metasploit | df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65

General

Target

df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
Size

564KB
MD5

0de094f08cdd761894f2ed9283a89db0
SHA1

14def521b5581a3bd10ac6c470c772e91b43e9c1
SHA256

df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65
SHA512

4d10774cfc9748c6699004cee066c744423fa56f00425a4f3c16dfe0fb8d74d883b2efc8b946031b4f7f5d6ac9faf7e51dfc48d7043633c7c96af155768f6248
SSDEEP

12288:03usG9pLi+twALZJZi3lDQoyazsf3bYF9kfLcTk3IW:0Up7tfZJZW5w/bKkww37

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 2 IoCs

Processes:

bestext.execmd.exe

pid process

1120 bestext.exe
1332 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exebestext.exe

pid process

960 df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
1120 bestext.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1120	bestext.exe
1332	cmd.exe

pid	process
960	df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
1120	bestext.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exebestext.exe

description	pid	process
Token: 33	960	df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
Token: SeIncBasePriorityPrivilege	960	df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
Token: 33	960	df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
Token: SeIncBasePriorityPrivilege	960	df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
Token: 33	960	df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
Token: SeIncBasePriorityPrivilege	960	df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
Token: 33	1120	bestext.exe
Token: SeIncBasePriorityPrivilege	1120	bestext.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exebestext.exe

description	pid	process	target process
PID 960 wrote to memory of 1120	960	df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe	bestext.exe
PID 960 wrote to memory of 1120	960	df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe	bestext.exe
PID 960 wrote to memory of 1120	960	df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe	bestext.exe
PID 960 wrote to memory of 1120	960	df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe	bestext.exe
PID 1120 wrote to memory of 1332	1120	bestext.exe	cmd.exe
PID 1120 wrote to memory of 1332	1120	bestext.exe	cmd.exe
PID 1120 wrote to memory of 1332	1120	bestext.exe	cmd.exe
PID 1120 wrote to memory of 1332	1120	bestext.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe
"C:\Users\Admin\AppData\Local\Temp\df97f34ffa197a340449120ee022812770a4ed9746e83a25716c91d3b8000b65.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\PuTTY suite\Release 0.60\2013.09.17T13.25\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\bestext.exe
"C:\Users\Admin\AppData\Local\Temp\bestext.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\PuTTY suite\Release 0.60\2013.09.17T13.25\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe
cmd
3⤵
- Executes dropped EXE
PID:1332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\PuTTY suite\Release 0.60\2013.09.17T13.25\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe
Filesize
17KB

MD5
ae94a75a83cbe2307b932b3af492d5ce

SHA1
a5c3d44899c3d133815c1d74a0016190f5394999

SHA256
d111c6f792e77b3c81a1be1c3c95db71cd53bdd8fe5027cb8734f71315816407

SHA512
feabae30331f399767d5dfecca2a4d72cbae3f1dd234e18585ea12cde683fb169814627cd32b98ccfb8824ef33b34f121ecb4824715a12fef4719033d8ca969b

Download Submit
C:\Users\Admin\AppData\Local\Xenocode\Sandbox\PuTTY suite\Release 0.60\2013.09.17T13.25\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\bestext.exe
Filesize
17KB

MD5
7eda08261d497c9d88bb92644e7a2cb2

SHA1
886253caf7b798bb277d7b2d04a0ef36c0ea75bb

SHA256
6c1b74850fec10db1c10058c4ff7cae129dd2444048b17669c129c79266e0ac1

SHA512
e66cd5593689b9d31a5a5972fc6a0db997fae723058c4a65d25c5dd80239af7c7b0e9d1533f44a13eb7eb45c7ef23bf5477f586cef59800aaaad24edd344a888

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\PuTTY suite\Release 0.60\2013.09.17T13.25\Native\STUBEXE\8.0.1112\@SYSTEM@\cmd.exe
Filesize
17KB

MD5
ae94a75a83cbe2307b932b3af492d5ce

SHA1
a5c3d44899c3d133815c1d74a0016190f5394999

SHA256
d111c6f792e77b3c81a1be1c3c95db71cd53bdd8fe5027cb8734f71315816407

SHA512
feabae30331f399767d5dfecca2a4d72cbae3f1dd234e18585ea12cde683fb169814627cd32b98ccfb8824ef33b34f121ecb4824715a12fef4719033d8ca969b

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\PuTTY suite\Release 0.60\2013.09.17T13.25\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\bestext.exe
Filesize
17KB

MD5
7eda08261d497c9d88bb92644e7a2cb2

SHA1
886253caf7b798bb277d7b2d04a0ef36c0ea75bb

SHA256
6c1b74850fec10db1c10058c4ff7cae129dd2444048b17669c129c79266e0ac1

SHA512
e66cd5593689b9d31a5a5972fc6a0db997fae723058c4a65d25c5dd80239af7c7b0e9d1533f44a13eb7eb45c7ef23bf5477f586cef59800aaaad24edd344a888

Download Submit
memory/960-69-0x0000000000370000-0x00000000003E2000-memory.dmp

Filesize
456KB

Download
memory/960-54-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/960-60-0x0000000000370000-0x00000000003E2000-memory.dmp

Filesize
456KB

Download
memory/960-57-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/960-84-0x0000000000370000-0x00000000003E2000-memory.dmp

Filesize
456KB

Download
memory/960-58-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/960-55-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/960-59-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/960-56-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1120-66-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1120-68-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1120-70-0x0000000000460000-0x00000000004D2000-memory.dmp

Filesize
456KB

Download
memory/1120-67-0x0000000000460000-0x00000000004D2000-memory.dmp

Filesize
456KB

Download
memory/1120-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1120-62-0x0000000000000000-mapping.dmp

Download
memory/1120-83-0x0000000000460000-0x00000000004D2000-memory.dmp

Filesize
456KB

Download
memory/1332-76-0x000000004AD00000-0x000000004AD4C000-memory.dmp

Filesize
304KB

Download
memory/1332-77-0x000000004AD00000-0x000000004AD4C000-memory.dmp

Filesize
304KB

Download
memory/1332-79-0x000000004AD00000-0x000000004AD4C000-memory.dmp

Filesize
304KB

Download
memory/1332-78-0x000000004AD00000-0x000000004AD4C000-memory.dmp

Filesize
304KB

Download
memory/1332-80-0x000000004AD00000-0x000000004AD4C000-memory.dmp

Filesize
304KB

Download
memory/1332-81-0x000000004AD00000-0x000000004AD4C000-memory.dmp

Filesize
304KB

Download
memory/1332-82-0x0000000000230000-0x00000000002A2000-memory.dmp

Filesize
456KB

Download
memory/1332-75-0x000000004AD00000-0x000000004AD4C000-memory.dmp

Filesize
304KB

Download
memory/1332-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing