metasploit | 110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639

General

Target

110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
Size

89KB
MD5

00f3c5e9de28495de0aeba766e905b7d
SHA1

da6e3dc9163fb2626aa5c514c99925420f05eb82
SHA256

110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639
SHA512

011316f4ff28f0841823dd61af6ece96de33007cbe679f89deb917f96c8b17d8fd8e01733c2a44d4b536cdc5bb7e82d1c3a9ee22fa7d6dc4066e76ff9ef36967

Score

10^/10

metasploit backdoor persistence trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 2 IoCs

Processes:

AdobeARMS.exeAdobeARMS.exe

pid process

5088 AdobeARMS.exe
3480 AdobeARMS.exe

pid	process
5088	AdobeARMS.exe
3480	AdobeARMS.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4692-131-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/4692-132-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/4692-133-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/4692-136-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/4692-137-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/4692-141-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/3480-149-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/3480-150-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/3480-151-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exeAdobeARMS.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\patches = "1"	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeARMS = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARMS.exe"	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeARMS = "\\AdobeARMS.exe"	AdobeARMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeARMS = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARMS.exe"	AdobeARMS.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exeAdobeARMS.exe

description	pid	process	target process
PID 4436 set thread context of 4692	4436	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 5088 set thread context of 3480	5088	AdobeARMS.exe	AdobeARMS.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
2124	4436	WerFault.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
1432	5088	WerFault.exe	AdobeARMS.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exeAdobeARMS.exe

description	pid	process	target process
PID 4436 wrote to memory of 4692	4436	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 4436 wrote to memory of 4692	4436	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 4436 wrote to memory of 4692	4436	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 4436 wrote to memory of 4692	4436	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 4436 wrote to memory of 4692	4436	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 4436 wrote to memory of 4692	4436	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 4436 wrote to memory of 4692	4436	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 4436 wrote to memory of 4692	4436	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
PID 4692 wrote to memory of 5088	4692	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	AdobeARMS.exe
PID 4692 wrote to memory of 5088	4692	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	AdobeARMS.exe
PID 4692 wrote to memory of 5088	4692	110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe	AdobeARMS.exe
PID 5088 wrote to memory of 3480	5088	AdobeARMS.exe	AdobeARMS.exe
PID 5088 wrote to memory of 3480	5088	AdobeARMS.exe	AdobeARMS.exe
PID 5088 wrote to memory of 3480	5088	AdobeARMS.exe	AdobeARMS.exe
PID 5088 wrote to memory of 3480	5088	AdobeARMS.exe	AdobeARMS.exe
PID 5088 wrote to memory of 3480	5088	AdobeARMS.exe	AdobeARMS.exe
PID 5088 wrote to memory of 3480	5088	AdobeARMS.exe	AdobeARMS.exe
PID 5088 wrote to memory of 3480	5088	AdobeARMS.exe	AdobeARMS.exe
PID 5088 wrote to memory of 3480	5088	AdobeARMS.exe	AdobeARMS.exe

C:\Users\Admin\AppData\Local\Temp\110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
"C:\Users\Admin\AppData\Local\Temp\110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 384
2⤵
- Program crash
PID:2124

C:\Users\Admin\AppData\Local\Temp\110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe
"C:\Users\Admin\AppData\Local\Temp\110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Roaming\AdobeARMS.exe
C:\Users\Admin\AppData\Roaming\AdobeARMS.exe 908 "C:\Users\Admin\AppData\Local\Temp\110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 388
4⤵
- Program crash
PID:1432

C:\Users\Admin\AppData\Roaming\AdobeARMS.exe
"C:\Users\Admin\AppData\Roaming\AdobeARMS.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4436 -ip 4436
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5088 -ip 5088
1⤵
PID:4164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AdobeARMS.exe
Filesize
89KB

MD5
00f3c5e9de28495de0aeba766e905b7d

SHA1
da6e3dc9163fb2626aa5c514c99925420f05eb82

SHA256
110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639

SHA512
011316f4ff28f0841823dd61af6ece96de33007cbe679f89deb917f96c8b17d8fd8e01733c2a44d4b536cdc5bb7e82d1c3a9ee22fa7d6dc4066e76ff9ef36967

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeARMS.exe
Filesize
89KB

MD5
00f3c5e9de28495de0aeba766e905b7d

SHA1
da6e3dc9163fb2626aa5c514c99925420f05eb82

SHA256
110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639

SHA512
011316f4ff28f0841823dd61af6ece96de33007cbe679f89deb917f96c8b17d8fd8e01733c2a44d4b536cdc5bb7e82d1c3a9ee22fa7d6dc4066e76ff9ef36967

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeARMS.exe
Filesize
89KB

MD5
00f3c5e9de28495de0aeba766e905b7d

SHA1
da6e3dc9163fb2626aa5c514c99925420f05eb82

SHA256
110669939b529f2b854832b4bcdcc2f12018bf4c1b8918c101b383ca0a2ef639

SHA512
011316f4ff28f0841823dd61af6ece96de33007cbe679f89deb917f96c8b17d8fd8e01733c2a44d4b536cdc5bb7e82d1c3a9ee22fa7d6dc4066e76ff9ef36967

Download Submit
memory/3480-151-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3480-150-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3480-149-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3480-142-0x0000000000000000-mapping.dmp

Download
memory/4692-141-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4692-130-0x0000000000000000-mapping.dmp

Download
memory/4692-137-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4692-136-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4692-133-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4692-132-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4692-131-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5088-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads