metasploit | 33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a

General

Target

33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
Size

177KB
MD5

702419ffd5e768b22037a84c7bad88cd
SHA1

13b3b0dcd128f6574b7392385419ce680efce036
SHA256

33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a
SHA512

363b81444e2de13c26fc14950d4760a0845f5724eade322bae73bb04ca60396c7c6ff3be577b2c4cfde4cff40e78f722a9744ab46a571536f3bc0985ab9ad192
SSDEEP

3072:rEEkpajNuqwjuwMROeSP4SY5fl2+dGYAo9RK1gz9Koc7yQOiOy2D9OlCSXzGsue8:rEDajNuJjujoeSP4SY5fl2+dGYAo9RKg

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 2 IoCs

Processes:

csrss.execsrss.exe

pid process

1756 csrss.exe
1988 csrss.exe

pid	process
1756	csrss.exe
1988	csrss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remote Registry Service = "csrss.exe"	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.execsrss.exe

description	pid	process	target process
PID 1784 set thread context of 1624	1784	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1756 set thread context of 1988	1756	csrss.exe	csrss.exe

Drops file in Windows directory 2 IoCs

Processes:

33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe

description	ioc	process
File opened for modification	C:\Windows\csrss.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
File created	C:\Windows\csrss.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.execsrss.exe

pid process

1784 33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
1756 csrss.exe

pid	process
1784	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
1756	csrss.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.execsrss.exe

description	pid	process	target process
PID 1784 wrote to memory of 1624	1784	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1784 wrote to memory of 1624	1784	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1784 wrote to memory of 1624	1784	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1784 wrote to memory of 1624	1784	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1784 wrote to memory of 1624	1784	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1784 wrote to memory of 1624	1784	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1784 wrote to memory of 1624	1784	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1784 wrote to memory of 1624	1784	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1784 wrote to memory of 1624	1784	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1784 wrote to memory of 1624	1784	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1624 wrote to memory of 1756	1624	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	csrss.exe
PID 1624 wrote to memory of 1756	1624	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	csrss.exe
PID 1624 wrote to memory of 1756	1624	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	csrss.exe
PID 1624 wrote to memory of 1756	1624	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	csrss.exe
PID 1756 wrote to memory of 1988	1756	csrss.exe	csrss.exe
PID 1756 wrote to memory of 1988	1756	csrss.exe	csrss.exe
PID 1756 wrote to memory of 1988	1756	csrss.exe	csrss.exe
PID 1756 wrote to memory of 1988	1756	csrss.exe	csrss.exe
PID 1756 wrote to memory of 1988	1756	csrss.exe	csrss.exe
PID 1756 wrote to memory of 1988	1756	csrss.exe	csrss.exe
PID 1756 wrote to memory of 1988	1756	csrss.exe	csrss.exe
PID 1756 wrote to memory of 1988	1756	csrss.exe	csrss.exe
PID 1756 wrote to memory of 1988	1756	csrss.exe	csrss.exe
PID 1756 wrote to memory of 1988	1756	csrss.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
"C:\Users\Admin\AppData\Local\Temp\33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Local\Temp\33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
C:\Users\Admin\AppData\Local\Temp\33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\csrss.exe
"C:\Windows\csrss.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\csrss.exe
C:\Windows\csrss.exe
4⤵
- Executes dropped EXE
PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\csrss.exe

Filesize
177KB

MD5
702419ffd5e768b22037a84c7bad88cd

SHA1
13b3b0dcd128f6574b7392385419ce680efce036

SHA256
33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a

SHA512
363b81444e2de13c26fc14950d4760a0845f5724eade322bae73bb04ca60396c7c6ff3be577b2c4cfde4cff40e78f722a9744ab46a571536f3bc0985ab9ad192

Download Submit
C:\Windows\csrss.exe

Filesize
177KB

MD5
702419ffd5e768b22037a84c7bad88cd

SHA1
13b3b0dcd128f6574b7392385419ce680efce036

SHA256
33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a

SHA512
363b81444e2de13c26fc14950d4760a0845f5724eade322bae73bb04ca60396c7c6ff3be577b2c4cfde4cff40e78f722a9744ab46a571536f3bc0985ab9ad192

Download Submit
C:\Windows\csrss.exe

Filesize
177KB

MD5
702419ffd5e768b22037a84c7bad88cd

SHA1
13b3b0dcd128f6574b7392385419ce680efce036

SHA256
33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a

SHA512
363b81444e2de13c26fc14950d4760a0845f5724eade322bae73bb04ca60396c7c6ff3be577b2c4cfde4cff40e78f722a9744ab46a571536f3bc0985ab9ad192

Download Submit
memory/1624-56-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1624-57-0x000000000040ACE5-mapping.dmp

Download
memory/1624-59-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1624-60-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1624-72-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1624-74-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1756-61-0x0000000000000000-mapping.dmp

Download
memory/1988-67-0x000000000040ACE5-mapping.dmp

Download
memory/1988-73-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads