metasploit | 2fa943c5900d06592383233dfc8258014945f353ee3f17ac4288ac6e465394ec

General

Target

salary_ranges.docm
Size

255KB
MD5

ed3b4e9f3e4ecaa892a385bf73637b7d
SHA1

cbe4f0dfe65091ac454323821a87bf4811a4b985
SHA256

20e34ba4bc010f84a75d72ee6dad0b1a0524b56fa5268deb84a3d88c4ed87880
SHA512

bfc5f7db658e893bffe4bc08b4916d1478349198b1b80c822ece134689f171c8ce5334893150cbb6cbacd98f5f8ae4489dcf5a86006f0ffc802057e0eacd7fb1

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://intranet.iml-bank.info:8443/bYdlO5EaAdxEN0U2HZnuJgNIg3DW9OTJnb8evXSt58vYMLdYSI0mna6_pJRRxZXDbngIH_8E88XkC337M3U3EQJNFwHQJtiw8a8bTNqNcc-niwQ-nqOBcnfqorz6aMGUvym9oK5dH3ctbP8zV

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 1 IoCs

Processes:

file.exe

pid process

3448 file.exe

pid	process
3448	file.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4548 WINWORD.EXE
4548 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

4548 WINWORD.EXE
4548 WINWORD.EXE
4548 WINWORD.EXE
4548 WINWORD.EXE
4548 WINWORD.EXE
4548 WINWORD.EXE
4548 WINWORD.EXE

pid	process
4548	WINWORD.EXE
4548	WINWORD.EXE

pid	process
4548	WINWORD.EXE
4548	WINWORD.EXE
4548	WINWORD.EXE
4548	WINWORD.EXE
4548	WINWORD.EXE
4548	WINWORD.EXE
4548	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4548 wrote to memory of 3448	4548	WINWORD.EXE	file.exe
PID 4548 wrote to memory of 3448	4548	WINWORD.EXE	file.exe
PID 4548 wrote to memory of 3448	4548	WINWORD.EXE	file.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\salary_ranges.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4548

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Executes dropped EXE
PID:3448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file.exe
Filesize
72KB

MD5
644b38db200b8f0d59fc74c8e252d519

SHA1
a293c6ee0fc92e62c22ac1186441a8ef81231403

SHA256
aa2b79a78eac63315d2c20a89f28fd1261d9d5e96434c2e015b7dad8e5a043f0

SHA512
4908fe977c23fd98bc06082fa8e247fc37661b94878f3271ff4fba067c37d51ca67464b1e0eac1b3ed695cc6416c474260cd7f454518b9ce96af0e8733378a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe
Filesize
72KB

MD5
644b38db200b8f0d59fc74c8e252d519

SHA1
a293c6ee0fc92e62c22ac1186441a8ef81231403

SHA256
aa2b79a78eac63315d2c20a89f28fd1261d9d5e96434c2e015b7dad8e5a043f0

SHA512
4908fe977c23fd98bc06082fa8e247fc37661b94878f3271ff4fba067c37d51ca67464b1e0eac1b3ed695cc6416c474260cd7f454518b9ce96af0e8733378a65

Download Submit
memory/3448-137-0x0000000000000000-mapping.dmp

Download
memory/4548-133-0x00007FF803530000-0x00007FF803540000-memory.dmp

Filesize
64KB

Download
memory/4548-134-0x00007FF803530000-0x00007FF803540000-memory.dmp

Filesize
64KB

Download
memory/4548-135-0x00007FF8013C0000-0x00007FF8013D0000-memory.dmp

Filesize
64KB

Download
memory/4548-136-0x00007FF8013C0000-0x00007FF8013D0000-memory.dmp

Filesize
64KB

Download
memory/4548-130-0x00007FF803530000-0x00007FF803540000-memory.dmp

Filesize
64KB

Download
memory/4548-132-0x00007FF803530000-0x00007FF803540000-memory.dmp

Filesize
64KB

Download
memory/4548-131-0x00007FF803530000-0x00007FF803540000-memory.dmp

Filesize
64KB

Download
memory/4548-141-0x00007FF803530000-0x00007FF803540000-memory.dmp

Filesize
64KB

Download
memory/4548-142-0x00007FF803530000-0x00007FF803540000-memory.dmp

Filesize
64KB

Download
memory/4548-143-0x00007FF803530000-0x00007FF803540000-memory.dmp

Filesize
64KB

Download
memory/4548-144-0x00007FF803530000-0x00007FF803540000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads