metasploit | bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f

Analysis

max time kernel
147s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Size

272KB
MD5

42336081866631ea1d378881a4f99a7a
SHA1

afdde5642b71a34564251ed4e166cf195ba11465
SHA256

bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f
SHA512

ffbdeac9043cda0ab6f063225b6a536b2457b64dac78827a3a3c12790c4f1250c8c63b967664afa23e69a7e13c0baaacce137b6084b62a84d0fc4d5cce1cb943
SSDEEP

6144:B9FYQeeMiVusHFTtIM602a108XEWxLYAoanrxB7n2NP0ZQKcqTd/dJBuM7JKuDea:B9x31EWLkwjsAUJa

Score

10^/10

metasploit backdoor persistence trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 2 IoCs

pid	Process
1504	scvhost.exe
1472	scvhost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components\{UCDCEFUN-JZDV-QDAK-ZX3F-TYVZHGI2TQGT}	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components\{UCDCEFUN-JZDV-QDAK-ZX3F-TYVZHGI2TQGT}\StubPath = "\\zip.exe"	scvhost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{UCDCEFUN-JZDV-QDAK-ZX3F-TYVZHGI2TQGT}	scvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{UCDCEFUN-JZDV-QDAK-ZX3F-TYVZHGI2TQGT}\StubPath = "\\zip.exe"	scvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components\{UCDCEFUN-JZDV-QDAK-ZX3F-TYVZHGI2TQGT}	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components\{UCDCEFUN-JZDV-QDAK-ZX3F-TYVZHGI2TQGT}\StubPath = "\\zip.exe"	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{UCDCEFUN-JZDV-QDAK-ZX3F-TYVZHGI2TQGT}	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{UCDCEFUN-JZDV-QDAK-ZX3F-TYVZHGI2TQGT}\StubPath = "\\zip.exe"	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1368-57-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral1/memory/1368-60-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral1/memory/1368-62-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral1/memory/1368-72-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral1/memory/1472-81-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral1/memory/1472-82-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral1/memory/1472-86-0x0000000000400000-0x000000000045E000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1368	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
1368	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZipCheck = "\\zip.exe"	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZipCheck = "\\zip.exe"	scvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	scvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Data Serivce = "scvhost.exe"	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ZipCheck = "\\zip.exe"	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	scvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ZipCheck = "\\zip.exe"	scvhost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 1368	1760	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	28
PID 1504 set thread context of 1472	1504	scvhost.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1760	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
1504	scvhost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1368	1760	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	28
PID 1760 wrote to memory of 1368	1760	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	28
PID 1760 wrote to memory of 1368	1760	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	28
PID 1760 wrote to memory of 1368	1760	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	28
PID 1760 wrote to memory of 1368	1760	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	28
PID 1760 wrote to memory of 1368	1760	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	28
PID 1760 wrote to memory of 1368	1760	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	28
PID 1760 wrote to memory of 1368	1760	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	28
PID 1760 wrote to memory of 1368	1760	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	28
PID 1368 wrote to memory of 1504	1368	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	29
PID 1368 wrote to memory of 1504	1368	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	29
PID 1368 wrote to memory of 1504	1368	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	29
PID 1368 wrote to memory of 1504	1368	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	29
PID 1760 wrote to memory of 1172	1760	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	30
PID 1760 wrote to memory of 1172	1760	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	30
PID 1760 wrote to memory of 1172	1760	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	30
PID 1760 wrote to memory of 1172	1760	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	30
PID 1504 wrote to memory of 1472	1504	scvhost.exe	32
PID 1504 wrote to memory of 1472	1504	scvhost.exe	32
PID 1504 wrote to memory of 1472	1504	scvhost.exe	32
PID 1504 wrote to memory of 1472	1504	scvhost.exe	32
PID 1504 wrote to memory of 1472	1504	scvhost.exe	32
PID 1504 wrote to memory of 1472	1504	scvhost.exe	32
PID 1504 wrote to memory of 1472	1504	scvhost.exe	32
PID 1504 wrote to memory of 1472	1504	scvhost.exe	32
PID 1504 wrote to memory of 1472	1504	scvhost.exe	32
PID 1504 wrote to memory of 768	1504	scvhost.exe	33
PID 1504 wrote to memory of 768	1504	scvhost.exe	33
PID 1504 wrote to memory of 768	1504	scvhost.exe	33
PID 1504 wrote to memory of 768	1504	scvhost.exe	33

C:\Users\Admin\AppData\Local\Temp\bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
"C:\Users\Admin\AppData\Local\Temp\bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe"
1⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
  "C:\Users\Admin\AppData\Local\Temp\bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Users\Admin\AppData\Roaming\scvhost.exe
    "C:\Users\Admin\AppData\Roaming\scvhost.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Users\Admin\AppData\Roaming\scvhost.exe
      "C:\Users\Admin\AppData\Roaming\scvhost.exe"
      4⤵
      Executes dropped EXE
      PID:1472
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\AB5vXCpSoD0L3whxk.bat" "
      4⤵
      PID:768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\AB5vXCpSoD0L3whxk.bat" "
  2⤵
  PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AB5vXCpSoD0L3whxk.bat

Filesize
156B

MD5
86129a6a8940c1f85adc8d32b3c13e24

SHA1
8d8537884e155c0ab2ceda253d2bd01e7e796554

SHA256
7a1818626c5ca51868028505e384f6f9c0592682e576f95f71e11cffe4f0ce75

SHA512
c4c9e278b2a84ee9772282268cf6f09ead5ae4204efadc981fcc6caf5c35646001452f316f17d36922cf6ac69ef7831f0cee3a009138dbd48e8775b4e530f2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB5vXCpSoD0L3whxk.bat

Filesize
216B

MD5
f52c6aef27e551fa3bb6a781d5f8e7b1

SHA1
9b4bbd64d78c9d9d8bc61b5ef00cc5173cca78f1

SHA256
2d110c587b26812f7565096a4cf5c19e0ec697595126189d234bde057fd49189

SHA512
9037b9828aea7e11f69f8560192457fccec7e6e61e0e392cd40d5591460491686420feafea698a9fa733f27b8d4ab50914342538290af5d49e8467adf0cc67fe

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
272KB

MD5
42336081866631ea1d378881a4f99a7a

SHA1
afdde5642b71a34564251ed4e166cf195ba11465

SHA256
bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f

SHA512
ffbdeac9043cda0ab6f063225b6a536b2457b64dac78827a3a3c12790c4f1250c8c63b967664afa23e69a7e13c0baaacce137b6084b62a84d0fc4d5cce1cb943

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
272KB

MD5
42336081866631ea1d378881a4f99a7a

SHA1
afdde5642b71a34564251ed4e166cf195ba11465

SHA256
bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f

SHA512
ffbdeac9043cda0ab6f063225b6a536b2457b64dac78827a3a3c12790c4f1250c8c63b967664afa23e69a7e13c0baaacce137b6084b62a84d0fc4d5cce1cb943

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
272KB

MD5
42336081866631ea1d378881a4f99a7a

SHA1
afdde5642b71a34564251ed4e166cf195ba11465

SHA256
bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f

SHA512
ffbdeac9043cda0ab6f063225b6a536b2457b64dac78827a3a3c12790c4f1250c8c63b967664afa23e69a7e13c0baaacce137b6084b62a84d0fc4d5cce1cb943

Download Submit
C:\zip.exe

Filesize
272KB

MD5
42336081866631ea1d378881a4f99a7a

SHA1
afdde5642b71a34564251ed4e166cf195ba11465

SHA256
bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f

SHA512
ffbdeac9043cda0ab6f063225b6a536b2457b64dac78827a3a3c12790c4f1250c8c63b967664afa23e69a7e13c0baaacce137b6084b62a84d0fc4d5cce1cb943

Download Submit
\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
272KB

MD5
42336081866631ea1d378881a4f99a7a

SHA1
afdde5642b71a34564251ed4e166cf195ba11465

SHA256
bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f

SHA512
ffbdeac9043cda0ab6f063225b6a536b2457b64dac78827a3a3c12790c4f1250c8c63b967664afa23e69a7e13c0baaacce137b6084b62a84d0fc4d5cce1cb943

Download Submit
\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
272KB

MD5
42336081866631ea1d378881a4f99a7a

SHA1
afdde5642b71a34564251ed4e166cf195ba11465

SHA256
bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f

SHA512
ffbdeac9043cda0ab6f063225b6a536b2457b64dac78827a3a3c12790c4f1250c8c63b967664afa23e69a7e13c0baaacce137b6084b62a84d0fc4d5cce1cb943

Download Submit
memory/1368-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1368-72-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1368-62-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1368-60-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1368-57-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1472-81-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1472-82-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1472-86-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1760-61-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads