metasploit | 23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52

General

Target

23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
Size

95KB
MD5

c74bb08e57a5cb5535b6348f2272ced9
SHA1

fcf7da57789483170bd787e33175c112c776792c
SHA256

23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52
SHA512

0f8179c997cff1cd793aa51256e5070f4766722cee166674c40586e976656bfd01305996f44092d7fdede9e2504ca67a3c12e1bbbbbf704ce4758b1106ad90ee

Score

10^/10

metasploit backdoor persistence trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 2 IoCs

Processes:

AdobeARM.exeAdobeARM.exe

pid process

3320 AdobeARM.exe
4560 AdobeARM.exe

pid	process
3320	AdobeARM.exe
4560	AdobeARM.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5096-131-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/5096-133-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/5096-134-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/5096-135-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/5096-139-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/4560-144-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/4560-145-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral2/memory/4560-146-0x0000000000400000-0x000000000048D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exeAdobeARM.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\patches = "1"	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeARM = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARM.exe"	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeARM = "\\AdobeARM.exe"	AdobeARM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeARM = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARM.exe"	AdobeARM.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exeAdobeARM.exe

description	pid	process	target process
PID 1136 set thread context of 5096	1136	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
PID 3320 set thread context of 4560	3320	AdobeARM.exe	AdobeARM.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

748 3320 WerFault.exe AdobeARM.exe

pid	pid_target	process	target process
748	3320	WerFault.exe	AdobeARM.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exeAdobeARM.exe

description	pid	process	target process
PID 1136 wrote to memory of 5096	1136	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
PID 1136 wrote to memory of 5096	1136	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
PID 1136 wrote to memory of 5096	1136	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
PID 1136 wrote to memory of 5096	1136	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
PID 1136 wrote to memory of 5096	1136	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
PID 5096 wrote to memory of 3320	5096	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	AdobeARM.exe
PID 5096 wrote to memory of 3320	5096	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	AdobeARM.exe
PID 5096 wrote to memory of 3320	5096	23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe	AdobeARM.exe
PID 3320 wrote to memory of 4560	3320	AdobeARM.exe	AdobeARM.exe
PID 3320 wrote to memory of 4560	3320	AdobeARM.exe	AdobeARM.exe
PID 3320 wrote to memory of 4560	3320	AdobeARM.exe	AdobeARM.exe
PID 3320 wrote to memory of 4560	3320	AdobeARM.exe	AdobeARM.exe
PID 3320 wrote to memory of 4560	3320	AdobeARM.exe	AdobeARM.exe

C:\Users\Admin\AppData\Local\Temp\23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
"C:\Users\Admin\AppData\Local\Temp\23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\AppData\Local\Temp\23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe
"C:\Users\Admin\AppData\Local\Temp\23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5096

C:\Users\Admin\AppData\Roaming\AdobeARM.exe
C:\Users\Admin\AppData\Roaming\AdobeARM.exe 912 "C:\Users\Admin\AppData\Local\Temp\23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 280
4⤵
- Program crash
PID:748

C:\Users\Admin\AppData\Roaming\AdobeARM.exe
"C:\Users\Admin\AppData\Roaming\AdobeARM.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1136 -ip 1136
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3320 -ip 3320
1⤵
PID:4376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AdobeARM.exe
Filesize
95KB

MD5
c74bb08e57a5cb5535b6348f2272ced9

SHA1
fcf7da57789483170bd787e33175c112c776792c

SHA256
23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52

SHA512
0f8179c997cff1cd793aa51256e5070f4766722cee166674c40586e976656bfd01305996f44092d7fdede9e2504ca67a3c12e1bbbbbf704ce4758b1106ad90ee

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeARM.exe
Filesize
95KB

MD5
c74bb08e57a5cb5535b6348f2272ced9

SHA1
fcf7da57789483170bd787e33175c112c776792c

SHA256
23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52

SHA512
0f8179c997cff1cd793aa51256e5070f4766722cee166674c40586e976656bfd01305996f44092d7fdede9e2504ca67a3c12e1bbbbbf704ce4758b1106ad90ee

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeARM.exe
Filesize
95KB

MD5
c74bb08e57a5cb5535b6348f2272ced9

SHA1
fcf7da57789483170bd787e33175c112c776792c

SHA256
23189cc64c0ccd26a4ddd11602b4af76bd2e381a0a28250bf257d8e239c42e52

SHA512
0f8179c997cff1cd793aa51256e5070f4766722cee166674c40586e976656bfd01305996f44092d7fdede9e2504ca67a3c12e1bbbbbf704ce4758b1106ad90ee

Download Submit
memory/3320-136-0x0000000000000000-mapping.dmp

Download
memory/4560-140-0x0000000000000000-mapping.dmp

Download
memory/4560-144-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4560-145-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4560-146-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/5096-135-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/5096-134-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/5096-133-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/5096-139-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/5096-130-0x0000000000000000-mapping.dmp

Download
memory/5096-131-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads