metasploit | 4564ca0c436fde9e76f5fa65cbcf483adf1fbfa3d7369b7bb67d2c95457f6bc5

General

Target

4564ca0c436fde9e76f5fa65cbcf483adf1fbfa3d7369b7bb67d2c95457f6bc5.dll
Size

80KB
MD5

cb204f1ca7725d54847b1dc0bad7c6dd
SHA1

eb5916c3301d3c0c1d881484c1bcef090f65bf30
SHA256

4564ca0c436fde9e76f5fa65cbcf483adf1fbfa3d7369b7bb67d2c95457f6bc5
SHA512

bc8e03da8b23160ea6fc40267063831b30e10f19dc357b4c381bf3ce196a60686123528f849cf0f525483818b9fd26e5dbadf6fb5574a5eb198ed9943213c91c

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://powershell.services:443/components/massaction.png

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

MSBuild.exe

pid process

1236 MSBuild.exe

pid	process
1236	MSBuild.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

rundll32.execmd.exeMSBuild.execsc.exe

description	pid	process	target process
PID 1652 wrote to memory of 1228	1652	rundll32.exe	cmd.exe
PID 1652 wrote to memory of 1228	1652	rundll32.exe	cmd.exe
PID 1652 wrote to memory of 1228	1652	rundll32.exe	cmd.exe
PID 1228 wrote to memory of 1236	1228	cmd.exe	MSBuild.exe
PID 1228 wrote to memory of 1236	1228	cmd.exe	MSBuild.exe
PID 1228 wrote to memory of 1236	1228	cmd.exe	MSBuild.exe
PID 1228 wrote to memory of 1236	1228	cmd.exe	MSBuild.exe
PID 1236 wrote to memory of 1264	1236	MSBuild.exe	csc.exe
PID 1236 wrote to memory of 1264	1236	MSBuild.exe	csc.exe
PID 1236 wrote to memory of 1264	1236	MSBuild.exe	csc.exe
PID 1236 wrote to memory of 1264	1236	MSBuild.exe	csc.exe
PID 1264 wrote to memory of 2028	1264	csc.exe	cvtres.exe
PID 1264 wrote to memory of 2028	1264	csc.exe	cvtres.exe
PID 1264 wrote to memory of 2028	1264	csc.exe	cvtres.exe
PID 1264 wrote to memory of 2028	1264	csc.exe	cvtres.exe
PID 1236 wrote to memory of 1884	1236	MSBuild.exe	svchost.exe
PID 1236 wrote to memory of 1884	1236	MSBuild.exe	svchost.exe
PID 1236 wrote to memory of 1884	1236	MSBuild.exe	svchost.exe
PID 1236 wrote to memory of 1884	1236	MSBuild.exe	svchost.exe
PID 1236 wrote to memory of 1884	1236	MSBuild.exe	svchost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4564ca0c436fde9e76f5fa65cbcf483adf1fbfa3d7369b7bb67d2c95457f6bc5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /nologo /noconsolelogger /verbosity:quiet C:\ProgramData\11159247-userSettings.xml && move e.exe C:\ProgramData\HDAudio.exe && reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HighDefinitionAudio /t REG_SZ /f /d "C:\ProgramData\HDAudio.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /nologo /noconsolelogger /verbosity:quiet C:\ProgramData\11159247-userSettings.xml
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wxyrdkxg\wxyrdkxg.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF20.tmp" "c:\Users\Admin\AppData\Local\Temp\wxyrdkxg\CSC1A6AC73DB89449C5A695EEC9AA3CE5A8.TMP"
5⤵
PID:2028

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
PID:1884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\11159247-userSettings.xml
Filesize
8KB

MD5
4020e3b9f8e078e068634f445882eb26

SHA1
51e49b80116dffa6d696cb78088e631a4f13537c

SHA256
83b5c6d73f3fc893dbd7effa7c50dc9b2455ec053aa9c51d70e13305ecf21fa4

SHA512
8a29936d74be11697dc836f482ed3833869a4afbd96ae6bb056873accd22a17c0c2d43b37036ea93d715232395289f9e7b276d8e6146c5b5126148eeb7b8c50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEF20.tmp
Filesize
1KB

MD5
c6f520d42bbda523198fc51f3875d603

SHA1
d321ff9658d42870533a88755637d2ef77918c5b

SHA256
61ad2d3494b337c8c945a8fa4821024138a573b0903f033aafccfb1634a36e7e

SHA512
1da2c0d6e8d83224ccc99dd2c14ad4ef94bb3b7e3a52a1588e27e79d920b221799c05cef6b8803a76942a0ba7ccd0ac26e7036dfefe86fa201bce0cd5d3f657b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxyrdkxg\wxyrdkxg.dll
Filesize
9KB

MD5
c1d8686863bef3c43beb296a90f0a4bb

SHA1
5be616e77b4caaaeb57e5024d1a95cfef17b5bb2

SHA256
21f822038aab1dfc2ba52ed2654ddb17bd563793d2cbcc656ca35f32bd9f0110

SHA512
424e20ef2ff114a0ef82304dd5e2d7e794d5ee298905ab09045bb8b448cc52cea1dddcb5b99bed0aa29be2b38dad855d6fe091275ec5a62beff1792d1af227b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxyrdkxg\wxyrdkxg.pdb
Filesize
11KB

MD5
88884fd0870b2697384a500ef7e82c90

SHA1
ef9402c13aa130921e90eb9d45c7db3a541226d2

SHA256
af73254b6e1aea41aa803ee6798e6e770d923ec8dc85e7714129db254b3fe41b

SHA512
aad0f56848101c8bd2a90cbaa14188bb4b2f5b44bcd2bf3a199ce5010036c82324c1fe82b5070e53e6469eb2537a4b43860a408b6fba60f3d3db9fe138d71ae6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wxyrdkxg\CSC1A6AC73DB89449C5A695EEC9AA3CE5A8.TMP
Filesize
652B

MD5
c023cb35b391d8d3badd7e1caf13a7fe

SHA1
ab72043cc496fabf2a6baa8bc89f3334abf18999

SHA256
8f1d14c82fec507e5376757770ba7940cf1a20fef81ee01b25121487bfbf1e60

SHA512
fe98f5daf9e8ce9a084eade973ce088456c78a21978a9f0a6a2a384eba4f0769561fd443c69c817f81dbd7787f3ee3f82755467b320ca0825cce997ddcefe453

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wxyrdkxg\wxyrdkxg.0.cs
Filesize
7KB

MD5
d887eedf14f60f23599ca2c02fd31297

SHA1
a046c6902d0d1f63b31c9456cdfe8dc5568e99f1

SHA256
144174f60609c291156dcd69e54c6390832a2e8fabe677aa9064e4d4191557db

SHA512
b01314ac2b54683399d677dca63e144645b7073debac824b1a61157ec52db92ba85771471ce33c3789096931b9f72009099e82e824992b3522ef49c2148c0e58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wxyrdkxg\wxyrdkxg.cmdline
Filesize
660B

MD5
c135108f36653b915f77d7b772ae52f9

SHA1
4e94454fa50b7b6d50cc8d64bfb6700bd2391cfc

SHA256
5c607b4df3acc8aaad52b1056236301daeebc99e22178600bf5a73d068171027

SHA512
a1bcb27faa772baf656e15ae85dee5e8d3db4a5feed87e378eeb9bcc55bc83366c8ccb8bce9365b91639da32275b580023dba1653f42c856df2ed2bd0a219694

Download Submit
memory/1228-54-0x0000000000000000-mapping.dmp

Download
memory/1236-59-0x0000000005000000-0x0000000005122000-memory.dmp

Filesize
1.1MB

Download
memory/1236-60-0x0000000005260000-0x0000000005382000-memory.dmp

Filesize
1.1MB

Download
memory/1236-64-0x0000000005260000-0x00000000055C4000-memory.dmp

Filesize
3.4MB

Download
memory/1236-73-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/1236-62-0x00000000005D0000-0x00000000005EA000-memory.dmp

Filesize
104KB

Download
memory/1236-61-0x00000000005D0000-0x0000000000614000-memory.dmp

Filesize
272KB

Download
memory/1236-55-0x0000000000000000-mapping.dmp

Download
memory/1236-63-0x0000000005260000-0x00000000053DA000-memory.dmp

Filesize
1.5MB

Download
memory/1236-57-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1236-56-0x0000000000F10000-0x0000000000F50000-memory.dmp

Filesize
256KB

Download
memory/1264-65-0x0000000000000000-mapping.dmp

Download
memory/1884-74-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1884-75-0x0000000000000000-mapping.dmp

Download
memory/2028-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing