metasploit | 30cb4b61563bd49db7d74d18c532ed48409cebf9d8c827b24363537c14cdd124

General

Target

1df2404b219f379389a6297cfb1d53fa.exe
Size

149KB
MD5

1df2404b219f379389a6297cfb1d53fa
SHA1

d7847a487795efd429428012a935c447e75b4040
SHA256

30cb4b61563bd49db7d74d18c532ed48409cebf9d8c827b24363537c14cdd124
SHA512

3bb8f84885777f04a1081614f0f9dfced8b97389406b908abf581b062b588872ab012fdddbb7d41e2ce690f91ee3f6d713f4047af56f35d3d7584f4619cd6dfd
SSDEEP

3072:eliUPXC8k1nJrX+fNTBf7iAT2Rc2Y7zBTLwYQbOSD12VgF:ezBkLL2NTBTiYCc2YfBISSD12V

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_winhttp

C2

https://103.129.196.29:23351/uhxeugBw/4pV-7FpcH2Huc-9yjo632Q2HkuwXDsb3zHxqqkPeP003czr_e

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	1df2404b219f379389a6297cfb1d53fa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1388	1516	1df2404b219f379389a6297cfb1d53fa.exe	91
PID 1516 wrote to memory of 1388	1516	1df2404b219f379389a6297cfb1d53fa.exe	91
PID 1388 wrote to memory of 3032	1388	cmd.exe	94
PID 1388 wrote to memory of 3032	1388	cmd.exe	94
PID 1388 wrote to memory of 4788	1388	cmd.exe	95
PID 1388 wrote to memory of 4788	1388	cmd.exe	95
PID 4788 wrote to memory of 1796	4788	WScript.exe	98
PID 4788 wrote to memory of 1796	4788	WScript.exe	98
PID 4788 wrote to memory of 1796	4788	WScript.exe	98
PID 4788 wrote to memory of 1796	4788	WScript.exe	98

C:\Users\Admin\AppData\Local\Temp\1df2404b219f379389a6297cfb1d53fa.exe
"C:\Users\Admin\AppData\Local\Temp\1df2404b219f379389a6297cfb1d53fa.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B834.tmp\B835.tmp\B836.bat C:\Users\Admin\AppData\Local\Temp\1df2404b219f379389a6297cfb1d53fa.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\system32\certutil.exe
    certutil -decode x "C:\Users\Admin\AppData\Roaming\x.js"
    3⤵
    PID:3032
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\x.js"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\SysWOW64\regsvr32.exe"
      4⤵
      PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B834.tmp\B835.tmp\B836.bat

Filesize
58KB

MD5
dff8827e630bfb9ce9f0066fcb971cca

SHA1
df6185a4e9f54e218b98d17d4e119474f4ec69b6

SHA256
74b33f1a8cb4de2e3d02c7b4ac1cccfe19a1b305607a5f36fdd6220b2c3354e3

SHA512
34e3e1123293d1b95ac5bbac43556cb2b1960cda0f64abe551a6dab761ad8ac2803f3627513dc85493f91fed1c022c7f1ea0afc4db7a7d5625cc03bcf8307272

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
1KB

MD5
8995b42570b4dc841d7f26107613e59a

SHA1
a7061a309c11ba4bf6b4c72348d21dcb3e2c5de9

SHA256
24cc5f51754ab59bc3e3002c3c50e8ae6d25eaae63b6625c0aff12abc6138b73

SHA512
41bf16bf46cb4c124ffb81adf8fbae2f9bf7603dceaf4e90060b4ccc5653129da03c8e15cfbd9a6557612fa861dcbff02faeae158899be32213777b509faf56c

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
3KB

MD5
44c713c3e0de40256154f28c31040540

SHA1
89b40e3cfed10487f997c62b63f487fb8e1cc3e6

SHA256
aa93eba1c7ca5dff6abffe1c725e46cc1d0e13c7403842ad15f0c03aa74be9c4

SHA512
070a416a2958073d308a77fa69bb87c6dd2dd18ccd0c1bd9522d263921b8ea0f41af52d70b4f915c087987c4f721db55523293704440d8414c6ab52cec2583c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
4KB

MD5
e42667c9b9efa03cc3a4a236015622fd

SHA1
596249cae7bba6cb2e651268ba25299098437f93

SHA256
ae38620136fae3abb23d3fd6b26b6177268351821784aa98df46c607b9efcf5e

SHA512
85a35da35e604b8feed50669ee9cc1edcddcbe5199bc82593ac61c857144cc5f59c5dd62c796bd827bd0df84f909cd49abc79ec9f0637b177bfff6d578c3b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
1KB

MD5
ea3620081f0af32a629ffaff4ddc4aa3

SHA1
f62731a9335e39b5c85974902b1a096f8b79a94e

SHA256
907d4364a440b669febf70c5aca7db9612f6bf15a50c507031e094231bb92eec

SHA512
94c58d8f91dce0fdb9b40ba3ec206e2bcdda20ca593c0645edf9ebb8f99f2b2c64cedefaba6aab8547a318444d40797176c72e92efb4c286ad98b6bf24efb029

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
53KB

MD5
e943c11fb5cac8cdae665d8930c79c44

SHA1
0bdb943d195ccce358d3221fb61b6ddeef6452f0

SHA256
2fcd1200bc020ceb36d2b8a08148e2c168ee99e23b0fa1a1ea23583803d91efb

SHA512
dd38742acfd6b87410d484ea9405a57dc64813f4889cafcbce144982689ed6dad1392368386f2d0c94e2902cf112175c07b1e87f12955a8bafe9d793c9939ea0

Download Submit
C:\Users\Admin\AppData\Roaming\x.js

Filesize
38KB

MD5
4542c1a33fce34b2f5df7f293430ea9c

SHA1
c7a66538ed158d236e869a8c3082228c1a85b23e

SHA256
3e4b33f7d2f3646016dfdd4f820811036e8c91a7b9918dcaf3dd37a092f6a6fa

SHA512
7d5aa4d102b8bad759d7c1078f90bf531b93b40e7ccae870a19cdf492548c1a135b35aaefff18cb24586590c0bc1f4f5d200f393cff47d90267a4b76485b5c59

Download Submit
memory/1796-712-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/4788-707-0x00007FF976A40000-0x00007FF9773E1000-memory.dmp

Filesize
9.6MB

Download
memory/4788-708-0x0000020877090000-0x00000208770A0000-memory.dmp

Filesize
64KB

Download
memory/4788-709-0x00007FF976A40000-0x00007FF9773E1000-memory.dmp

Filesize
9.6MB

Download
memory/4788-710-0x0000020877B20000-0x0000020877D1A000-memory.dmp

Filesize
2.0MB

Download
memory/4788-711-0x0000020876E70000-0x0000020876E78000-memory.dmp

Filesize
32KB

Download
memory/4788-713-0x0000020877090000-0x00000208770A0000-memory.dmp

Filesize
64KB

Download
memory/4788-715-0x00007FF976A40000-0x00007FF9773E1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing