metasploit | a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2 | Triage

Analysis

max time kernel
115s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 03:18

Sharing

Report Analysis Logs

General

Target

a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Size

313KB
MD5

ab99d86641bc4e215cd5c5cb7901f296
SHA1

60ae30ec44ee3eb2d057717ccaf7ad2b0b5cdb81
SHA256

a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2
SHA512

23a129543a547cc147b20d55e8bd8657cc6e400bb048825220e033ed9e7e0552c6981eb4a8cfb309b78cf8ae72e3f164fc355a9c4acace4ded291c1dfcd95c7a

Score

10^/10

metasploit backdoor trojan

Malware Config

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 173.0.54.10

Modifies registry class 18 IoCs

Processes:

a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\DefaultIcon	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A1BC48~1.EXE,1"	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\print\command	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\printto\command	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.srz\ = "SerializeExp.Document"	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\print	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\printto	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A1BC48~1.EXE \"%1\""	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.srz	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.srz\ShellNew\NullFile	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\ = "Serial Document"	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\open\command	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\open	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A1BC48~1.EXE /p \"%1\""	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SerializeExp.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A1BC48~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.srz\ShellNew	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe

pid	process
4556	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
4556	a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe

C:\Users\Admin\AppData\Local\Temp\a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe
"C:\Users\Admin\AppData\Local\Temp\a1bc48d75bee7b2afcd7e035effda4960d9346f7fd087b05a53cc0ca539175f2.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4556-130-0x0000000000C50000-0x0000000000C66000-memory.dmp

Filesize
88KB

Download
memory/4556-134-0x0000000000C30000-0x0000000000C48000-memory.dmp

Filesize
96KB

Download