metasploit | 11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa

General

Target

11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
Size

58KB
MD5

9329985551d50c0a858d50668f714774
SHA1

b0346c80e1343c9060ad52360fe57ada0860ea9f
SHA256

11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa
SHA512

30d06dd4badbe5c44829a8b64e772637d852e2d933781f6bf06705186d3e430b994e674746969b36b18e8fcba3bfed8705c3f7ce7cfff61219a0f169a068bf31

Score

10^/10

metasploit backdoor evasion persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe:*:Enabled:Windows Live Messenging"	11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe

Executes dropped EXE 1 IoCs

Processes:

svhosts.exe

pid process

1124 svhosts.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1064 netsh.exe

pid	process
1124	svhosts.exe

pid	process
1064	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenging = "svhosts.exe"	11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe

Drops file in Windows directory 2 IoCs

Processes:

11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe

description	ioc	process
File created	C:\Windows\svhosts.exe	11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
File opened for modification	C:\Windows\svhosts.exe	11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe

description	pid	process	target process
PID 2024 wrote to memory of 1064	2024	11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe	netsh.exe
PID 2024 wrote to memory of 1064	2024	11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe	netsh.exe
PID 2024 wrote to memory of 1064	2024	11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe	netsh.exe
PID 2024 wrote to memory of 1064	2024	11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe	netsh.exe
PID 2024 wrote to memory of 1124	2024	11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe	svhosts.exe
PID 2024 wrote to memory of 1124	2024	11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe	svhosts.exe
PID 2024 wrote to memory of 1124	2024	11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe	svhosts.exe
PID 2024 wrote to memory of 1124	2024	11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe	svhosts.exe

C:\Users\Admin\AppData\Local\Temp\11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe
"C:\Users\Admin\AppData\Local\Temp\11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa.exe"
1⤵
- Modifies firewall policy service
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram svhost.exe 1 ENABLE
2⤵
- Modifies Windows Firewall
PID:1064

C:\Windows\svhosts.exe
"C:\Windows\svhosts.exe"
2⤵
- Executes dropped EXE
PID:1124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svhosts.exe
Filesize
58KB

MD5
9329985551d50c0a858d50668f714774

SHA1
b0346c80e1343c9060ad52360fe57ada0860ea9f

SHA256
11023b819f2ab50a2f84f8733af770df40105f1438d8766da2c1c3cb6f949faa

SHA512
30d06dd4badbe5c44829a8b64e772637d852e2d933781f6bf06705186d3e430b994e674746969b36b18e8fcba3bfed8705c3f7ce7cfff61219a0f169a068bf31

Download Submit
memory/1064-55-0x0000000000000000-mapping.dmp

Download
memory/1124-56-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x0000000074DD1000-0x0000000074DD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads