metasploit | 33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a

General

Target

33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
Size

177KB
MD5

702419ffd5e768b22037a84c7bad88cd
SHA1

13b3b0dcd128f6574b7392385419ce680efce036
SHA256

33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a
SHA512

363b81444e2de13c26fc14950d4760a0845f5724eade322bae73bb04ca60396c7c6ff3be577b2c4cfde4cff40e78f722a9744ab46a571536f3bc0985ab9ad192
SSDEEP

3072:rEEkpajNuqwjuwMROeSP4SY5fl2+dGYAo9RK1gz9Koc7yQOiOy2D9OlCSXzGsue8:rEDajNuJjujoeSP4SY5fl2+dGYAo9RKg

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 2 IoCs

Processes:

csrss.execsrss.exe

pid process

5104 csrss.exe
4304 csrss.exe

pid	process
5104	csrss.exe
4304	csrss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remote Registry Service = "csrss.exe"	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.execsrss.exe

description	pid	process	target process
PID 1336 set thread context of 1044	1336	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 5104 set thread context of 4304	5104	csrss.exe	csrss.exe

Drops file in Windows directory 2 IoCs

Processes:

33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe

description	ioc	process
File created	C:\Windows\csrss.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
File opened for modification	C:\Windows\csrss.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.execsrss.exe

pid process

1336 33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
5104 csrss.exe

pid	process
1336	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
5104	csrss.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.execsrss.exe

description	pid	process	target process
PID 1336 wrote to memory of 1044	1336	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1336 wrote to memory of 1044	1336	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1336 wrote to memory of 1044	1336	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1336 wrote to memory of 1044	1336	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1336 wrote to memory of 1044	1336	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1336 wrote to memory of 1044	1336	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1336 wrote to memory of 1044	1336	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1336 wrote to memory of 1044	1336	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1336 wrote to memory of 1044	1336	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
PID 1044 wrote to memory of 5104	1044	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	csrss.exe
PID 1044 wrote to memory of 5104	1044	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	csrss.exe
PID 1044 wrote to memory of 5104	1044	33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe	csrss.exe
PID 5104 wrote to memory of 4304	5104	csrss.exe	csrss.exe
PID 5104 wrote to memory of 4304	5104	csrss.exe	csrss.exe
PID 5104 wrote to memory of 4304	5104	csrss.exe	csrss.exe
PID 5104 wrote to memory of 4304	5104	csrss.exe	csrss.exe
PID 5104 wrote to memory of 4304	5104	csrss.exe	csrss.exe
PID 5104 wrote to memory of 4304	5104	csrss.exe	csrss.exe
PID 5104 wrote to memory of 4304	5104	csrss.exe	csrss.exe
PID 5104 wrote to memory of 4304	5104	csrss.exe	csrss.exe
PID 5104 wrote to memory of 4304	5104	csrss.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
"C:\Users\Admin\AppData\Local\Temp\33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Local\Temp\33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
C:\Users\Admin\AppData\Local\Temp\33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a.exe
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\csrss.exe
"C:\Windows\csrss.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\csrss.exe
C:\Windows\csrss.exe
4⤵
- Executes dropped EXE
PID:4304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\csrss.exe

Filesize
177KB

MD5
702419ffd5e768b22037a84c7bad88cd

SHA1
13b3b0dcd128f6574b7392385419ce680efce036

SHA256
33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a

SHA512
363b81444e2de13c26fc14950d4760a0845f5724eade322bae73bb04ca60396c7c6ff3be577b2c4cfde4cff40e78f722a9744ab46a571536f3bc0985ab9ad192

Download Submit
C:\Windows\csrss.exe

Filesize
177KB

MD5
702419ffd5e768b22037a84c7bad88cd

SHA1
13b3b0dcd128f6574b7392385419ce680efce036

SHA256
33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a

SHA512
363b81444e2de13c26fc14950d4760a0845f5724eade322bae73bb04ca60396c7c6ff3be577b2c4cfde4cff40e78f722a9744ab46a571536f3bc0985ab9ad192

Download Submit
C:\Windows\csrss.exe

Filesize
177KB

MD5
702419ffd5e768b22037a84c7bad88cd

SHA1
13b3b0dcd128f6574b7392385419ce680efce036

SHA256
33294012b64123cecd4b1f21404e0b0cad9cd7556c6efb5a41c43f80b775ca1a

SHA512
363b81444e2de13c26fc14950d4760a0845f5724eade322bae73bb04ca60396c7c6ff3be577b2c4cfde4cff40e78f722a9744ab46a571536f3bc0985ab9ad192

Download Submit
memory/1044-134-0x0000000000000000-mapping.dmp

Download
memory/1044-135-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1044-137-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1044-138-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1044-149-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4304-144-0x0000000000000000-mapping.dmp

Download
memory/4304-150-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4304-151-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5104-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads