metasploit | 27a1143fbf26ee210e3bf00181227bd7ce1bfd11179a6288d4f66c25824c59b6

General

Target

41207706cf37b8cbef2f1278c70c08cf.exe
Size

144KB
MD5

41207706cf37b8cbef2f1278c70c08cf
SHA1

3561a9a0d49e03031fc06f20d5050623cdf110c4
SHA256

27a1143fbf26ee210e3bf00181227bd7ce1bfd11179a6288d4f66c25824c59b6
SHA512

03f1ca1c7f4e96d69abae2926eb13b4c7b226ea12b9d8292d9811e2b906bc09f15d10f3db8eeda780fcd2ee7708331073432b394087e2a861ddc0237119cd639
SSDEEP

3072:Bpg77mW1Z3Tv7BcUBY9CZ7LBp74AXJFore2/zdWpP3sUhy2bq:K9LBp74AXH0/WlIU

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 2 IoCs

pid	Process
1780	csrss.exe
2612	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remote Registry Service = "csrss.exe"	41207706cf37b8cbef2f1278c70c08cf.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 780 set thread context of 2408	780	41207706cf37b8cbef2f1278c70c08cf.exe	19
PID 1780 set thread context of 2612	1780	csrss.exe	17

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\csrss.exe	41207706cf37b8cbef2f1278c70c08cf.exe
File opened for modification	C:\Windows\csrss.exe	41207706cf37b8cbef2f1278c70c08cf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
780	41207706cf37b8cbef2f1278c70c08cf.exe
1780	csrss.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 2408	780	41207706cf37b8cbef2f1278c70c08cf.exe	19
PID 780 wrote to memory of 2408	780	41207706cf37b8cbef2f1278c70c08cf.exe	19
PID 780 wrote to memory of 2408	780	41207706cf37b8cbef2f1278c70c08cf.exe	19
PID 780 wrote to memory of 2408	780	41207706cf37b8cbef2f1278c70c08cf.exe	19
PID 780 wrote to memory of 2408	780	41207706cf37b8cbef2f1278c70c08cf.exe	19
PID 780 wrote to memory of 2408	780	41207706cf37b8cbef2f1278c70c08cf.exe	19
PID 780 wrote to memory of 2408	780	41207706cf37b8cbef2f1278c70c08cf.exe	19
PID 780 wrote to memory of 2408	780	41207706cf37b8cbef2f1278c70c08cf.exe	19
PID 780 wrote to memory of 2408	780	41207706cf37b8cbef2f1278c70c08cf.exe	19
PID 2408 wrote to memory of 1780	2408	41207706cf37b8cbef2f1278c70c08cf.exe	18
PID 2408 wrote to memory of 1780	2408	41207706cf37b8cbef2f1278c70c08cf.exe	18
PID 2408 wrote to memory of 1780	2408	41207706cf37b8cbef2f1278c70c08cf.exe	18
PID 2408 wrote to memory of 1780	2408	41207706cf37b8cbef2f1278c70c08cf.exe	18
PID 1780 wrote to memory of 2612	1780	csrss.exe	17
PID 1780 wrote to memory of 2612	1780	csrss.exe	17
PID 1780 wrote to memory of 2612	1780	csrss.exe	17
PID 1780 wrote to memory of 2612	1780	csrss.exe	17
PID 1780 wrote to memory of 2612	1780	csrss.exe	17
PID 1780 wrote to memory of 2612	1780	csrss.exe	17
PID 1780 wrote to memory of 2612	1780	csrss.exe	17
PID 1780 wrote to memory of 2612	1780	csrss.exe	17
PID 1780 wrote to memory of 2612	1780	csrss.exe	17

C:\Users\Admin\AppData\Local\Temp\41207706cf37b8cbef2f1278c70c08cf.exe
"C:\Users\Admin\AppData\Local\Temp\41207706cf37b8cbef2f1278c70c08cf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\41207706cf37b8cbef2f1278c70c08cf.exe
  "C:\Users\Admin\AppData\Local\Temp\41207706cf37b8cbef2f1278c70c08cf.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2408

C:\Windows\csrss.exe
"C:\Windows\csrss.exe"
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\csrss.exe
"C:\Windows\csrss.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\csrss.exe

Filesize
6KB

MD5
92f7631f35115f66c5519cbc03ff0276

SHA1
5b5e989ca904cd65d1e0a134a6ead3e231b7950b

SHA256
cf7e3f82cc2f54456cc85451362ebd5fdc613c211cb5191f869c9b9b9e363391

SHA512
482a0536b67933ac4c3006066cbd942053dae2880db6c85af4b4dff5c452dfc0fb9cfb99732a28ea4ec3fd578dbdc2d3d3bfcc8aaffc02540f3c93e38db988e5

Download Submit
C:\Windows\csrss.exe

Filesize
6KB

MD5
7e5fd32acb3a14bbc99636e590080352

SHA1
47f03f80e3cdbc78cad5116b8e3f49856d19b998

SHA256
dd6536e80148f7b2e071ee7bfa5e8cc8e4fac2b9a4ee03fb0dd5898891b9e6b4

SHA512
b2eab9efc1580002f113d382b97648a32f531b737742470736b33cce92729f858c901f0224e5f83cae2fd53326d5d214deef5e0a0ed33b571dacb5f542b8bdf9

Download Submit
C:\Windows\csrss.exe

Filesize
15KB

MD5
1dddda7cf3434bc59a5a0c8b060b736a

SHA1
f8ba05430ef5f98f6922c2479782aff50b50e33f

SHA256
6b7c3794599d7b65148ae2ac7928e11b7e04e1ee2711294c4be33eb2c28e4f99

SHA512
47db76ffb8172e693625397bb51d2309806fe058d0f7f2bc9257be9344d47b7b03e2a89fa2b37a32e451065a210af4647b36aacee4c07d55cb2468354cd55cdb

Download Submit
memory/2408-41-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2408-10-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2408-2-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2408-6-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2408-14-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2408-13-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2408-11-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2408-4-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2408-8-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2612-40-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2612-39-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2612-43-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2612-46-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2612-49-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2612-50-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads