metasploit | 112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8

General

Target

112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe
Size

48KB
MD5

3a59d45ff99888ef3eda7595c10e295a
SHA1

2e41ca17e9549244d314fd287aeb159748d261f7
SHA256

112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8
SHA512

890fb4cc5c73b84f52a2b3f1fc125200a5e1eee4aec39739814e923ad53f7c5397d0655a30a87d3b990482fae27930389d9663d9121e7b2008bd691ee8f18d92

Score

10^/10

metasploit backdoor persistence suricata trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
suricata: ET MALWARE DNS Reply Sinkhole - Microsoft - 199.2.137.0/24
suricata: ET MALWARE DNS Reply Sinkhole - Microsoft - 199.2.137.0/24
suricata

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\sadrive32.exe"	112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe

Executes dropped EXE 1 IoCs

Processes:

sadrive32.exe

pid process

4424 sadrive32.exe

pid	process
4424	sadrive32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\sadrive32.exe"	112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe

Drops file in Windows directory 3 IoCs

Processes:

112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exesadrive32.exe

description	ioc	process
File created	C:\Windows\sadrive32.exe	112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe
File opened for modification	C:\Windows\sadrive32.exe	112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe
File created	C:\Windows\%windir%\lfffile32.log	sadrive32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe

pid	process
4100	112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe
4100	112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe
4100	112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe
4100	112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe

description	pid	process	target process
PID 4100 wrote to memory of 4424	4100	112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe	sadrive32.exe
PID 4100 wrote to memory of 4424	4100	112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe	sadrive32.exe
PID 4100 wrote to memory of 4424	4100	112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe	sadrive32.exe

C:\Users\Admin\AppData\Local\Temp\112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe
"C:\Users\Admin\AppData\Local\Temp\112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8.exe"
1⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\sadrive32.exe
"C:\Windows\sadrive32.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\sadrive32.exe
Filesize
48KB

MD5
3a59d45ff99888ef3eda7595c10e295a

SHA1
2e41ca17e9549244d314fd287aeb159748d261f7

SHA256
112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8

SHA512
890fb4cc5c73b84f52a2b3f1fc125200a5e1eee4aec39739814e923ad53f7c5397d0655a30a87d3b990482fae27930389d9663d9121e7b2008bd691ee8f18d92

Download Submit
C:\Windows\sadrive32.exe
Filesize
48KB

MD5
3a59d45ff99888ef3eda7595c10e295a

SHA1
2e41ca17e9549244d314fd287aeb159748d261f7

SHA256
112626c80723081de153623493adad8068d5b27497edf13dab5ed905bc3368e8

SHA512
890fb4cc5c73b84f52a2b3f1fc125200a5e1eee4aec39739814e923ad53f7c5397d0655a30a87d3b990482fae27930389d9663d9121e7b2008bd691ee8f18d92

Download Submit
memory/4100-130-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/4100-131-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4100-135-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4424-132-0x0000000000000000-mapping.dmp

Download
memory/4424-137-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4424-136-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/4424-138-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads