metasploit | d4840236585babf93f92d468982227ece68dee868f4fd0ec652e0174445ea523

Analysis

max time kernel
137s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 21:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1ca1d6990f84d7850e37ef989b4a4a36.exe
Size

127KB
MD5

1ca1d6990f84d7850e37ef989b4a4a36
SHA1

44328b63f079531e49a65bf013fb6ac225b28fcd
SHA256

d4840236585babf93f92d468982227ece68dee868f4fd0ec652e0174445ea523
SHA512

9e0876d78764ce53263eb322178633795231b6d998c987aa7f92cbf9a42cb3896a21628150a596e932321ad532c1af6477c24a61312a4f26f5ad9b6e1595f411
SSDEEP

3072:XL8qYm/aRh97pXPSIoJNHMRh3pJECgXreQ0F9X3F:XLOOaRL7TowECw0FxF

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 10 IoCs

pid	Process
1920	csrrss.exe
2664	csrrss.exe
2464	csrrss.exe
2500	csrrss.exe
2192	csrrss.exe
1536	csrrss.exe
2016	csrrss.exe
2704	csrrss.exe
580	csrrss.exe
692	csrrss.exe

Loads dropped DLL 20 IoCs

pid	Process
2940	1ca1d6990f84d7850e37ef989b4a4a36.exe
2940	1ca1d6990f84d7850e37ef989b4a4a36.exe
1920	csrrss.exe
1920	csrrss.exe
2664	csrrss.exe
2664	csrrss.exe
2464	csrrss.exe
2464	csrrss.exe
2500	csrrss.exe
2500	csrrss.exe
2192	csrrss.exe
2192	csrrss.exe
1536	csrrss.exe
1536	csrrss.exe
2016	csrrss.exe
2016	csrrss.exe
2704	csrrss.exe
2704	csrrss.exe
580	csrrss.exe
580	csrrss.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File opened for modification	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File created	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File created	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File opened for modification	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File opened for modification	C:\Windows\SysWOW64\csrrss.exe	1ca1d6990f84d7850e37ef989b4a4a36.exe
File opened for modification	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File opened for modification	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File created	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File opened for modification	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File opened for modification	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File created	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File created	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File opened for modification	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File created	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File opened for modification	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File created	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File created	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File created	C:\Windows\SysWOW64\csrrss.exe	1ca1d6990f84d7850e37ef989b4a4a36.exe
File opened for modification	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File created	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe
File opened for modification	C:\Windows\SysWOW64\csrrss.exe	csrrss.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1920	2940	1ca1d6990f84d7850e37ef989b4a4a36.exe	28
PID 2940 wrote to memory of 1920	2940	1ca1d6990f84d7850e37ef989b4a4a36.exe	28
PID 2940 wrote to memory of 1920	2940	1ca1d6990f84d7850e37ef989b4a4a36.exe	28
PID 2940 wrote to memory of 1920	2940	1ca1d6990f84d7850e37ef989b4a4a36.exe	28
PID 1920 wrote to memory of 2664	1920	csrrss.exe	29
PID 1920 wrote to memory of 2664	1920	csrrss.exe	29
PID 1920 wrote to memory of 2664	1920	csrrss.exe	29
PID 1920 wrote to memory of 2664	1920	csrrss.exe	29
PID 2664 wrote to memory of 2464	2664	csrrss.exe	30
PID 2664 wrote to memory of 2464	2664	csrrss.exe	30
PID 2664 wrote to memory of 2464	2664	csrrss.exe	30
PID 2664 wrote to memory of 2464	2664	csrrss.exe	30
PID 2464 wrote to memory of 2500	2464	csrrss.exe	31
PID 2464 wrote to memory of 2500	2464	csrrss.exe	31
PID 2464 wrote to memory of 2500	2464	csrrss.exe	31
PID 2464 wrote to memory of 2500	2464	csrrss.exe	31
PID 2500 wrote to memory of 2192	2500	csrrss.exe	34
PID 2500 wrote to memory of 2192	2500	csrrss.exe	34
PID 2500 wrote to memory of 2192	2500	csrrss.exe	34
PID 2500 wrote to memory of 2192	2500	csrrss.exe	34
PID 2192 wrote to memory of 1536	2192	csrrss.exe	35
PID 2192 wrote to memory of 1536	2192	csrrss.exe	35
PID 2192 wrote to memory of 1536	2192	csrrss.exe	35
PID 2192 wrote to memory of 1536	2192	csrrss.exe	35
PID 1536 wrote to memory of 2016	1536	csrrss.exe	36
PID 1536 wrote to memory of 2016	1536	csrrss.exe	36
PID 1536 wrote to memory of 2016	1536	csrrss.exe	36
PID 1536 wrote to memory of 2016	1536	csrrss.exe	36
PID 2016 wrote to memory of 2704	2016	csrrss.exe	37
PID 2016 wrote to memory of 2704	2016	csrrss.exe	37
PID 2016 wrote to memory of 2704	2016	csrrss.exe	37
PID 2016 wrote to memory of 2704	2016	csrrss.exe	37
PID 2704 wrote to memory of 580	2704	csrrss.exe	38
PID 2704 wrote to memory of 580	2704	csrrss.exe	38
PID 2704 wrote to memory of 580	2704	csrrss.exe	38
PID 2704 wrote to memory of 580	2704	csrrss.exe	38
PID 580 wrote to memory of 692	580	csrrss.exe	39
PID 580 wrote to memory of 692	580	csrrss.exe	39
PID 580 wrote to memory of 692	580	csrrss.exe	39
PID 580 wrote to memory of 692	580	csrrss.exe	39

C:\Users\Admin\AppData\Local\Temp\1ca1d6990f84d7850e37ef989b4a4a36.exe
"C:\Users\Admin\AppData\Local\Temp\1ca1d6990f84d7850e37ef989b4a4a36.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\csrrss.exe
  C:\Windows\system32\csrrss.exe 488 "C:\Users\Admin\AppData\Local\Temp\1ca1d6990f84d7850e37ef989b4a4a36.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\csrrss.exe
    C:\Windows\system32\csrrss.exe 528 "C:\Windows\SysWOW64\csrrss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\csrrss.exe
      C:\Windows\system32\csrrss.exe 532 "C:\Windows\SysWOW64\csrrss.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\csrrss.exe
        
        C:\Windows\system32\csrrss.exe 536 "C:\Windows\SysWOW64\csrrss.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\SysWOW64\csrrss.exe
        
        C:\Windows\system32\csrrss.exe 552 "C:\Windows\SysWOW64\csrrss.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\csrrss.exe
        
        C:\Windows\system32\csrrss.exe 540 "C:\Windows\SysWOW64\csrrss.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\csrrss.exe
        
        C:\Windows\system32\csrrss.exe 560 "C:\Windows\SysWOW64\csrrss.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\csrrss.exe
        
        C:\Windows\system32\csrrss.exe 544 "C:\Windows\SysWOW64\csrrss.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\csrrss.exe
        
        C:\Windows\system32\csrrss.exe 576 "C:\Windows\SysWOW64\csrrss.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\csrrss.exe
        
        C:\Windows\system32\csrrss.exe 548 "C:\Windows\SysWOW64\csrrss.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\csrrss.exe

Filesize
127KB

MD5
1ca1d6990f84d7850e37ef989b4a4a36

SHA1
44328b63f079531e49a65bf013fb6ac225b28fcd

SHA256
d4840236585babf93f92d468982227ece68dee868f4fd0ec652e0174445ea523

SHA512
9e0876d78764ce53263eb322178633795231b6d998c987aa7f92cbf9a42cb3896a21628150a596e932321ad532c1af6477c24a61312a4f26f5ad9b6e1595f411

Download Submit
memory/580-59-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/580-53-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/692-58-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1536-44-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1536-38-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1920-19-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2016-49-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2016-43-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2192-33-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2192-39-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2464-29-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2464-23-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2500-34-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2500-28-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2664-24-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2664-18-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2704-48-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2704-54-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2940-0-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2940-14-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2940-11-0x0000000002940000-0x0000000002A3B000-memory.dmp

Filesize
1004KB

Download
memory/2940-5-0x0000000002940000-0x0000000002A3B000-memory.dmp

Filesize
1004KB

Download