metasploit | 110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639

General

Target

110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
Size

89KB
MD5

00f3c5e9de28495de0aeba766e905b7d
SHA1

da6e3dc9163fb2626aa5c514c99925420f05eb82
SHA256

110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639
SHA512

011316f4ff28f0841823dd61af6ece96de33007cbe679f89deb917f96c8b17d8fd8e01733c2a44d4b536cdc5bb7e82d1c3a9ee22fa7d6dc4066e76ff9ef36967

Score

10^/10

metasploit backdoor persistence trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 2 IoCs

Processes:

AdobeARMS.exeAdobeARMS.exe

pid process

1692 AdobeARMS.exe
1800 AdobeARMS.exe

pid	process
1692	AdobeARMS.exe
1800	AdobeARMS.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1104-55-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1104-57-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1104-60-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1104-65-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1104-66-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1104-67-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1104-73-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1800-86-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1800-87-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1800-88-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe

pid	process
1104	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
1104	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AdobeARMS.exe110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeARMS = "\\AdobeARMS.exe"	AdobeARMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeARMS = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARMS.exe"	AdobeARMS.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\patches = "1"	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeARMS = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARMS.exe"	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exeAdobeARMS.exe

description	pid	process	target process
PID 1908 set thread context of 1104	1908	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 1692 set thread context of 1800	1692	AdobeARMS.exe	AdobeARMS.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exeAdobeARMS.exe

description	pid	process	target process
PID 1908 wrote to memory of 1104	1908	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 1908 wrote to memory of 1104	1908	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 1908 wrote to memory of 1104	1908	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 1908 wrote to memory of 1104	1908	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 1908 wrote to memory of 1104	1908	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 1908 wrote to memory of 1104	1908	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 1908 wrote to memory of 1104	1908	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 1908 wrote to memory of 1104	1908	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 1104 wrote to memory of 1692	1104	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	AdobeARMS.exe
PID 1104 wrote to memory of 1692	1104	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	AdobeARMS.exe
PID 1104 wrote to memory of 1692	1104	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	AdobeARMS.exe
PID 1104 wrote to memory of 1692	1104	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	AdobeARMS.exe
PID 1692 wrote to memory of 1800	1692	AdobeARMS.exe	AdobeARMS.exe
PID 1692 wrote to memory of 1800	1692	AdobeARMS.exe	AdobeARMS.exe
PID 1692 wrote to memory of 1800	1692	AdobeARMS.exe	AdobeARMS.exe
PID 1692 wrote to memory of 1800	1692	AdobeARMS.exe	AdobeARMS.exe
PID 1692 wrote to memory of 1800	1692	AdobeARMS.exe	AdobeARMS.exe
PID 1692 wrote to memory of 1800	1692	AdobeARMS.exe	AdobeARMS.exe
PID 1692 wrote to memory of 1800	1692	AdobeARMS.exe	AdobeARMS.exe
PID 1692 wrote to memory of 1800	1692	AdobeARMS.exe	AdobeARMS.exe

C:\Users\Admin\AppData\Local\Temp\110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
"C:\Users\Admin\AppData\Local\Temp\110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
"C:\Users\Admin\AppData\Local\Temp\110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Roaming\AdobeARMS.exe
C:\Users\Admin\AppData\Roaming\AdobeARMS.exe 476 "C:\Users\Admin\AppData\Local\Temp\110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Roaming\AdobeARMS.exe
"C:\Users\Admin\AppData\Roaming\AdobeARMS.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AdobeARMS.exe
Filesize
89KB

MD5
00f3c5e9de28495de0aeba766e905b7d

SHA1
da6e3dc9163fb2626aa5c514c99925420f05eb82

SHA256
110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639

SHA512
011316f4ff28f0841823dd61af6ece96de33007cbe679f89deb917f96c8b17d8fd8e01733c2a44d4b536cdc5bb7e82d1c3a9ee22fa7d6dc4066e76ff9ef36967

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeARMS.exe
Filesize
89KB

MD5
00f3c5e9de28495de0aeba766e905b7d

SHA1
da6e3dc9163fb2626aa5c514c99925420f05eb82

SHA256
110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639

SHA512
011316f4ff28f0841823dd61af6ece96de33007cbe679f89deb917f96c8b17d8fd8e01733c2a44d4b536cdc5bb7e82d1c3a9ee22fa7d6dc4066e76ff9ef36967

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeARMS.exe
Filesize
89KB

MD5
00f3c5e9de28495de0aeba766e905b7d

SHA1
da6e3dc9163fb2626aa5c514c99925420f05eb82

SHA256
110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639

SHA512
011316f4ff28f0841823dd61af6ece96de33007cbe679f89deb917f96c8b17d8fd8e01733c2a44d4b536cdc5bb7e82d1c3a9ee22fa7d6dc4066e76ff9ef36967

Download Submit
\Users\Admin\AppData\Roaming\AdobeARMS.exe
Filesize
89KB

MD5
00f3c5e9de28495de0aeba766e905b7d

SHA1
da6e3dc9163fb2626aa5c514c99925420f05eb82

SHA256
110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639

SHA512
011316f4ff28f0841823dd61af6ece96de33007cbe679f89deb917f96c8b17d8fd8e01733c2a44d4b536cdc5bb7e82d1c3a9ee22fa7d6dc4066e76ff9ef36967

Download Submit
\Users\Admin\AppData\Roaming\AdobeARMS.exe
Filesize
89KB

MD5
00f3c5e9de28495de0aeba766e905b7d

SHA1
da6e3dc9163fb2626aa5c514c99925420f05eb82

SHA256
110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639

SHA512
011316f4ff28f0841823dd61af6ece96de33007cbe679f89deb917f96c8b17d8fd8e01733c2a44d4b536cdc5bb7e82d1c3a9ee22fa7d6dc4066e76ff9ef36967

Download Submit
memory/1104-64-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1104-60-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1104-66-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1104-67-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1104-54-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1104-62-0x0000000000488340-mapping.dmp

Download
memory/1104-55-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1104-65-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1104-57-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1104-73-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1692-70-0x0000000000000000-mapping.dmp

Download
memory/1800-82-0x0000000000488340-mapping.dmp

Download
memory/1800-86-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1800-87-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1800-88-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads