memory.dmp

Filesize
64KB

Download
memory/4164-135-0x00007FFA990C0000-0x00007FFA990D0000-memory.dmp

Filesize
64KB

Download
memory/4164-136-0x00007FFA990C0000-0x00007FFA990D0000-memory.dmp

Filesize
64KB

Download
memory/4164-140-0x000001CB501BD000-0x000001CB501BF000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads