metasploit | b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6

General

Target

b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe
Size

235KB
MD5

1f7f6928534ff002dbe843380d619e45
SHA1

5712a3cd5c72e2cfb648135a97850637ac9c4681
SHA256

b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6
SHA512

8ec6d3bd9d30f9b659bcf22d23e6985e5e88b7ef5b719f7e23250a18b267218bc0b62d5cf07b057fe5f3105228313385d33b3a63d75107ec44d7f519caf9a3b9

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

10.30.4.18:5555

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 2 IoCs

Processes:

drm.exedrm.exe

pid process

1100 drm.exe
964 drm.exe
Drops startup file 1 IoCs

Processes:

drm.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeviceSync.lnk drm.exe

pid	process
1100	drm.exe
964	drm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeviceSync.lnk	drm.exe

Loads dropped DLL 4 IoCs

Processes:

b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exedrm.exe

pid	process
1048	b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe
1048	b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe
1100	drm.exe
1100	drm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

drm.exe

description pid process target process

PID 1100 set thread context of 964 1100 drm.exe drm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1100 set thread context of 964	1100	drm.exe	drm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exedrm.exe

pid	process
1048	b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe
1048	b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe
1100	drm.exe
1100	drm.exe
1100	drm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

drm.exe

description	pid	process
Token: SeDebugPrivilege	1100	drm.exe
Token: SeDebugPrivilege	1100	drm.exe
Token: SeDebugPrivilege	1100	drm.exe
Token: SeDebugPrivilege	1100	drm.exe
Token: SeDebugPrivilege	1100	drm.exe
Token: SeDebugPrivilege	1100	drm.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exedrm.exe

description	pid	process	target process
PID 1048 wrote to memory of 1100	1048	b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe	drm.exe
PID 1048 wrote to memory of 1100	1048	b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe	drm.exe
PID 1048 wrote to memory of 1100	1048	b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe	drm.exe
PID 1048 wrote to memory of 1100	1048	b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe	drm.exe
PID 1100 wrote to memory of 964	1100	drm.exe	drm.exe
PID 1100 wrote to memory of 964	1100	drm.exe	drm.exe
PID 1100 wrote to memory of 964	1100	drm.exe	drm.exe
PID 1100 wrote to memory of 964	1100	drm.exe	drm.exe
PID 1100 wrote to memory of 964	1100	drm.exe	drm.exe
PID 1100 wrote to memory of 964	1100	drm.exe	drm.exe
PID 1100 wrote to memory of 964	1100	drm.exe	drm.exe
PID 1100 wrote to memory of 964	1100	drm.exe	drm.exe
PID 1100 wrote to memory of 964	1100	drm.exe	drm.exe

C:\Users\Admin\AppData\Local\Temp\b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe
"C:\Users\Admin\AppData\Local\Temp\b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\drm.exe
"C:\Users\Admin\AppData\Local\Temp\drm.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\drm.exe
C:\Users\Admin\AppData\Local\Temp\drm.exe
3⤵
- Executes dropped EXE
PID:964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drm.exe
Filesize
38KB

MD5
103f7c56772b5463a51c4992d1a1289f

SHA1
5f533c02737904d12eea0e9f6042da1ed6691c27

SHA256
1787605b093fb88096cdb5c316ec335425096af34ab1006224b845a09482badc

SHA512
5e7e428e6ffc2095923f92e67b7707bc50c823d2ac2ad0a651eb6f7899e777650c95de2d2ec72e00cc7108f68a494b0ea246ebf48793a154cce403336d0b1c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\drm.exe
Filesize
38KB

MD5
103f7c56772b5463a51c4992d1a1289f

SHA1
5f533c02737904d12eea0e9f6042da1ed6691c27

SHA256
1787605b093fb88096cdb5c316ec335425096af34ab1006224b845a09482badc

SHA512
5e7e428e6ffc2095923f92e67b7707bc50c823d2ac2ad0a651eb6f7899e777650c95de2d2ec72e00cc7108f68a494b0ea246ebf48793a154cce403336d0b1c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\drm.exe
Filesize
38KB

MD5
103f7c56772b5463a51c4992d1a1289f

SHA1
5f533c02737904d12eea0e9f6042da1ed6691c27

SHA256
1787605b093fb88096cdb5c316ec335425096af34ab1006224b845a09482badc

SHA512
5e7e428e6ffc2095923f92e67b7707bc50c823d2ac2ad0a651eb6f7899e777650c95de2d2ec72e00cc7108f68a494b0ea246ebf48793a154cce403336d0b1c33

Download Submit
\Users\Admin\AppData\Local\Temp\drm.exe
Filesize
38KB

MD5
103f7c56772b5463a51c4992d1a1289f

SHA1
5f533c02737904d12eea0e9f6042da1ed6691c27

SHA256
1787605b093fb88096cdb5c316ec335425096af34ab1006224b845a09482badc

SHA512
5e7e428e6ffc2095923f92e67b7707bc50c823d2ac2ad0a651eb6f7899e777650c95de2d2ec72e00cc7108f68a494b0ea246ebf48793a154cce403336d0b1c33

Download Submit
\Users\Admin\AppData\Local\Temp\drm.exe
Filesize
38KB

MD5
103f7c56772b5463a51c4992d1a1289f

SHA1
5f533c02737904d12eea0e9f6042da1ed6691c27

SHA256
1787605b093fb88096cdb5c316ec335425096af34ab1006224b845a09482badc

SHA512
5e7e428e6ffc2095923f92e67b7707bc50c823d2ac2ad0a651eb6f7899e777650c95de2d2ec72e00cc7108f68a494b0ea246ebf48793a154cce403336d0b1c33

Download Submit
\Users\Admin\AppData\Local\Temp\drm.exe
Filesize
38KB

MD5
103f7c56772b5463a51c4992d1a1289f

SHA1
5f533c02737904d12eea0e9f6042da1ed6691c27

SHA256
1787605b093fb88096cdb5c316ec335425096af34ab1006224b845a09482badc

SHA512
5e7e428e6ffc2095923f92e67b7707bc50c823d2ac2ad0a651eb6f7899e777650c95de2d2ec72e00cc7108f68a494b0ea246ebf48793a154cce403336d0b1c33

Download Submit
\Users\Admin\AppData\Local\Temp\drm.exe
Filesize
38KB

MD5
103f7c56772b5463a51c4992d1a1289f

SHA1
5f533c02737904d12eea0e9f6042da1ed6691c27

SHA256
1787605b093fb88096cdb5c316ec335425096af34ab1006224b845a09482badc

SHA512
5e7e428e6ffc2095923f92e67b7707bc50c823d2ac2ad0a651eb6f7899e777650c95de2d2ec72e00cc7108f68a494b0ea246ebf48793a154cce403336d0b1c33

Download Submit
memory/964-73-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/964-70-0x000000000040A4A1-mapping.dmp

Download
memory/964-69-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1048-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1100-57-0x0000000000000000-mapping.dmp

Download
memory/1100-64-0x0000000077090000-0x0000000077130000-memory.dmp

Filesize
640KB

Download
memory/1100-59-0x00000000757E0000-0x000000007588C000-memory.dmp

Filesize
688KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads