metasploit | 27a1143fbf26ee210e3bf00181227bd7ce1bfd11179a6288d4f66c25824c59b6

General

Target

41207706cf37b8cbef2f1278c70c08cf.exe
Size

144KB
MD5

41207706cf37b8cbef2f1278c70c08cf
SHA1

3561a9a0d49e03031fc06f20d5050623cdf110c4
SHA256

27a1143fbf26ee210e3bf00181227bd7ce1bfd11179a6288d4f66c25824c59b6
SHA512

03f1ca1c7f4e96d69abae2926eb13b4c7b226ea12b9d8292d9811e2b906bc09f15d10f3db8eeda780fcd2ee7708331073432b394087e2a861ddc0237119cd639
SSDEEP

3072:Bpg77mW1Z3Tv7BcUBY9CZ7LBp74AXJFore2/zdWpP3sUhy2bq:K9LBp74AXH0/WlIU

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 2 IoCs

pid	Process
2760	csrss.exe
3532	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remote Registry Service = "csrss.exe"	41207706cf37b8cbef2f1278c70c08cf.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4944 set thread context of 3156	4944	41207706cf37b8cbef2f1278c70c08cf.exe	49
PID 2760 set thread context of 3532	2760	csrss.exe	60

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\csrss.exe	41207706cf37b8cbef2f1278c70c08cf.exe
File opened for modification	C:\Windows\csrss.exe	41207706cf37b8cbef2f1278c70c08cf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4944	41207706cf37b8cbef2f1278c70c08cf.exe
2760	csrss.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 3156	4944	41207706cf37b8cbef2f1278c70c08cf.exe	49
PID 4944 wrote to memory of 3156	4944	41207706cf37b8cbef2f1278c70c08cf.exe	49
PID 4944 wrote to memory of 3156	4944	41207706cf37b8cbef2f1278c70c08cf.exe	49
PID 4944 wrote to memory of 3156	4944	41207706cf37b8cbef2f1278c70c08cf.exe	49
PID 4944 wrote to memory of 3156	4944	41207706cf37b8cbef2f1278c70c08cf.exe	49
PID 4944 wrote to memory of 3156	4944	41207706cf37b8cbef2f1278c70c08cf.exe	49
PID 4944 wrote to memory of 3156	4944	41207706cf37b8cbef2f1278c70c08cf.exe	49
PID 4944 wrote to memory of 3156	4944	41207706cf37b8cbef2f1278c70c08cf.exe	49
PID 3156 wrote to memory of 2760	3156	41207706cf37b8cbef2f1278c70c08cf.exe	59
PID 3156 wrote to memory of 2760	3156	41207706cf37b8cbef2f1278c70c08cf.exe	59
PID 3156 wrote to memory of 2760	3156	41207706cf37b8cbef2f1278c70c08cf.exe	59
PID 2760 wrote to memory of 3532	2760	csrss.exe	60
PID 2760 wrote to memory of 3532	2760	csrss.exe	60
PID 2760 wrote to memory of 3532	2760	csrss.exe	60
PID 2760 wrote to memory of 3532	2760	csrss.exe	60
PID 2760 wrote to memory of 3532	2760	csrss.exe	60
PID 2760 wrote to memory of 3532	2760	csrss.exe	60
PID 2760 wrote to memory of 3532	2760	csrss.exe	60
PID 2760 wrote to memory of 3532	2760	csrss.exe	60

C:\Users\Admin\AppData\Local\Temp\41207706cf37b8cbef2f1278c70c08cf.exe
"C:\Users\Admin\AppData\Local\Temp\41207706cf37b8cbef2f1278c70c08cf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\41207706cf37b8cbef2f1278c70c08cf.exe
  "C:\Users\Admin\AppData\Local\Temp\41207706cf37b8cbef2f1278c70c08cf.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\csrss.exe
    "C:\Windows\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\csrss.exe
      "C:\Windows\csrss.exe"
      4⤵
      Executes dropped EXE
      PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\csrss.exe

Filesize
14KB

MD5
b6a8da864e1b8f9b522018fd8299ecc6

SHA1
d09b0f9c89d160a5b66958d8253ce2012e7bcf9b

SHA256
236c344c50dfec394ec5c561b423ab6263b4b6b1dc5a02e40b195bf6ba673ba9

SHA512
168eef7be948b8e1b525d02f393c775aaf898ef0e208e8ccd7194c8858f77e8154d5cc75930256be4ce0ffc841a765c93576830584c5b3d8be33feb490d59f1a

Download Submit
C:\Windows\csrss.exe

Filesize
63KB

MD5
b8e2b5a7b01e8f95e954df9ffb7032d5

SHA1
1ee6b7ac4d91eb7559381fe84101e7bfdd3a2622

SHA256
546fd0b351da895244d0f1cde72957a5debf23a795231906a2eff001396788c4

SHA512
7bfa6767f4ecf5372f56c632eddc2f69596e650e88faca9285f2aaf01838480b19285e4c16e16489974b2daaba361d4babebeb2fd62b042c0b6869243d103def

Download Submit
C:\Windows\csrss.exe

Filesize
5KB

MD5
67d3ff463044c0fa6b953b44fadec815

SHA1
4e013bf9bff29e38af398c8b9f4a2a649a974c19

SHA256
9929b01340ef22fd943ce930321f19974d49d50760f64ef005c274d4b8e92f83

SHA512
20140f19ae6d75d24e7c48edd1cd5b4e4c9094c6df48e4dffae1fe3965c1aaf35c4142cce1f2f8b4b2f93ac1635d53fe517de33073a7ab98615f2990f02207b1

Download Submit
memory/3156-19-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3156-5-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3156-4-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3156-2-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3532-13-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3532-18-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3532-16-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3532-17-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3532-21-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3532-23-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3532-24-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3532-25-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3532-27-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3532-28-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3532-32-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3532-33-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3532-34-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads