metasploit | bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f

General

Target

bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Size

272KB
MD5

42336081866631ea1d378881a4f99a7a
SHA1

afdde5642b71a34564251ed4e166cf195ba11465
SHA256

bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f
SHA512

ffbdeac9043cda0ab6f063225b6a536b2457b64dac78827a3a3c12790c4f1250c8c63b967664afa23e69a7e13c0baaacce137b6084b62a84d0fc4d5cce1cb943
SSDEEP

6144:B9FYQeeMiVusHFTtIM602a108XEWxLYAoanrxB7n2NP0ZQKcqTd/dJBuM7JKuDea:B9x31EWLkwjsAUJa

Score

10^/10

metasploit backdoor persistence trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 2 IoCs

pid	Process
812	scvhost.exe
1632	scvhost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{UCDCEFUN-JZDV-QDAK-ZX3F-TYVZHGI2TQGT}\StubPath = "\\zip.exe"	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components\{UCDCEFUN-JZDV-QDAK-ZX3F-TYVZHGI2TQGT}	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{UCDCEFUN-JZDV-QDAK-ZX3F-TYVZHGI2TQGT}\StubPath = "\\zip.exe"	scvhost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{UCDCEFUN-JZDV-QDAK-ZX3F-TYVZHGI2TQGT}	scvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{UCDCEFUN-JZDV-QDAK-ZX3F-TYVZHGI2TQGT}\StubPath = "\\zip.exe"	scvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components\{UCDCEFUN-JZDV-QDAK-ZX3F-TYVZHGI2TQGT}	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{UCDCEFUN-JZDV-QDAK-ZX3F-TYVZHGI2TQGT}\StubPath = "\\zip.exe"	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{UCDCEFUN-JZDV-QDAK-ZX3F-TYVZHGI2TQGT}	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1228-135-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/1228-137-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/1228-138-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/1228-139-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/1228-146-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/1632-155-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/1632-158-0x0000000000400000-0x000000000045E000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	scvhost.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Data Serivce = "scvhost.exe"	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZipCheck = "\\zip.exe"	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZipCheck = "\\zip.exe"	scvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZipCheck = "\\zip.exe"	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZipCheck = "\\zip.exe"	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	scvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	scvhost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5072 set thread context of 1228	5072	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	83
PID 812 set thread context of 1632	812	scvhost.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5072	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
812	scvhost.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1228	5072	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	83
PID 5072 wrote to memory of 1228	5072	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	83
PID 5072 wrote to memory of 1228	5072	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	83
PID 5072 wrote to memory of 1228	5072	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	83
PID 5072 wrote to memory of 1228	5072	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	83
PID 5072 wrote to memory of 1228	5072	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	83
PID 5072 wrote to memory of 1228	5072	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	83
PID 5072 wrote to memory of 1228	5072	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	83
PID 1228 wrote to memory of 812	1228	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	84
PID 1228 wrote to memory of 812	1228	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	84
PID 1228 wrote to memory of 812	1228	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	84
PID 5072 wrote to memory of 2148	5072	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	85
PID 5072 wrote to memory of 2148	5072	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	85
PID 5072 wrote to memory of 2148	5072	bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe	85
PID 812 wrote to memory of 1632	812	scvhost.exe	87
PID 812 wrote to memory of 1632	812	scvhost.exe	87
PID 812 wrote to memory of 1632	812	scvhost.exe	87
PID 812 wrote to memory of 1632	812	scvhost.exe	87
PID 812 wrote to memory of 1632	812	scvhost.exe	87
PID 812 wrote to memory of 1632	812	scvhost.exe	87
PID 812 wrote to memory of 1632	812	scvhost.exe	87
PID 812 wrote to memory of 1632	812	scvhost.exe	87
PID 812 wrote to memory of 2352	812	scvhost.exe	88
PID 812 wrote to memory of 2352	812	scvhost.exe	88
PID 812 wrote to memory of 2352	812	scvhost.exe	88

C:\Users\Admin\AppData\Local\Temp\bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
"C:\Users\Admin\AppData\Local\Temp\bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe"
1⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe
  "C:\Users\Admin\AppData\Local\Temp\bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Users\Admin\AppData\Roaming\scvhost.exe
    "C:\Users\Admin\AppData\Roaming\scvhost.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Users\Admin\AppData\Roaming\scvhost.exe
      "C:\Users\Admin\AppData\Roaming\scvhost.exe"
      4⤵
      Executes dropped EXE
      PID:1632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AB5vXCpSoD0L3whxk.bat" "
      4⤵
      PID:2352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AB5vXCpSoD0L3whxk.bat" "
  2⤵
  PID:2148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AB5vXCpSoD0L3whxk.bat

Filesize
216B

MD5
f52c6aef27e551fa3bb6a781d5f8e7b1

SHA1
9b4bbd64d78c9d9d8bc61b5ef00cc5173cca78f1

SHA256
2d110c587b26812f7565096a4cf5c19e0ec697595126189d234bde057fd49189

SHA512
9037b9828aea7e11f69f8560192457fccec7e6e61e0e392cd40d5591460491686420feafea698a9fa733f27b8d4ab50914342538290af5d49e8467adf0cc67fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB5vXCpSoD0L3whxk.bat

Filesize
156B

MD5
86129a6a8940c1f85adc8d32b3c13e24

SHA1
8d8537884e155c0ab2ceda253d2bd01e7e796554

SHA256
7a1818626c5ca51868028505e384f6f9c0592682e576f95f71e11cffe4f0ce75

SHA512
c4c9e278b2a84ee9772282268cf6f09ead5ae4204efadc981fcc6caf5c35646001452f316f17d36922cf6ac69ef7831f0cee3a009138dbd48e8775b4e530f2cb

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
272KB

MD5
42336081866631ea1d378881a4f99a7a

SHA1
afdde5642b71a34564251ed4e166cf195ba11465

SHA256
bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f

SHA512
ffbdeac9043cda0ab6f063225b6a536b2457b64dac78827a3a3c12790c4f1250c8c63b967664afa23e69a7e13c0baaacce137b6084b62a84d0fc4d5cce1cb943

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
272KB

MD5
42336081866631ea1d378881a4f99a7a

SHA1
afdde5642b71a34564251ed4e166cf195ba11465

SHA256
bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f

SHA512
ffbdeac9043cda0ab6f063225b6a536b2457b64dac78827a3a3c12790c4f1250c8c63b967664afa23e69a7e13c0baaacce137b6084b62a84d0fc4d5cce1cb943

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
272KB

MD5
42336081866631ea1d378881a4f99a7a

SHA1
afdde5642b71a34564251ed4e166cf195ba11465

SHA256
bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f

SHA512
ffbdeac9043cda0ab6f063225b6a536b2457b64dac78827a3a3c12790c4f1250c8c63b967664afa23e69a7e13c0baaacce137b6084b62a84d0fc4d5cce1cb943

Download Submit
C:\zip.exe

Filesize
272KB

MD5
42336081866631ea1d378881a4f99a7a

SHA1
afdde5642b71a34564251ed4e166cf195ba11465

SHA256
bd264dc9338106147892b6862bce81c7aee17227771740cba364050bbbe92e2f

SHA512
ffbdeac9043cda0ab6f063225b6a536b2457b64dac78827a3a3c12790c4f1250c8c63b967664afa23e69a7e13c0baaacce137b6084b62a84d0fc4d5cce1cb943

Download Submit
memory/1228-138-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1228-139-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1228-146-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1228-137-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1228-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1632-155-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1632-158-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads