metasploit | 60ded76c9ab85b956176bd4b7ed1cce5a980981702dec28c82ac74499411206f

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 10:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

71fabb13e31c63bd83afc06eaa14d809.exe
Size

163KB
MD5

71fabb13e31c63bd83afc06eaa14d809
SHA1

358401bfe1cb9d86255d717ed902a28a2dc0efea
SHA256

60ded76c9ab85b956176bd4b7ed1cce5a980981702dec28c82ac74499411206f
SHA512

183c942ab887ed37caf8f6b5bc98ae979486ded8e085a209093b1164d14474e905a205adbd6d9d3fc07dd45f46dff6c1834edc69b1224eaf2790659e462760bb
SSDEEP

3072:OzUy1ADhyMMQ/HMm3nQuTz5U0Ofr2AUx4bzWKeH3tMCmzsaz:Oz5qIMMQ/Hj3Qg112rhUxl/3thEse

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\sysdrv32.sys	svchost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\sysdrv32.sys	svchost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\sysdrv32.sys	svchost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\sysdrv32.sys	svchost.exe

Deletes itself 1 IoCs

pid	Process
2412	svchost.exe

Executes dropped EXE 37 IoCs

pid	Process
2412	svchost.exe
4724	svchost.exe
4164	svchost.exe
1244	svchost.exe
3836	svchost.exe
4500	svchost.exe
4504	svchost.exe
2648	svchost.exe
556	svchost.exe
4844	svchost.exe
4552	svchost.exe
4112	svchost.exe
1252	svchost.exe
3176	svchost.exe
544	svchost.exe
688	svchost.exe
4556	svchost.exe
3228	svchost.exe
4548	svchost.exe
4216	svchost.exe
208	svchost.exe
1700	svchost.exe
3732	svchost.exe
4448	svchost.exe
4108	svchost.exe
2552	svchost.exe
2304	svchost.exe
4440	svchost.exe
4372	svchost.exe
2680	svchost.exe
4248	svchost.exe
1552	svchost.exe
4700	svchost.exe
2688	svchost.exe
4152	svchost.exe
2204	svchost.exe
1388	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\security\svchost.exe	71fabb13e31c63bd83afc06eaa14d809.exe
File opened for modification	C:\Windows\security\svchost.exe	71fabb13e31c63bd83afc06eaa14d809.exe

C:\Users\Admin\AppData\Local\Temp\71fabb13e31c63bd83afc06eaa14d809.exe
"C:\Users\Admin\AppData\Local\Temp\71fabb13e31c63bd83afc06eaa14d809.exe"
1⤵
- Drops file in Windows directory
PID:2044

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Drops file in Drivers directory
- Deletes itself
- Executes dropped EXE
PID:2412

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:4724

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:1244

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:3836

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:2648

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:556

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:4112

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:1252

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:3176

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:544

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:688

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:4216

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:208

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:1700

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:3732

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:4448

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:4248

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:4152

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:2204

C:\Windows\security\svchost.exe
"C:\Windows\security\svchost.exe"
1⤵
- Executes dropped EXE
PID:1388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\security\svchost.exe

Filesize
163KB

MD5
71fabb13e31c63bd83afc06eaa14d809

SHA1
358401bfe1cb9d86255d717ed902a28a2dc0efea

SHA256
60ded76c9ab85b956176bd4b7ed1cce5a980981702dec28c82ac74499411206f

SHA512
183c942ab887ed37caf8f6b5bc98ae979486ded8e085a209093b1164d14474e905a205adbd6d9d3fc07dd45f46dff6c1834edc69b1224eaf2790659e462760bb

Download Submit
C:\Windows\security\svchost.exe

Filesize
128KB

MD5
f53794a7fa72565a75f4cc99fd043425

SHA1
3fe515d84c3f5c8c1aaf2a61f0ba4446250b1833

SHA256
381f54fea42617d473e1572040e2fcaf3f0c04fb90f0c8f91c6f82dfc2f64b8b

SHA512
616f5d960fe459794d20b32c55bab6b06fc3b27a5a7281575a838b77e4ee6450a9a7e891a517cc1577baa719473e865b302d2eba81152bc43db70796a1b18fbb

Download Submit
memory/208-58-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/544-41-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/544-40-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/556-26-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/556-27-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/688-44-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/688-43-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/1244-14-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/1244-16-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/1252-36-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/1252-35-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/1388-98-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/1552-85-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/1700-61-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/1700-60-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/2044-0-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/2044-5-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/2204-96-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/2304-73-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/2412-7-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/2552-71-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/2648-24-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/2680-80-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/2688-90-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/2688-91-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/3176-38-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/3228-50-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/3228-49-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/3732-64-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/3732-63-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/3836-18-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4108-69-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4112-33-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4152-94-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4152-93-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4164-12-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4216-56-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4216-55-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4248-83-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4248-82-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4372-77-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4372-78-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4440-75-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4448-67-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4448-66-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4500-20-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4504-22-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4548-53-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4548-52-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4552-31-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4556-46-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4556-47-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4700-87-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4700-88-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4724-10-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4724-9-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download
memory/4844-29-0x00000000003E0000-0x0000000000A32000-memory.dmp

Filesize
6.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads