metasploit | 4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b

General

Target

4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe
Size

28KB
MD5

b37dde09771f84691575faad7ecd3f89
SHA1

940bf33101e32ac140358dfa51071ffd1e96ca2a
SHA256

4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b
SHA512

952ce6dd9a61a5d993e6c9bacd400b70b223a41e774558db962fa661413a8819798899e75a3dffbb1fa7e0d6fcb23d79bb9b9c1c5163d3ea7c6a433dfbe7ac8f

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://x4k.me:50443/static-directory/admin.gif

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3124-132-0x000000006C900000-0x000000006C925000-memory.dmp	upx
behavioral2/memory/3124-152-0x000000006C900000-0x000000006C925000-memory.dmp	upx

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.execmd.exeMSBuild.execsc.exe

description	pid	process	target process
PID 3124 wrote to memory of 4072	3124	4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe	cmd.exe
PID 3124 wrote to memory of 4072	3124	4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe	cmd.exe
PID 4072 wrote to memory of 5016	4072	cmd.exe	MSBuild.exe
PID 4072 wrote to memory of 5016	4072	cmd.exe	MSBuild.exe
PID 4072 wrote to memory of 5016	4072	cmd.exe	MSBuild.exe
PID 5016 wrote to memory of 2676	5016	MSBuild.exe	csc.exe
PID 5016 wrote to memory of 2676	5016	MSBuild.exe	csc.exe
PID 5016 wrote to memory of 2676	5016	MSBuild.exe	csc.exe
PID 2676 wrote to memory of 2824	2676	csc.exe	cvtres.exe
PID 2676 wrote to memory of 2824	2676	csc.exe	cvtres.exe
PID 2676 wrote to memory of 2824	2676	csc.exe	cvtres.exe
PID 5016 wrote to memory of 408	5016	MSBuild.exe	svchost.exe
PID 5016 wrote to memory of 408	5016	MSBuild.exe	svchost.exe
PID 5016 wrote to memory of 408	5016	MSBuild.exe	svchost.exe
PID 5016 wrote to memory of 408	5016	MSBuild.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe
"C:\Users\Admin\AppData\Local\Temp\4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /nologo /noconsolelogger /verbosity:quiet C:\ProgramData\418712bf-userSettings.xml && move payload.exe C:\ProgramData\HDAudio.exe && reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HighDefinitionAudio /t REG_SZ /f /d "C:\ProgramData\HDAudio.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /nologo /noconsolelogger /verbosity:quiet C:\ProgramData\418712bf-userSettings.xml
3⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j3a3x1q2\j3a3x1q2.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71BA.tmp" "c:\Users\Admin\AppData\Local\Temp\j3a3x1q2\CSCB025486B6092474B95AB77B5FCE1ADE0.TMP"
5⤵
PID:2824

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
PID:408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\418712bf-userSettings.xml
Filesize
8KB

MD5
41b236f7027b7343a64d5f577edf37d2

SHA1
8c35dd00d23eeb892d1076596a43dd55feeb0acd

SHA256
bbb1bcaa67d14d044e63db6dbd1cf48a190c9076019383ac8ac881be59fb3e3e

SHA512
d010ba4de08ff777c1cf24af84c13879f20eb8b36cb1daef5f3fe0aedddb9bb37d80dc411ddbce747d109a8bde04e801e242c3b82301080b0a7289d007adb8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES71BA.tmp
Filesize
1KB

MD5
35103b288f4b088657f7649059004f53

SHA1
dedcada380f2f13773050e7bbc3bbd326d68e109

SHA256
efaf498789a5ed9bff137a07b66b405c61c9a7fb9357aee05bd500e12c1dbbf9

SHA512
389fd5ec772bea16cc3d4f0ab6ff0507238f6185e0f41e4bb077168feb71c8dd6814647528b0553809448239a7482f22f6a7a049a1a8264e2e0be158b479ca7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\j3a3x1q2\j3a3x1q2.dll
Filesize
9KB

MD5
d6e6eb6f7792afd32d91b855025ca57d

SHA1
36f0641aeb06e6191ebf9008ae69acf4b2597fa8

SHA256
c93dcec9afa809c9b9809577cc81354e4ab643fedfe94ecfd3edbc2786cbc320

SHA512
33f7fc3781b3e738832bb4d2aabed9276f5cd72ed08553ff9ee0c71dcaef73c2f0e4f9446f063ca445759a602ce4d59bc0ceae5d55184536337854075554ade8

Download Submit
C:\Users\Admin\AppData\Local\Temp\j3a3x1q2\j3a3x1q2.pdb
Filesize
11KB

MD5
a27b7ab44596fc8f051117bc6c4db502

SHA1
ad9540fc52fc1bff9ae9e3211bfa35262bb42223

SHA256
0a27286ed286f697a832368b2aeae24b1df343a090f1f9d3bb6e0fd4808b35e6

SHA512
6fa9a2c5b616cfc0959c5a0a907c9eb5e0e67e655a2761552fd9052292aabf9d4b474f046344d3a1c02d8fd3a467c641fba971bc6ba13e39e6e626c61ea26b43

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j3a3x1q2\CSCB025486B6092474B95AB77B5FCE1ADE0.TMP
Filesize
652B

MD5
bc06ceda4306b84262331a77a70cef04

SHA1
7442aa14353c50a3252265eadcd06aaaf610cde0

SHA256
13264f1a962c7d5e2a1acbd802a68fff007c600c5c4285692f1ffff63fa9021f

SHA512
5df35a2e4196529169c29f280ab25d358fd4a6e092d291e1463f1d6b053686ef53ac82bc3bec753a551bd00796630b2bc061480001baebcbefe5682aacc71a93

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j3a3x1q2\j3a3x1q2.0.cs
Filesize
7KB

MD5
6a8b1c37f1f756583e60b385e48c2b12

SHA1
eb03ca238d1054c2591cc42b3e5829b0a4649782

SHA256
1df927bc417dc9cf24cfd5ca5de91cd6949591f90f24c480d319e85eee03fc54

SHA512
553559d629a81623d4aeed7baad20618a2c3937f9059998d077bf219544ee0399c67a359c672b19c9f40d78426733bea2fdc9f7f9b053efe484347e7bd98cc4a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j3a3x1q2\j3a3x1q2.cmdline
Filesize
660B

MD5
61f85cd16b1352c7f0bd0b33b079e86e

SHA1
db320f51bf208dbe8c667d0fe95dd0001af5a2fe

SHA256
528df001c07aab9805a5119f64c16423e09defebd67396a62c0f2d94fdff0ecc

SHA512
1e085883e5e391b25bbf14af885bb0abc2de921ef6ff265476a37f94d83d4f25d3d015bbe18b1d56b4e4c5677f4841a5b8717e8655c1bfbd1e0d13cb7cc16054

Download Submit
memory/408-150-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/408-151-0x0000000000000000-mapping.dmp

Download
memory/2676-142-0x0000000000000000-mapping.dmp

Download
memory/2824-145-0x0000000000000000-mapping.dmp

Download
memory/3124-132-0x000000006C900000-0x000000006C925000-memory.dmp

Filesize
148KB

Download
memory/3124-152-0x000000006C900000-0x000000006C925000-memory.dmp

Filesize
148KB

Download
memory/4072-130-0x0000000000000000-mapping.dmp

Download
memory/5016-135-0x0000000004FC0000-0x000000000511A000-memory.dmp

Filesize
1.4MB

Download
memory/5016-141-0x0000000006150000-0x00000000064B6000-memory.dmp

Filesize
3.4MB

Download
memory/5016-140-0x0000000005DE0000-0x0000000005F5C000-memory.dmp

Filesize
1.5MB

Download
memory/5016-139-0x0000000005AA0000-0x0000000005AE4000-memory.dmp

Filesize
272KB

Download
memory/5016-138-0x0000000005B80000-0x0000000005CA2000-memory.dmp

Filesize
1.1MB

Download
memory/5016-136-0x0000000004F00000-0x0000000004F30000-memory.dmp

Filesize
192KB

Download
memory/5016-134-0x0000000004E10000-0x0000000004E2A000-memory.dmp

Filesize
104KB

Download
memory/5016-133-0x0000000000510000-0x0000000000550000-memory.dmp

Filesize
256KB

Download
memory/5016-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing