metasploit | bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2023, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe
Size

756KB
MD5

d7be2192fc7cb22db8a2acdbf4bbdafe
SHA1

89d97962f8d193fcb91402574046304fbfe2e89f
SHA256

bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324
SHA512

e0da02125907eade276c6489af7bccfae29ab6d07a7936dc59d3fd041d723e2840a57197fea5ba11425c37f6fe0f36570610e13ce2d7ace7823955416de6d799
SSDEEP

12288:FNpszYhvXWSVJdMae3mUJUTOMsa+0zNOabK3ghMZtc6NS+0Ulk287/k/MjuLle:7hvJVJdMa1+wOmK3gglSjUlkVzuLs

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

103.116.46.219:25566

218.89.171.148:55472

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	file.com.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	file.com

Executes dropped EXE 4 IoCs

pid	Process
5048	file.com.exe
2308	file.com
3900	Windows.exe
1492	dllconfig.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023246-186.dat	upx
behavioral2/memory/3900-187-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/files/0x0008000000023247-190.dat	upx
behavioral2/memory/1492-192-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/3900-195-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1492-196-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2532	1148	bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe	92
PID 1148 wrote to memory of 2532	1148	bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe	92
PID 1148 wrote to memory of 2532	1148	bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe	92
PID 2532 wrote to memory of 5084	2532	cmd.exe	95
PID 2532 wrote to memory of 5084	2532	cmd.exe	95
PID 2532 wrote to memory of 5084	2532	cmd.exe	95
PID 2532 wrote to memory of 1852	2532	cmd.exe	96
PID 2532 wrote to memory of 1852	2532	cmd.exe	96
PID 2532 wrote to memory of 1852	2532	cmd.exe	96
PID 1552 wrote to memory of 5048	1552	explorer.exe	99
PID 1552 wrote to memory of 5048	1552	explorer.exe	99
PID 1552 wrote to memory of 5048	1552	explorer.exe	99
PID 5048 wrote to memory of 3808	5048	file.com.exe	100
PID 5048 wrote to memory of 3808	5048	file.com.exe	100
PID 5048 wrote to memory of 3808	5048	file.com.exe	100
PID 3808 wrote to memory of 2760	3808	cmd.exe	103
PID 3808 wrote to memory of 2760	3808	cmd.exe	103
PID 3808 wrote to memory of 2760	3808	cmd.exe	103
PID 3808 wrote to memory of 4636	3808	cmd.exe	104
PID 3808 wrote to memory of 4636	3808	cmd.exe	104
PID 3808 wrote to memory of 4636	3808	cmd.exe	104
PID 3260 wrote to memory of 2308	3260	explorer.exe	106
PID 3260 wrote to memory of 2308	3260	explorer.exe	106
PID 3260 wrote to memory of 2308	3260	explorer.exe	106
PID 2308 wrote to memory of 3936	2308	file.com	107
PID 2308 wrote to memory of 3936	2308	file.com	107
PID 2308 wrote to memory of 3936	2308	file.com	107
PID 3936 wrote to memory of 3900	3936	cmd.exe	109
PID 3936 wrote to memory of 3900	3936	cmd.exe	109
PID 3936 wrote to memory of 3900	3936	cmd.exe	109
PID 3936 wrote to memory of 1492	3936	cmd.exe	110
PID 3936 wrote to memory of 1492	3936	cmd.exe	110
PID 3936 wrote to memory of 1492	3936	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe
"C:\Users\Admin\AppData\Local\Temp\bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.com.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\certutil.exe
    certutil -f -decode t "C:\Users\Admin\AppData\Local\Temp\file.com.exe"
    3⤵
    - Manipulates Digital Signatures
    PID:5084
- - C:\Windows\SysWOW64\explorer.exe
    explorer "C:\Users\Admin\AppData\Local\Temp\file.com.exe"
    3⤵
    PID:1852

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\file.com.exe
  "C:\Users\Admin\AppData\Local\Temp\file.com.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.com.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -f -decode t "C:\Users\Admin\AppData\Local\Temp\file.com"
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\explorer.exe
      explorer "C:\Users\Admin\AppData\Local\Temp\file.com"
      4⤵
      PID:4636

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Users\Admin\AppData\Local\Temp\file.com
  "C:\Users\Admin\AppData\Local\Temp\file.com"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\run.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Windows.exe
      windows.exe
      4⤵
      Executes dropped EXE
      PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\dllconfig.exe
      dllconfig.exe
      4⤵
      Executes dropped EXE
      PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.com.exe.bat

Filesize
751KB

MD5
3726d753ff0d8eff5ed191dd3e691cdb

SHA1
6f92ea3e223d0e0f83e3c9482d521c57cb675792

SHA256
3101c401613b73efc4f018bcd7067c90a4eb2100808e2f5c405783cb04783c3d

SHA512
694bbdc04ffb60ad9e5ba3611114294495ec739fa0ee2db8b550f8629aa18c19a85643f0b17cdebae28f73434be817b0e4da256167e46d7341a0aae6152cab9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\t

Filesize
367KB

MD5
67c8e63deb6c078d21d5b51cc352d1ca

SHA1
0320d0d2ae3695210c9b73fc42ed6111572832e4

SHA256
3cd1532c0bf43cd22485796bd2d4c567162cfa66c2b21b1ae0412a042ec63df3

SHA512
7abad340e1ebb72ecb58c2c9773651e41bf1323ab8efe10de635e4f9c07c325fea46767e78b225b7bf75ff407e06c1788431ae23e75843b7afa9d49ca05a1053

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\t

Filesize
749KB

MD5
52feed6878ee4648dbe6fe21671782b3

SHA1
9bfedc2898e0904291b3294c8c2fbd328d6e7592

SHA256
1a6aba3bdad682a3d67e655daee95b7635715b82ebaad9bc3e95223bbb2003a6

SHA512
fb5588e0a59aeb0f4219da6f666e289d911ab0cde488c9ca8baff1885ef94ad17b90f3c924a2ca3b5b023258bca34a2ed8f758fd687566d191a531fcc2a66af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.com.cmd

Filesize
499KB

MD5
683f6a743715e2304c53a8216f54da97

SHA1
8d059b0c1d1ff7fe33591aa2de99f97b4555a452

SHA256
a35f181237e0c0d58190273ba28d2b16ad59e219be2d30ee899e59a987141e2f

SHA512
c2db4926ae4bb2e747c0c0d14c6ba6355c0f16fe1d00d9808d56984d2200f5a6270030c3c45065d95b1613db78c979ead237fb314509ee326e0c2af51a1bd764

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\t

Filesize
499KB

MD5
fd1fe327e8242e77b8f3b039bd242dd4

SHA1
9ea5fce9835cdabae4793270d0c5a8bf30f30923

SHA256
aa01cf95e330e3b70ec26b55037e89a25dfd252e17a72212fc95a07ec4670a87

SHA512
76d292babf665af7d9d674357d017ff56e717f9dea92d4528f776c90844a3a94d01ed3684450793e144d822a530eecd357205182c0e01e8e62325fec4cfdaa44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Windows.exe

Filesize
46KB

MD5
142939c71fb5bb7f9b43cfb38ccf8729

SHA1
4065f081a84aff314de93c731f5f9d86dc0296dd

SHA256
fd1e05704a4a3aa355d6b59fd59a67258d7e86ffebe1de9827f29bf7f9ed8745

SHA512
1792957fb4677d343074cae9483fac221ab056ab1206e6f0a79e8c7d390f93ef3932e1acaac31f2eb7a62ba1a18d5800f2532ed8c4206c386693fc5beb4990d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\dllconfig.exe

Filesize
47KB

MD5
65cb5055b52b89de9fc06d9679bb860d

SHA1
0e410332ecfe02b8391f2d373c89f7329a74fa51

SHA256
b03f2f13751ea9600df21aa695180640224c78d37b49101711c0f725a798238c

SHA512
861696f02856ae6a35b29b4e5c23a4cdaaf82086f8d59a32b1c6fed7dedc9c1162020dc91392b187c05ae774ab7a81cb5f8ff37d86ea20dd58023cf755375e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\run.cmd

Filesize
79B

MD5
c2f14c0bfe13eab879fa3eaefc4dff8a

SHA1
89e463f1204b5dd8615c45a8ee1f1f960a91ac1e

SHA256
57dbff3fb9b8241c8f5dedaac6b5d9c4b74740636be861ed40a56033f08874a0

SHA512
a7ebc4bd37bcc0d41a3d4d55485182e97d0a1fcc1a19c71a24a1a9c457efeb1650bc5dc974b7c73ba47944cb65b966e843c8f5b084763dc6efd4e0b08067f124

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.com

Filesize
374KB

MD5
c506d5cf8cb8a67ca80e423dd7d917ce

SHA1
efe86b94dbb383c406bfd4264b5edf14563336fb

SHA256
cdc0053912e880b4a31e8eb6da01cf65be7271c30a9a67bdb1626c2134920ee6

SHA512
bb3046fcc87566bf781dd23752cea03fd7f0f6e3d9a4b3fd4172d9d011d3b61850f6c6eb978801b49a6109a2b25d9bbd5c0169eb842d088758bf25f45fe2b21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.com.exe

Filesize
562KB

MD5
89c2e2e6a0b38063c3e2eebd9f232d03

SHA1
e7a9f62bb388be0907ac6f164fae30ac5d28f014

SHA256
63b69c5d87b82422864376aa2d1a7e3e8bc90891ace200f33ccc0da7e3f680d2

SHA512
6bfbcaa3cd0ad82ed7d08bc7948231ffb778b93a40604bc53adc8c58344a1cc2adbc80ea42b613ffe5f0c923e50475a5d9e4ba4cff4cb65a98ea698d5348a715

Download Submit
memory/1492-192-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1492-193-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1492-196-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3900-187-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3900-188-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3900-195-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads