metasploit | 6bed7ef049d8d9728a09a94488ac8670c9c20c0e6c294f80fd2153c37a2bead7

General

Target

6bed7ef049d8d9728a09a94488ac8670c9c20c0e6c294f80fd2153c37a2bead7.docm
Size

83KB
MD5

b3cd1fbbfa7e1fcf124ebb986db5925b
SHA1

90ef51a3601f6c4fc4a588e4f911c0dcc0b7df83
SHA256

6bed7ef049d8d9728a09a94488ac8670c9c20c0e6c294f80fd2153c37a2bead7
SHA512

084ea2e44662bacea593479e7289102569b721df327e49a10ee42495197f10bf3b0b8a8cd033b2d9b1c435ce76f92308d65152d2d2baf3902ff5578c56a84323

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.1.47:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 1 IoCs

Processes:

rad5C9E0.tmp.exe

pid process

3652 rad5C9E0.tmp.exe

pid	process
3652	rad5C9E0.tmp.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

632 WINWORD.EXE
632 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

632 WINWORD.EXE
632 WINWORD.EXE
632 WINWORD.EXE
632 WINWORD.EXE
632 WINWORD.EXE
632 WINWORD.EXE
632 WINWORD.EXE

pid	process
632	WINWORD.EXE
632	WINWORD.EXE

pid	process
632	WINWORD.EXE
632	WINWORD.EXE
632	WINWORD.EXE
632	WINWORD.EXE
632	WINWORD.EXE
632	WINWORD.EXE
632	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 632 wrote to memory of 3652	632	WINWORD.EXE	rad5C9E0.tmp.exe
PID 632 wrote to memory of 3652	632	WINWORD.EXE	rad5C9E0.tmp.exe
PID 632 wrote to memory of 3652	632	WINWORD.EXE	rad5C9E0.tmp.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6bed7ef049d8d9728a09a94488ac8670c9c20c0e6c294f80fd2153c37a2bead7.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\AppData\Local\Temp\rad5C9E0.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\rad5C9E0.tmp.exe"
2⤵
- Executes dropped EXE
PID:3652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rad5C9E0.tmp.exe
Filesize
72KB

MD5
a2dd0d59f4f6e65aa10a118631a90182

SHA1
af2e14aa2827265fb2bf96d3ea1eb40b314706fc

SHA256
5d8fe64ff6c4ea4d55aec497140578f3b98072c07bda4eacd6ad816f76ad40b4

SHA512
298d7149e3eb178ab21bd30aa3126a2c8480cdcb0f829273e0fbc1c97892c34e905eb8da57f83bed22bfb0e8484aff3f6921858f781a1dbb9fe4191839be66e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rad5C9E0.tmp.exe
Filesize
72KB

MD5
a2dd0d59f4f6e65aa10a118631a90182

SHA1
af2e14aa2827265fb2bf96d3ea1eb40b314706fc

SHA256
5d8fe64ff6c4ea4d55aec497140578f3b98072c07bda4eacd6ad816f76ad40b4

SHA512
298d7149e3eb178ab21bd30aa3126a2c8480cdcb0f829273e0fbc1c97892c34e905eb8da57f83bed22bfb0e8484aff3f6921858f781a1dbb9fe4191839be66e7

Download Submit
memory/632-130-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download
memory/632-132-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download
memory/632-131-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download
memory/632-133-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download
memory/632-134-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download
memory/632-135-0x00007FFC93100000-0x00007FFC93110000-memory.dmp

Filesize
64KB

Download
memory/632-136-0x00007FFC93100000-0x00007FFC93110000-memory.dmp

Filesize
64KB

Download
memory/3652-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads