metasploit | 4564ca0c436fde9e76f5fa65cbcf483adf1fbfa3d7369b7bb67d2c95457f6bc5

General

Target

4564ca0c436fde9e76f5fa65cbcf483adf1fbfa3d7369b7bb67d2c95457f6bc5.dll
Size

80KB
MD5

cb204f1ca7725d54847b1dc0bad7c6dd
SHA1

eb5916c3301d3c0c1d881484c1bcef090f65bf30
SHA256

4564ca0c436fde9e76f5fa65cbcf483adf1fbfa3d7369b7bb67d2c95457f6bc5
SHA512

bc8e03da8b23160ea6fc40267063831b30e10f19dc357b4c381bf3ce196a60686123528f849cf0f525483818b9fd26e5dbadf6fb5574a5eb198ed9943213c91c

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://powershell.services:443/components/massaction.png

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.execmd.exeMSBuild.execsc.exe

description	pid	process	target process
PID 4884 wrote to memory of 1640	4884	rundll32.exe	cmd.exe
PID 4884 wrote to memory of 1640	4884	rundll32.exe	cmd.exe
PID 1640 wrote to memory of 1740	1640	cmd.exe	MSBuild.exe
PID 1640 wrote to memory of 1740	1640	cmd.exe	MSBuild.exe
PID 1640 wrote to memory of 1740	1640	cmd.exe	MSBuild.exe
PID 1740 wrote to memory of 4344	1740	MSBuild.exe	csc.exe
PID 1740 wrote to memory of 4344	1740	MSBuild.exe	csc.exe
PID 1740 wrote to memory of 4344	1740	MSBuild.exe	csc.exe
PID 4344 wrote to memory of 4516	4344	csc.exe	cvtres.exe
PID 4344 wrote to memory of 4516	4344	csc.exe	cvtres.exe
PID 4344 wrote to memory of 4516	4344	csc.exe	cvtres.exe
PID 1740 wrote to memory of 3548	1740	MSBuild.exe	svchost.exe
PID 1740 wrote to memory of 3548	1740	MSBuild.exe	svchost.exe
PID 1740 wrote to memory of 3548	1740	MSBuild.exe	svchost.exe
PID 1740 wrote to memory of 3548	1740	MSBuild.exe	svchost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4564ca0c436fde9e76f5fa65cbcf483adf1fbfa3d7369b7bb67d2c95457f6bc5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /nologo /noconsolelogger /verbosity:quiet C:\ProgramData\11159247-userSettings.xml && move e.exe C:\ProgramData\HDAudio.exe && reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HighDefinitionAudio /t REG_SZ /f /d "C:\ProgramData\HDAudio.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /nologo /noconsolelogger /verbosity:quiet C:\ProgramData\11159247-userSettings.xml
3⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lpgecn4c\lpgecn4c.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2059.tmp" "c:\Users\Admin\AppData\Local\Temp\lpgecn4c\CSC57F845BA78064F0CB1594779C514A4B.TMP"
5⤵
PID:4516

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
PID:3548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\11159247-userSettings.xml
Filesize
8KB

MD5
4020e3b9f8e078e068634f445882eb26

SHA1
51e49b80116dffa6d696cb78088e631a4f13537c

SHA256
83b5c6d73f3fc893dbd7effa7c50dc9b2455ec053aa9c51d70e13305ecf21fa4

SHA512
8a29936d74be11697dc836f482ed3833869a4afbd96ae6bb056873accd22a17c0c2d43b37036ea93d715232395289f9e7b276d8e6146c5b5126148eeb7b8c50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2059.tmp
Filesize
1KB

MD5
dd7d6b67a9aca46986be46e931b85b3e

SHA1
266d1f5759f63670fd8849889ddfad98b4523cc2

SHA256
2b95a7eaa0fbfa469682a27b3a03c1a17b6baafe0ebac5bf2c20bc3e3fa08adc

SHA512
2db5b1c4f314d406cb70d0a78bee99167f60b8a00f8ade6954288805b63a643f1611608e3916ceb01267c6047ddf7546101bc1809e701a8f1f62b016e2ecbf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpgecn4c\lpgecn4c.dll
Filesize
9KB

MD5
293d54f1c718144f7d55a21b26ce096e

SHA1
bd99f0e9e2a78d7776b15e400b63905d985d32d5

SHA256
b94a4f41940cb2028c2c1c92f6651db2ddfc611d1e237d42421b923285a4c420

SHA512
5afd77a1c786ce147e7d0553d22182d4eba75e4cce16e5b974a9fabef3a043c2421206b934fecc5e52fccbfe6ee9765e4a9b7b6dfd28e7fa8d9f0adc98d19ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpgecn4c\lpgecn4c.pdb
Filesize
11KB

MD5
d73d8c47a4a9e1644144636a76d5b0dc

SHA1
cb338e51a5889d6044aa45da30b5af6c9de4044d

SHA256
94e8bbdc8614d4228a03f631fe6419e4da57b10cd4f1bb89f06b5b5584cd4bfd

SHA512
804296dda277dd29de3e5bfcac7295a1256c53662074c5d25fd03f8ab6fcba3eb93f2e9ef368cd4fa1a0a38b0cc7582adb2db2d520751d48c4c590e6772f4982

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lpgecn4c\CSC57F845BA78064F0CB1594779C514A4B.TMP
Filesize
652B

MD5
a1e1e51f77dac753f430f5c9291b703b

SHA1
5f4f038185e54e5404a50523107d7d556ea312d4

SHA256
91fb7f1c5f5f70eb560370736ebc349d09660bfe1cc02aa9b60e5ea590ee52ff

SHA512
4d3dd10146dabcba47fb1d174ca421a03eb33bedd0956cb5cd6aca913358fc9bf1240ebb0c392d4914737a84b676feece0a9ee877c3deb63eea5364ebe25fac7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lpgecn4c\lpgecn4c.0.cs
Filesize
7KB

MD5
d887eedf14f60f23599ca2c02fd31297

SHA1
a046c6902d0d1f63b31c9456cdfe8dc5568e99f1

SHA256
144174f60609c291156dcd69e54c6390832a2e8fabe677aa9064e4d4191557db

SHA512
b01314ac2b54683399d677dca63e144645b7073debac824b1a61157ec52db92ba85771471ce33c3789096931b9f72009099e82e824992b3522ef49c2148c0e58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lpgecn4c\lpgecn4c.cmdline
Filesize
660B

MD5
f21e2b4af2636bbd4b3d5a748e72205a

SHA1
ea31381631d6044e8b3f62214517ce52d25c6b5c

SHA256
1568d3d69d43091844503d3e696cda1fae1c05a80c17cd43b7adbcb9f5e9ff86

SHA512
150b107fa3dac60a0ac8ec9c16821d56d205fd32a3240b18c53a9d5d15e796eb80fb6e9f2f6ac2c74edc2c54ef7f40a3e1f855544ae0dafacc34cf983040e902

Download Submit
memory/1640-130-0x0000000000000000-mapping.dmp

Download
memory/1740-135-0x0000000004EE0000-0x0000000004F10000-memory.dmp

Filesize
192KB

Download
memory/1740-139-0x0000000005DB0000-0x0000000005F2C000-memory.dmp

Filesize
1.5MB

Download
memory/1740-140-0x0000000006120000-0x0000000006486000-memory.dmp

Filesize
3.4MB

Download
memory/1740-138-0x0000000005A70000-0x0000000005AB4000-memory.dmp

Filesize
272KB

Download
memory/1740-137-0x0000000005B50000-0x0000000005C72000-memory.dmp

Filesize
1.1MB

Download
memory/1740-134-0x0000000005000000-0x000000000515A000-memory.dmp

Filesize
1.4MB

Download
memory/1740-133-0x0000000002880000-0x000000000289A000-memory.dmp

Filesize
104KB

Download
memory/1740-132-0x00000000004E0000-0x0000000000520000-memory.dmp

Filesize
256KB

Download
memory/1740-131-0x0000000000000000-mapping.dmp

Download
memory/3548-150-0x0000000000000000-mapping.dmp

Download
memory/3548-149-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/4344-141-0x0000000000000000-mapping.dmp

Download
memory/4516-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing