metasploit | a85df6ff37ee8e74c71a22e4c6e4f6575748b1c225e67f39618e5d52d2e9bb39

General

Target

a85df6ff37ee8e74c71a22e4c6e4f6575748b1c225e67f39618e5d52d2e9bb39.exe
Size

113KB
MD5

02e0668f017f0711939c94764db95630
SHA1

9b69609f4de18be43d8125f5682f47d5bcd5cb2b
SHA256

a85df6ff37ee8e74c71a22e4c6e4f6575748b1c225e67f39618e5d52d2e9bb39
SHA512

3a67bc3539f2bc87140e297257d6e099c20195d2e2efc26e41683a780b0f573d8225edfcddad61c1f55d5cb5a8a30ba0f7b59fdb3dd3487cc922cb32c8f41f8d
SSDEEP

3072:S5PIHFgyac5NC720rQ1rtnGUQ8yJfX6Q2vaEsy:uQeINClrAaJ/6Lt

Score

10^/10

metasploit aspackv2 backdoor evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000a000000022df2-138.dat	aspack_v212_v242
behavioral2/files/0x000a000000022df2-139.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1528	cfmon.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cfmon.exe	a85df6ff37ee8e74c71a22e4c6e4f6575748b1c225e67f39618e5d52d2e9bb39.exe
File opened for modification	C:\Windows\SysWOW64\cfmon.exe	a85df6ff37ee8e74c71a22e4c6e4f6575748b1c225e67f39618e5d52d2e9bb39.exe

Runs .reg file with regedit 2 IoCs

pid	Process
3496	regedit.exe
4032	regedit.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 4996	2396	a85df6ff37ee8e74c71a22e4c6e4f6575748b1c225e67f39618e5d52d2e9bb39.exe	82
PID 2396 wrote to memory of 4996	2396	a85df6ff37ee8e74c71a22e4c6e4f6575748b1c225e67f39618e5d52d2e9bb39.exe	82
PID 2396 wrote to memory of 4996	2396	a85df6ff37ee8e74c71a22e4c6e4f6575748b1c225e67f39618e5d52d2e9bb39.exe	82
PID 4996 wrote to memory of 3496	4996	cmd.exe	83
PID 4996 wrote to memory of 3496	4996	cmd.exe	83
PID 4996 wrote to memory of 3496	4996	cmd.exe	83
PID 2396 wrote to memory of 1528	2396	a85df6ff37ee8e74c71a22e4c6e4f6575748b1c225e67f39618e5d52d2e9bb39.exe	84
PID 2396 wrote to memory of 1528	2396	a85df6ff37ee8e74c71a22e4c6e4f6575748b1c225e67f39618e5d52d2e9bb39.exe	84
PID 2396 wrote to memory of 1528	2396	a85df6ff37ee8e74c71a22e4c6e4f6575748b1c225e67f39618e5d52d2e9bb39.exe	84
PID 1528 wrote to memory of 4264	1528	cfmon.exe	85
PID 1528 wrote to memory of 4264	1528	cfmon.exe	85
PID 1528 wrote to memory of 4264	1528	cfmon.exe	85
PID 4264 wrote to memory of 4032	4264	cmd.exe	86
PID 4264 wrote to memory of 4032	4264	cmd.exe	86
PID 4264 wrote to memory of 4032	4264	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\a85df6ff37ee8e74c71a22e4c6e4f6575748b1c225e67f39618e5d52d2e9bb39.exe
"C:\Users\Admin\AppData\Local\Temp\a85df6ff37ee8e74c71a22e4c6e4f6575748b1c225e67f39618e5d52d2e9bb39.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    - Modifies security service
    - Runs .reg file with regedit
    PID:3496
- C:\Windows\SysWOW64\cfmon.exe
  C:\Windows\system32\cfmon.exe 1168 "C:\Users\Admin\AppData\Local\Temp\a85df6ff37ee8e74c71a22e4c6e4f6575748b1c225e67f39618e5d52d2e9bb39.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\a.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      4⤵
      Modifies security service
      Runs .reg file with regedit
      PID:4032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Windows\SysWOW64\cfmon.exe

Filesize
113KB

MD5
02e0668f017f0711939c94764db95630

SHA1
9b69609f4de18be43d8125f5682f47d5bcd5cb2b

SHA256
a85df6ff37ee8e74c71a22e4c6e4f6575748b1c225e67f39618e5d52d2e9bb39

SHA512
3a67bc3539f2bc87140e297257d6e099c20195d2e2efc26e41683a780b0f573d8225edfcddad61c1f55d5cb5a8a30ba0f7b59fdb3dd3487cc922cb32c8f41f8d

Download Submit
C:\Windows\SysWOW64\cfmon.exe

Filesize
113KB

MD5
02e0668f017f0711939c94764db95630

SHA1
9b69609f4de18be43d8125f5682f47d5bcd5cb2b

SHA256
a85df6ff37ee8e74c71a22e4c6e4f6575748b1c225e67f39618e5d52d2e9bb39

SHA512
3a67bc3539f2bc87140e297257d6e099c20195d2e2efc26e41683a780b0f573d8225edfcddad61c1f55d5cb5a8a30ba0f7b59fdb3dd3487cc922cb32c8f41f8d

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
memory/1528-137-0x0000000000000000-mapping.dmp

Download
memory/1528-142-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2396-132-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2396-145-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/3496-135-0x0000000000000000-mapping.dmp

Download
memory/4032-143-0x0000000000000000-mapping.dmp

Download
memory/4264-140-0x0000000000000000-mapping.dmp

Download
memory/4996-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing