metasploit | 1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b

General

Target

1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe
Size

60KB
MD5

42893adbc36605ec79b5bd610759947e
SHA1

b4e581f173f782a2f1da5d29c95946ee500eb2d0
SHA256

1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b
SHA512

725ff9ba2ce45438983ca5d3596119cb59a9bfe9e661cb9cd8daf42185c4166de34951ac92560d4e129ba9bccb7db0114b15844c660e49fd902001265eb51702

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 1 IoCs

Processes:

NvSmart.exe

pid process

2760 NvSmart.exe

pid	process
2760	NvSmart.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe

Loads dropped DLL 1 IoCs

Processes:

NvSmart.exe

pid process

2760 NvSmart.exe

pid	process
2760	NvSmart.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NvSmart.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	NvSmart.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\360v = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	NvSmart.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe

description pid process

Token: SeIncBasePriorityPrivilege 4176 1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4176	1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exeNvSmart.exe

description	pid	process	target process
PID 4176 wrote to memory of 2760	4176	1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe	NvSmart.exe
PID 4176 wrote to memory of 2760	4176	1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe	NvSmart.exe
PID 4176 wrote to memory of 2760	4176	1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe	NvSmart.exe
PID 4176 wrote to memory of 1212	4176	1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe	cmd.exe
PID 4176 wrote to memory of 1212	4176	1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe	cmd.exe
PID 4176 wrote to memory of 1212	4176	1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe	cmd.exe
PID 2760 wrote to memory of 1020	2760	NvSmart.exe	cmd.exe
PID 2760 wrote to memory of 1020	2760	NvSmart.exe	cmd.exe
PID 2760 wrote to memory of 1020	2760	NvSmart.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe
"C:\Users\Admin\AppData\Local\Temp\1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176

C:\Users\Admin\AppData\Roaming\NvSmart.exe
"C:\Users\Admin\AppData\Roaming\NvSmart.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A
3⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe"
2⤵
PID:1212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NvSmart.exe
Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\Users\Admin\AppData\Roaming\NvSmart.exe
Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\Users\Admin\AppData\Roaming\NvSmartMax.dll
Filesize
4KB

MD5
2d8fb1f82724cf542cd2e3a5e041fb52

SHA1
4e14894860034fefbab41cfe9a763d8061d19ef9

SHA256
ece29e4af4b33c02dafac24748a9c125b057e39455acf3c45464db36bfe74881

SHA512
6694a6719bd726c8302240e13e9f75bd6dd9611eec61b2a509392802d36470c09969b9dc11ef13612eff283f06d36b2586a46a7b4d84a6a8e4dd2f3825fd7aa4

Download Submit
C:\Users\Admin\AppData\Roaming\NvSmartMax.dll
Filesize
4KB

MD5
2d8fb1f82724cf542cd2e3a5e041fb52

SHA1
4e14894860034fefbab41cfe9a763d8061d19ef9

SHA256
ece29e4af4b33c02dafac24748a9c125b057e39455acf3c45464db36bfe74881

SHA512
6694a6719bd726c8302240e13e9f75bd6dd9611eec61b2a509392802d36470c09969b9dc11ef13612eff283f06d36b2586a46a7b4d84a6a8e4dd2f3825fd7aa4

Download Submit
C:\Users\Admin\AppData\Roaming\NvSmartMax.dll.url
Filesize
9KB

MD5
7aefbad9367ab56db1f6f20dcfcd38a0

SHA1
a639e0fe6800012c7ff1256e2875771342194b96

SHA256
d8a59fd0ab8e06439c4eb98c39b24cdcfbb3c93ab4cc57d366cf527f6d88c973

SHA512
5a79c5e3b23df51ba4f8054990c690b6641d28bfade41323cc29bf6f2c2cb98b48190dfb2843e513b293ac77f350815da111a535412f3a44cab376294b096b13

Download Submit
memory/1020-140-0x0000000000000000-mapping.dmp

Download
memory/1212-136-0x0000000000000000-mapping.dmp

Download
memory/2760-130-0x0000000000000000-mapping.dmp

Download
memory/2760-137-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2760-141-0x0000000000510000-0x0000000000513000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads