metasploit | 14bd8ce373bf64dc8f78775f284ce5449cc350796a4b53c27505c4f9bcba0379

General

Target

14bd8ce373bf64dc8f78775f284ce5449cc350796a4b53c27505c4f9bcba0379.docm
Size

51KB
MD5

577eab90797f2804a44cce6241eb9c22
SHA1

6bee48fb567b6f0acc2cd129741f0351b961c89f
SHA256

14bd8ce373bf64dc8f78775f284ce5449cc350796a4b53c27505c4f9bcba0379
SHA512

e5a5140424c5dcfccd2dafc34bdf2232dd2d046dd933f47053b9278ccf1f67e3a61110da0c81c9f419a42a0a4538c97c5dba1b8a6dba800d0186b69a07d9770c

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://191.101.42.179:8080/HxJOy7n0CJvydvN3qZ2FLgqSDe-upNDe0J0Ts0S_QVE3U8qmdyykRSnD6T_HvD7La8DNmDu0GFUno6sSH6E1kyH1KFLrK-sU2mx6mwqnG4gBWa7BSH61LeWes6_ip9ijxEIdPAmYbrc9mOjG3ohA4KJrSn_hMCCfI9Pc_7hBhp

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 1 IoCs

Processes:

txqTrPLp.exe

pid process

4172 txqTrPLp.exe

pid	process
4172	txqTrPLp.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

868 WINWORD.EXE
868 WINWORD.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

WINWORD.EXE

pid	process
868	WINWORD.EXE
868	WINWORD.EXE
868	WINWORD.EXE
868	WINWORD.EXE
868	WINWORD.EXE
868	WINWORD.EXE
868	WINWORD.EXE
868	WINWORD.EXE
868	WINWORD.EXE
868	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 868 wrote to memory of 4172	868	WINWORD.EXE	txqTrPLp.exe
PID 868 wrote to memory of 4172	868	WINWORD.EXE	txqTrPLp.exe
PID 868 wrote to memory of 4172	868	WINWORD.EXE	txqTrPLp.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\14bd8ce373bf64dc8f78775f284ce5449cc350796a4b53c27505c4f9bcba0379.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\txqTrPLp.exe
C:\Users\Admin\txqTrPLp.exe
2⤵
- Executes dropped EXE
PID:4172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\txqTrPLp.exe
Filesize
4KB

MD5
4788af93cfbfc6fa40602c34205e8f78

SHA1
27846a108f37d617ea2b062673a7cddb62ea1a71

SHA256
212f19c7162e353259d30000502c8bc7b938f26398596beaff56dbf2577f8307

SHA512
3c70a46284006805ab14d99b834c1192a31ebe4912312e6d4a9b6db5d608d5603c8210e47c5eefc85ebf9d1e648aff53043f0d64d64c66fe58482df9b6d27746

Download Submit
C:\Users\Admin\txqTrPLp.exe
Filesize
4KB

MD5
4788af93cfbfc6fa40602c34205e8f78

SHA1
27846a108f37d617ea2b062673a7cddb62ea1a71

SHA256
212f19c7162e353259d30000502c8bc7b938f26398596beaff56dbf2577f8307

SHA512
3c70a46284006805ab14d99b834c1192a31ebe4912312e6d4a9b6db5d608d5603c8210e47c5eefc85ebf9d1e648aff53043f0d64d64c66fe58482df9b6d27746

Download Submit
memory/868-143-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmp

Filesize
64KB

Download
memory/868-130-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmp

Filesize
64KB

Download
memory/868-134-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmp

Filesize
64KB

Download
memory/868-135-0x00007FFC474A0000-0x00007FFC474B0000-memory.dmp

Filesize
64KB

Download
memory/868-136-0x00007FFC474A0000-0x00007FFC474B0000-memory.dmp

Filesize
64KB

Download
memory/868-132-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmp

Filesize
64KB

Download
memory/868-146-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmp

Filesize
64KB

Download
memory/868-145-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmp

Filesize
64KB

Download
memory/868-131-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmp

Filesize
64KB

Download
memory/868-144-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmp

Filesize
64KB

Download
memory/868-133-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmp

Filesize
64KB

Download
memory/4172-141-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4172-139-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4172-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads