metasploit | 1192a8bd32d59f04728dbfa094fc0ed752e156898a374eb706622c9e2f34eacb

General

Target

7aaee3faa3604e4360a018e1b5b00876.exe
Size

171KB
MD5

7aaee3faa3604e4360a018e1b5b00876
SHA1

30095527cb375c29ab38e183d13ff076951f29c7
SHA256

1192a8bd32d59f04728dbfa094fc0ed752e156898a374eb706622c9e2f34eacb
SHA512

30fc3abc1dcda89c348a225e072b0585a4c0cfbd6b895cf9ef147d14e0c3917ca67788fc146458aa0a8b46c195f437d1ff3373a79adbc5dbfaf27f5b197f3114
SSDEEP

3072:F9daQL2x73UcR0USwtXlvOtTp3XZV3ai7OZ32sztZ9TxInVmydcfU:Fr3L47kcR0USwkp3XnKi7a3ZGKfU

Score

10^/10

metasploit backdoor evasion persistence trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	wmphtb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmphtb.exe = "C:\\Windows\\SysWOW64\\wmphtb.exe:*:Enabled:WinMedia iServer"	wmphtb.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List	wmphtb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmphtb.exe = "C:\\Windows\\SysWOW64\\wmphtb.exe:*:Enabled:WinMedia iServer"	wmphtb.exe

Deletes itself 1 IoCs

pid	Process
1760	wmphtb.exe

Executes dropped EXE 2 IoCs

pid	Process
2072	wmphtb.exe
1760	wmphtb.exe

Loads dropped DLL 3 IoCs

pid	Process
3000	7aaee3faa3604e4360a018e1b5b00876.exe
3000	7aaee3faa3604e4360a018e1b5b00876.exe
2072	wmphtb.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3000-4-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3000-7-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3000-6-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3000-10-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3000-13-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3000-12-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3000-11-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3000-36-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1760-39-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1760-42-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1760-45-0x0000000000400000-0x000000000044C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinMedia iServer = "C:\\Windows\\SysWOW64\\wmphtb.exe"	wmphtb.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmphtb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmphtb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	7aaee3faa3604e4360a018e1b5b00876.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	7aaee3faa3604e4360a018e1b5b00876.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wmphtb.exe	7aaee3faa3604e4360a018e1b5b00876.exe
File created	C:\Windows\SysWOW64\wmphtb.exe	7aaee3faa3604e4360a018e1b5b00876.exe
File opened for modification	C:\Windows\SysWOW64\	wmphtb.exe
File opened for modification	C:\Windows\SysWOW64\	7aaee3faa3604e4360a018e1b5b00876.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2932 set thread context of 3000	2932	7aaee3faa3604e4360a018e1b5b00876.exe	28
PID 2072 set thread context of 1760	2072	wmphtb.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3000	7aaee3faa3604e4360a018e1b5b00876.exe
3000	7aaee3faa3604e4360a018e1b5b00876.exe
1760	wmphtb.exe
1760	wmphtb.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 3000	2932	7aaee3faa3604e4360a018e1b5b00876.exe	28
PID 2932 wrote to memory of 3000	2932	7aaee3faa3604e4360a018e1b5b00876.exe	28
PID 2932 wrote to memory of 3000	2932	7aaee3faa3604e4360a018e1b5b00876.exe	28
PID 2932 wrote to memory of 3000	2932	7aaee3faa3604e4360a018e1b5b00876.exe	28
PID 2932 wrote to memory of 3000	2932	7aaee3faa3604e4360a018e1b5b00876.exe	28
PID 2932 wrote to memory of 3000	2932	7aaee3faa3604e4360a018e1b5b00876.exe	28
PID 2932 wrote to memory of 3000	2932	7aaee3faa3604e4360a018e1b5b00876.exe	28
PID 3000 wrote to memory of 2072	3000	7aaee3faa3604e4360a018e1b5b00876.exe	29
PID 3000 wrote to memory of 2072	3000	7aaee3faa3604e4360a018e1b5b00876.exe	29
PID 3000 wrote to memory of 2072	3000	7aaee3faa3604e4360a018e1b5b00876.exe	29
PID 3000 wrote to memory of 2072	3000	7aaee3faa3604e4360a018e1b5b00876.exe	29
PID 2072 wrote to memory of 1760	2072	wmphtb.exe	30
PID 2072 wrote to memory of 1760	2072	wmphtb.exe	30
PID 2072 wrote to memory of 1760	2072	wmphtb.exe	30
PID 2072 wrote to memory of 1760	2072	wmphtb.exe	30
PID 2072 wrote to memory of 1760	2072	wmphtb.exe	30
PID 2072 wrote to memory of 1760	2072	wmphtb.exe	30
PID 2072 wrote to memory of 1760	2072	wmphtb.exe	30
PID 1760 wrote to memory of 1244	1760	wmphtb.exe	22
PID 1760 wrote to memory of 1244	1760	wmphtb.exe	22

C:\Users\Admin\AppData\Local\Temp\7aaee3faa3604e4360a018e1b5b00876.exe
"C:\Users\Admin\AppData\Local\Temp\7aaee3faa3604e4360a018e1b5b00876.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\7aaee3faa3604e4360a018e1b5b00876.exe
  "C:\Users\Admin\AppData\Local\Temp\7aaee3faa3604e4360a018e1b5b00876.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\wmphtb.exe
    "C:\Windows\SysWOW64\wmphtb.exe" C:\Users\Admin\AppData\Local\Temp\7AAEE3~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\wmphtb.exe
      "C:\Windows\SysWOW64\wmphtb.exe" C:\Users\Admin\AppData\Local\Temp\7AAEE3~1.EXE
      4⤵
      Modifies firewall policy service
      Deletes itself
      Executes dropped EXE
      Adds Run key to start application
      Maps connected drives based on registry
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1760

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wmphtb.exe

Filesize
171KB

MD5
7aaee3faa3604e4360a018e1b5b00876

SHA1
30095527cb375c29ab38e183d13ff076951f29c7

SHA256
1192a8bd32d59f04728dbfa094fc0ed752e156898a374eb706622c9e2f34eacb

SHA512
30fc3abc1dcda89c348a225e072b0585a4c0cfbd6b895cf9ef147d14e0c3917ca67788fc146458aa0a8b46c195f437d1ff3373a79adbc5dbfaf27f5b197f3114

Download Submit
memory/1244-44-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/1244-43-0x0000000002940000-0x000000000295E000-memory.dmp

Filesize
120KB

Download
memory/1760-45-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1760-42-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1760-39-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2072-35-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-3-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/3000-6-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3000-11-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3000-19-0x0000000004370000-0x00000000043B1000-memory.dmp

Filesize
260KB

Download
memory/3000-12-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3000-36-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3000-13-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3000-10-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3000-7-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3000-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3000-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads