metasploit | 23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52

General

Target

23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
Size

95KB
MD5

c74bb08e57a5cb5535b6348f2272ced9
SHA1

fcf7da57789483170bd787e33175c112c776792c
SHA256

23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52
SHA512

0f8179c997cff1cd793aa51256e5070f4766722cee166674c40586e976656bfd01305996f44092d7fdede9e2504ca67a3c12e1bbbbbf704ce4758b1106ad90ee

Score

10^/10

metasploit backdoor persistence trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 2 IoCs

Processes:

AdobeARM.exeAdobeARM.exe

pid process

1532 AdobeARM.exe
1736 AdobeARM.exe

pid	process
1532	AdobeARM.exe
1736	AdobeARM.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2016-56-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2016-60-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2016-62-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2016-63-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/2016-69-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1736-77-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1736-78-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1736-79-0x0000000000400000-0x000000000048D000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe

pid	process
2016	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
2016	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exeAdobeARM.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\patches = "1"	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeARM = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARM.exe"	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeARM = "\\AdobeARM.exe"	AdobeARM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeARM = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARM.exe"	AdobeARM.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exeAdobeARM.exe

description	pid	process	target process
PID 1668 set thread context of 2016	1668	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
PID 1532 set thread context of 1736	1532	AdobeARM.exe	AdobeARM.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exeAdobeARM.exe

description	pid	process	target process
PID 1668 wrote to memory of 2016	1668	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
PID 1668 wrote to memory of 2016	1668	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
PID 1668 wrote to memory of 2016	1668	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
PID 1668 wrote to memory of 2016	1668	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
PID 1668 wrote to memory of 2016	1668	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
PID 1668 wrote to memory of 2016	1668	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
PID 2016 wrote to memory of 1532	2016	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	AdobeARM.exe
PID 2016 wrote to memory of 1532	2016	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	AdobeARM.exe
PID 2016 wrote to memory of 1532	2016	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	AdobeARM.exe
PID 2016 wrote to memory of 1532	2016	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	AdobeARM.exe
PID 1532 wrote to memory of 1736	1532	AdobeARM.exe	AdobeARM.exe
PID 1532 wrote to memory of 1736	1532	AdobeARM.exe	AdobeARM.exe
PID 1532 wrote to memory of 1736	1532	AdobeARM.exe	AdobeARM.exe
PID 1532 wrote to memory of 1736	1532	AdobeARM.exe	AdobeARM.exe
PID 1532 wrote to memory of 1736	1532	AdobeARM.exe	AdobeARM.exe
PID 1532 wrote to memory of 1736	1532	AdobeARM.exe	AdobeARM.exe

C:\Users\Admin\AppData\Local\Temp\23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
"C:\Users\Admin\AppData\Local\Temp\23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
"C:\Users\Admin\AppData\Local\Temp\23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Roaming\AdobeARM.exe
C:\Users\Admin\AppData\Roaming\AdobeARM.exe 388 "C:\Users\Admin\AppData\Local\Temp\23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Roaming\AdobeARM.exe
"C:\Users\Admin\AppData\Roaming\AdobeARM.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AdobeARM.exe
Filesize
95KB

MD5
c74bb08e57a5cb5535b6348f2272ced9

SHA1
fcf7da57789483170bd787e33175c112c776792c

SHA256
23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52

SHA512
0f8179c997cff1cd793aa51256e5070f4766722cee166674c40586e976656bfd01305996f44092d7fdede9e2504ca67a3c12e1bbbbbf704ce4758b1106ad90ee

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeARM.exe
Filesize
95KB

MD5
c74bb08e57a5cb5535b6348f2272ced9

SHA1
fcf7da57789483170bd787e33175c112c776792c

SHA256
23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52

SHA512
0f8179c997cff1cd793aa51256e5070f4766722cee166674c40586e976656bfd01305996f44092d7fdede9e2504ca67a3c12e1bbbbbf704ce4758b1106ad90ee

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeARM.exe
Filesize
95KB

MD5
c74bb08e57a5cb5535b6348f2272ced9

SHA1
fcf7da57789483170bd787e33175c112c776792c

SHA256
23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52

SHA512
0f8179c997cff1cd793aa51256e5070f4766722cee166674c40586e976656bfd01305996f44092d7fdede9e2504ca67a3c12e1bbbbbf704ce4758b1106ad90ee

Download Submit
\Users\Admin\AppData\Roaming\AdobeARM.exe
Filesize
95KB

MD5
c74bb08e57a5cb5535b6348f2272ced9

SHA1
fcf7da57789483170bd787e33175c112c776792c

SHA256
23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52

SHA512
0f8179c997cff1cd793aa51256e5070f4766722cee166674c40586e976656bfd01305996f44092d7fdede9e2504ca67a3c12e1bbbbbf704ce4758b1106ad90ee

Download Submit
\Users\Admin\AppData\Roaming\AdobeARM.exe
Filesize
95KB

MD5
c74bb08e57a5cb5535b6348f2272ced9

SHA1
fcf7da57789483170bd787e33175c112c776792c

SHA256
23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52

SHA512
0f8179c997cff1cd793aa51256e5070f4766722cee166674c40586e976656bfd01305996f44092d7fdede9e2504ca67a3c12e1bbbbbf704ce4758b1106ad90ee

Download Submit
memory/1532-66-0x0000000000000000-mapping.dmp

Download
memory/1736-79-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1736-78-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1736-77-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1736-73-0x0000000000489920-mapping.dmp

Download
memory/2016-60-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2016-63-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2016-69-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2016-62-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2016-54-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2016-59-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/2016-57-0x0000000000489920-mapping.dmp

Download
memory/2016-56-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads