metasploit | 30cb4b61563bd49db7d74d18c532ed48409cebf9d8c827b24363537c14cdd124

General

Target

1df2404b219f379389a6297cfb1d53fa.exe
Size

149KB
MD5

1df2404b219f379389a6297cfb1d53fa
SHA1

d7847a487795efd429428012a935c447e75b4040
SHA256

30cb4b61563bd49db7d74d18c532ed48409cebf9d8c827b24363537c14cdd124
SHA512

3bb8f84885777f04a1081614f0f9dfced8b97389406b908abf581b062b588872ab012fdddbb7d41e2ce690f91ee3f6d713f4047af56f35d3d7584f4619cd6dfd
SSDEEP

3072:eliUPXC8k1nJrX+fNTBf7iAT2Rc2Y7zBTLwYQbOSD12VgF:ezBkLL2NTBTiYCc2YfBISSD12V

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_winhttp

C2

https://103.129.196.29:23351/uhxeugBw/4pV-7FpcH2Huc-9yjo632Q2HkuwXDsb3zHxqqkPeP003czr_e

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1352	2132	1df2404b219f379389a6297cfb1d53fa.exe	28
PID 2132 wrote to memory of 1352	2132	1df2404b219f379389a6297cfb1d53fa.exe	28
PID 2132 wrote to memory of 1352	2132	1df2404b219f379389a6297cfb1d53fa.exe	28
PID 2132 wrote to memory of 1352	2132	1df2404b219f379389a6297cfb1d53fa.exe	28
PID 1352 wrote to memory of 1148	1352	cmd.exe	30
PID 1352 wrote to memory of 1148	1352	cmd.exe	30
PID 1352 wrote to memory of 1148	1352	cmd.exe	30
PID 1352 wrote to memory of 2552	1352	cmd.exe	31
PID 1352 wrote to memory of 2552	1352	cmd.exe	31
PID 1352 wrote to memory of 2552	1352	cmd.exe	31
PID 2552 wrote to memory of 2096	2552	WScript.exe	32
PID 2552 wrote to memory of 2096	2552	WScript.exe	32
PID 2552 wrote to memory of 2096	2552	WScript.exe	32
PID 2552 wrote to memory of 2096	2552	WScript.exe	32
PID 2552 wrote to memory of 2096	2552	WScript.exe	32
PID 2552 wrote to memory of 2096	2552	WScript.exe	32
PID 2552 wrote to memory of 2096	2552	WScript.exe	32
PID 2552 wrote to memory of 2096	2552	WScript.exe	32

C:\Users\Admin\AppData\Local\Temp\1df2404b219f379389a6297cfb1d53fa.exe
"C:\Users\Admin\AppData\Local\Temp\1df2404b219f379389a6297cfb1d53fa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\843D.tmp\843E.tmp\843F.bat C:\Users\Admin\AppData\Local\Temp\1df2404b219f379389a6297cfb1d53fa.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\system32\certutil.exe
    certutil -decode x "C:\Users\Admin\AppData\Roaming\x.js"
    3⤵
    PID:1148
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\x.js"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\SysWOW64\regsvr32.exe"
      4⤵
      PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\843D.tmp\843E.tmp\843F.bat

Filesize
58KB

MD5
dff8827e630bfb9ce9f0066fcb971cca

SHA1
df6185a4e9f54e218b98d17d4e119474f4ec69b6

SHA256
74b33f1a8cb4de2e3d02c7b4ac1cccfe19a1b305607a5f36fdd6220b2c3354e3

SHA512
34e3e1123293d1b95ac5bbac43556cb2b1960cda0f64abe551a6dab761ad8ac2803f3627513dc85493f91fed1c022c7f1ea0afc4db7a7d5625cc03bcf8307272

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
4KB

MD5
3911e4e682837edd8b2a465b3889c891

SHA1
b2fb777a38820f2af22438524b7f312b3d007ee1

SHA256
16fe6bb7539eab2df2644bdaf686a1da8a1ced3dc42cae10060b17de0d84dbfe

SHA512
2d85d72bd903e4ed4da981eed1b816a15b32f5d4f1043fede5959da78e4197354e01c3cac9df42e92e349d695a0a646d582ffac383f7249777b8f106958d7d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
53KB

MD5
e943c11fb5cac8cdae665d8930c79c44

SHA1
0bdb943d195ccce358d3221fb61b6ddeef6452f0

SHA256
2fcd1200bc020ceb36d2b8a08148e2c168ee99e23b0fa1a1ea23583803d91efb

SHA512
dd38742acfd6b87410d484ea9405a57dc64813f4889cafcbce144982689ed6dad1392368386f2d0c94e2902cf112175c07b1e87f12955a8bafe9d793c9939ea0

Download Submit
C:\Users\Admin\AppData\Roaming\x.js

Filesize
38KB

MD5
4542c1a33fce34b2f5df7f293430ea9c

SHA1
c7a66538ed158d236e869a8c3082228c1a85b23e

SHA256
3e4b33f7d2f3646016dfdd4f820811036e8c91a7b9918dcaf3dd37a092f6a6fa

SHA512
7d5aa4d102b8bad759d7c1078f90bf531b93b40e7ccae870a19cdf492548c1a135b35aaefff18cb24586590c0bc1f4f5d200f393cff47d90267a4b76485b5c59

Download Submit
memory/2096-734-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2096-736-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2552-733-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2552-737-0x000007FEF50E0000-0x000007FEF5A7D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-738-0x000007FEF50E0000-0x000007FEF5A7D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-739-0x00000000040B0000-0x0000000004130000-memory.dmp

Filesize
512KB

Download
memory/2552-740-0x00000000040B0000-0x0000000004130000-memory.dmp

Filesize
512KB

Download
memory/2552-741-0x000007FEF50E0000-0x000007FEF5A7D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing