metasploit | 82ecbaa97f176fc0115ac32d7a7c4cfee4585bc84eb21cd6848a0d01248b2779

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 23:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4772c058861a05be7a7fd654931e3c25.exe
Size

374KB
MD5

4772c058861a05be7a7fd654931e3c25
SHA1

edf463fe1512dc7509203f519a4afcfb475088db
SHA256

82ecbaa97f176fc0115ac32d7a7c4cfee4585bc84eb21cd6848a0d01248b2779
SHA512

79179f20d97eb2ba40c3806cf93ad5d70ffcbb18209b4ec21a8d374abf627244c54ef73f0814b605dfd8bb02061645a2d8853df1915bc7c2b2a5672723c7da40
SSDEEP

6144:lDWHN0BEEbZX0Jz8RPR1iL/CW3e0dZfFgCZTdsmnElxEI8y8t7mJHbQ6rpMzgZYK:ciZX0JzSPRa1dTdxGmnOxH8TlaQww8tp

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 10 IoCs

pid	Process
1256	wuauclt11.exe
796	wuauclt11.exe
2352	wuauclt11.exe
2120	wuauclt11.exe
1860	wuauclt11.exe
1036	wuauclt11.exe
1856	wuauclt11.exe
2756	wuauclt11.exe
2240	wuauclt11.exe
1404	wuauclt11.exe

Loads dropped DLL 20 IoCs

pid	Process
2848	4772c058861a05be7a7fd654931e3c25.exe
2848	4772c058861a05be7a7fd654931e3c25.exe
1256	wuauclt11.exe
1256	wuauclt11.exe
796	wuauclt11.exe
796	wuauclt11.exe
2352	wuauclt11.exe
2352	wuauclt11.exe
2120	wuauclt11.exe
2120	wuauclt11.exe
1860	wuauclt11.exe
1860	wuauclt11.exe
1036	wuauclt11.exe
1036	wuauclt11.exe
1856	wuauclt11.exe
1856	wuauclt11.exe
2756	wuauclt11.exe
2756	wuauclt11.exe
2240	wuauclt11.exe
2240	wuauclt11.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File created	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File created	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File created	C:\Windows\SysWOW64\wuauclt11.exe	4772c058861a05be7a7fd654931e3c25.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File created	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File created	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File created	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt11.exe	4772c058861a05be7a7fd654931e3c25.exe
File created	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File created	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File created	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File created	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File created	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt11.exe	wuauclt11.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1256	2848	4772c058861a05be7a7fd654931e3c25.exe	28
PID 2848 wrote to memory of 1256	2848	4772c058861a05be7a7fd654931e3c25.exe	28
PID 2848 wrote to memory of 1256	2848	4772c058861a05be7a7fd654931e3c25.exe	28
PID 2848 wrote to memory of 1256	2848	4772c058861a05be7a7fd654931e3c25.exe	28
PID 1256 wrote to memory of 796	1256	wuauclt11.exe	29
PID 1256 wrote to memory of 796	1256	wuauclt11.exe	29
PID 1256 wrote to memory of 796	1256	wuauclt11.exe	29
PID 1256 wrote to memory of 796	1256	wuauclt11.exe	29
PID 796 wrote to memory of 2352	796	wuauclt11.exe	30
PID 796 wrote to memory of 2352	796	wuauclt11.exe	30
PID 796 wrote to memory of 2352	796	wuauclt11.exe	30
PID 796 wrote to memory of 2352	796	wuauclt11.exe	30
PID 2352 wrote to memory of 2120	2352	wuauclt11.exe	33
PID 2352 wrote to memory of 2120	2352	wuauclt11.exe	33
PID 2352 wrote to memory of 2120	2352	wuauclt11.exe	33
PID 2352 wrote to memory of 2120	2352	wuauclt11.exe	33
PID 2120 wrote to memory of 1860	2120	wuauclt11.exe	34
PID 2120 wrote to memory of 1860	2120	wuauclt11.exe	34
PID 2120 wrote to memory of 1860	2120	wuauclt11.exe	34
PID 2120 wrote to memory of 1860	2120	wuauclt11.exe	34
PID 1860 wrote to memory of 1036	1860	wuauclt11.exe	35
PID 1860 wrote to memory of 1036	1860	wuauclt11.exe	35
PID 1860 wrote to memory of 1036	1860	wuauclt11.exe	35
PID 1860 wrote to memory of 1036	1860	wuauclt11.exe	35
PID 1036 wrote to memory of 1856	1036	wuauclt11.exe	36
PID 1036 wrote to memory of 1856	1036	wuauclt11.exe	36
PID 1036 wrote to memory of 1856	1036	wuauclt11.exe	36
PID 1036 wrote to memory of 1856	1036	wuauclt11.exe	36
PID 1856 wrote to memory of 2756	1856	wuauclt11.exe	37
PID 1856 wrote to memory of 2756	1856	wuauclt11.exe	37
PID 1856 wrote to memory of 2756	1856	wuauclt11.exe	37
PID 1856 wrote to memory of 2756	1856	wuauclt11.exe	37
PID 2756 wrote to memory of 2240	2756	wuauclt11.exe	38
PID 2756 wrote to memory of 2240	2756	wuauclt11.exe	38
PID 2756 wrote to memory of 2240	2756	wuauclt11.exe	38
PID 2756 wrote to memory of 2240	2756	wuauclt11.exe	38
PID 2240 wrote to memory of 1404	2240	wuauclt11.exe	39
PID 2240 wrote to memory of 1404	2240	wuauclt11.exe	39
PID 2240 wrote to memory of 1404	2240	wuauclt11.exe	39
PID 2240 wrote to memory of 1404	2240	wuauclt11.exe	39

C:\Users\Admin\AppData\Local\Temp\4772c058861a05be7a7fd654931e3c25.exe
"C:\Users\Admin\AppData\Local\Temp\4772c058861a05be7a7fd654931e3c25.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\wuauclt11.exe
  C:\Windows\system32\wuauclt11.exe 500 "C:\Users\Admin\AppData\Local\Temp\4772c058861a05be7a7fd654931e3c25.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\wuauclt11.exe
    C:\Windows\system32\wuauclt11.exe 524 "C:\Windows\SysWOW64\wuauclt11.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\SysWOW64\wuauclt11.exe
      C:\Windows\system32\wuauclt11.exe 528 "C:\Windows\SysWOW64\wuauclt11.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\SysWOW64\wuauclt11.exe
        
        C:\Windows\system32\wuauclt11.exe 532 "C:\Windows\SysWOW64\wuauclt11.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2120
      - C:\Windows\SysWOW64\wuauclt11.exe
        
        C:\Windows\system32\wuauclt11.exe 536 "C:\Windows\SysWOW64\wuauclt11.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\wuauclt11.exe
        
        C:\Windows\system32\wuauclt11.exe 540 "C:\Windows\SysWOW64\wuauclt11.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\wuauclt11.exe
        
        C:\Windows\system32\wuauclt11.exe 544 "C:\Windows\SysWOW64\wuauclt11.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\wuauclt11.exe
        
        C:\Windows\system32\wuauclt11.exe 548 "C:\Windows\SysWOW64\wuauclt11.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\wuauclt11.exe
        
        C:\Windows\system32\wuauclt11.exe 552 "C:\Windows\SysWOW64\wuauclt11.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\wuauclt11.exe
        
        C:\Windows\system32\wuauclt11.exe 556 "C:\Windows\SysWOW64\wuauclt11.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wuauclt11.exe

Filesize
374KB

MD5
4772c058861a05be7a7fd654931e3c25

SHA1
edf463fe1512dc7509203f519a4afcfb475088db

SHA256
82ecbaa97f176fc0115ac32d7a7c4cfee4585bc84eb21cd6848a0d01248b2779

SHA512
79179f20d97eb2ba40c3806cf93ad5d70ffcbb18209b4ec21a8d374abf627244c54ef73f0814b605dfd8bb02061645a2d8853df1915bc7c2b2a5672723c7da40

Download Submit
memory/796-176-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/1256-74-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/1256-70-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/1256-69-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/1256-66-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/1256-75-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/1256-68-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/1256-73-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/1256-72-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/1256-71-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/1856-683-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2120-209-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2240-838-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2756-693-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2848-32-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-42-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-13-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2848-14-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/2848-17-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2848-15-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/2848-16-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2848-18-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/2848-19-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/2848-20-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/2848-21-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/2848-22-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2848-23-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/2848-25-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/2848-24-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2848-26-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/2848-27-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/2848-28-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/2848-30-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/2848-29-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2848-10-0x00000000027D0000-0x00000000027DA000-memory.dmp

Filesize
40KB

Download
memory/2848-35-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-37-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-38-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-39-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-40-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-41-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-12-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/2848-43-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-44-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-45-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-46-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-47-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-48-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-49-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-50-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-51-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-52-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-53-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-55-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-62-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2848-11-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2848-8-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2848-9-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2848-6-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2848-7-0x00000000027E0000-0x00000000027E5000-memory.dmp

Filesize
20KB

Download
memory/2848-4-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2848-5-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2848-3-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2848-2-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2848-1-0x0000000000290000-0x00000000002DB000-memory.dmp

Filesize
300KB

Download
memory/2848-0-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2848-64-0x0000000000290000-0x00000000002DB000-memory.dmp

Filesize
300KB

Download
memory/2848-63-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-60-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/2848-65-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download