metasploit | 18f44d62d834ed3251785a9b16a6666601f8f1839c9cdd58a4c43972b2a549e1

General

Target

1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe
Size

72KB
MD5

b5f1e89070c0c5eef7d8fa9950f38eda
SHA1

95c3de2290b6f1963fae2c0a3ed71d3b3e50a616
SHA256

1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb
SHA512

d0e4d5b4b0d1dd3ed84abeef29893167500b5cbcd6b36b2bf86f2a7e1375ab168e9285322c547fed3457df697e0ce40612dbde109a612a74e8d80bd3ac8ed10c
SSDEEP

1536:IETSxY+T+L5p2xWqfP/X2LPIQBethIBMb+KR0Nc8QsJq39:bGC+qL3uv/XePIee/IBe0Nc8QsC9

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

3.141.204.47:28193

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1676	1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe
1676	1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe
1676	1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe
1884	notepad.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe
Token: SeDebugPrivilege	1676	1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe
Token: SeDebugPrivilege	1676	1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe
Token: SeDebugPrivilege	1676	1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe
Token: SeDebugPrivilege	1884	notepad.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1884	1676	1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe	26
PID 1676 wrote to memory of 1884	1676	1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe	26
PID 1676 wrote to memory of 1884	1676	1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe	26
PID 1676 wrote to memory of 1884	1676	1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe	26
PID 1676 wrote to memory of 1884	1676	1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe	26
PID 1676 wrote to memory of 1884	1676	1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe	26
PID 1676 wrote to memory of 1884	1676	1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe	26
PID 1676 wrote to memory of 1884	1676	1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe	26

C:\Users\Admin\AppData\Local\Temp\1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe
"C:\Users\Admin\AppData\Local\Temp\1ab3517feb46b2eca39547915f8f6565b05011ce8674e784d96e2484df39c8bb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1676-113-0x0000000000420000-0x0000000000451000-memory.dmp

Filesize
196KB

Download
memory/1676-114-0x0000000000320000-0x0000000000340000-memory.dmp

Filesize
128KB

Download
memory/1676-56-0x00000000002F0000-0x000000000031B000-memory.dmp

Filesize
172KB

Download
memory/1676-55-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1676-58-0x0000000000420000-0x0000000000451000-memory.dmp

Filesize
196KB

Download
memory/1676-65-0x00000000021C0000-0x000000000221F000-memory.dmp

Filesize
380KB

Download
memory/1676-66-0x0000000000420000-0x0000000000451000-memory.dmp

Filesize
196KB

Download
memory/1676-81-0x0000000000320000-0x0000000000340000-memory.dmp

Filesize
128KB

Download
memory/1676-82-0x0000000000420000-0x0000000000451000-memory.dmp

Filesize
196KB

Download
memory/1676-96-0x0000000000420000-0x0000000000451000-memory.dmp

Filesize
196KB

Download
memory/1676-105-0x00000000021C0000-0x000000000221F000-memory.dmp

Filesize
380KB

Download
memory/1676-54-0x0000000000420000-0x0000000000451000-memory.dmp

Filesize
196KB

Download
memory/1676-57-0x0000000000420000-0x0000000000451000-memory.dmp

Filesize
196KB

Download
memory/1884-130-0x0000000000290000-0x00000000002C1000-memory.dmp

Filesize
196KB

Download
memory/1884-118-0x0000000000290000-0x00000000002C1000-memory.dmp

Filesize
196KB

Download
memory/1884-107-0x00000000001D0000-0x00000000001FB000-memory.dmp

Filesize
172KB

Download
memory/1884-110-0x00000000001D0000-0x00000000001FB000-memory.dmp

Filesize
172KB

Download
memory/1884-112-0x0000000000290000-0x00000000002C1000-memory.dmp

Filesize
196KB

Download
memory/1884-108-0x00000000001D0000-0x00000000001FB000-memory.dmp

Filesize
172KB

Download
memory/1884-115-0x0000000000290000-0x00000000002C1000-memory.dmp

Filesize
196KB

Download
memory/1884-111-0x00000000001D0000-0x00000000001FB000-memory.dmp

Filesize
172KB

Download
memory/1884-117-0x00000000001D0000-0x00000000001FB000-memory.dmp

Filesize
172KB

Download
memory/1884-122-0x00000000029A0000-0x00000000029FF000-memory.dmp

Filesize
380KB

Download
memory/1884-123-0x0000000000290000-0x00000000002C1000-memory.dmp

Filesize
196KB

Download
memory/1884-109-0x00000000001D0000-0x00000000001FB000-memory.dmp

Filesize
172KB

Download
memory/1884-131-0x0000000002910000-0x0000000002930000-memory.dmp

Filesize
128KB

Download
memory/1884-137-0x00000000029A0000-0x00000000029FF000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing