metasploit | ab0bbc950ef2066a74e80ed1fab7951f2feefbfed35f71f1ff1e6a65273e9bb1

General

Target

8d6821e1b2ca8c76d1d5f15bf4f838a7.exe
Size

143KB
MD5

8d6821e1b2ca8c76d1d5f15bf4f838a7
SHA1

040895bce4309207090f8ae51263f96948643daa
SHA256

ab0bbc950ef2066a74e80ed1fab7951f2feefbfed35f71f1ff1e6a65273e9bb1
SHA512

b7b4c74ad36958e98ed3f961720c74a0908023639f155fb5b06b1a8c0ab867d012315bf8abca1d636d199d6e630036a9413a9f1ae901e4e1b4076a9c3df0cf4b
SSDEEP

3072:AMGIkXgig5iuvINdcsnIKaHiyI0TelORghzIdeZw:AMGI9igGNaskmvoglIdeK

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Deletes itself 1 IoCs

pid	Process
2812	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2708	svchost.exe
2840	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2096	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe
2096	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe
2708	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 2096	2224	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	28
PID 2708 set thread context of 2840	2708	svchost.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe
Token: SeShutdownPrivilege	2096	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe
Token: SeDebugPrivilege	2840	svchost.exe
Token: SeShutdownPrivilege	2840	svchost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2096	2224	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	28
PID 2224 wrote to memory of 2096	2224	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	28
PID 2224 wrote to memory of 2096	2224	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	28
PID 2224 wrote to memory of 2096	2224	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	28
PID 2224 wrote to memory of 2096	2224	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	28
PID 2224 wrote to memory of 2096	2224	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	28
PID 2096 wrote to memory of 2708	2096	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	29
PID 2096 wrote to memory of 2708	2096	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	29
PID 2096 wrote to memory of 2708	2096	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	29
PID 2096 wrote to memory of 2708	2096	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	29
PID 2096 wrote to memory of 2812	2096	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	30
PID 2096 wrote to memory of 2812	2096	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	30
PID 2096 wrote to memory of 2812	2096	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	30
PID 2096 wrote to memory of 2812	2096	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	30
PID 2708 wrote to memory of 2840	2708	svchost.exe	34
PID 2708 wrote to memory of 2840	2708	svchost.exe	34
PID 2708 wrote to memory of 2840	2708	svchost.exe	34
PID 2708 wrote to memory of 2840	2708	svchost.exe	34
PID 2708 wrote to memory of 2840	2708	svchost.exe	34
PID 2708 wrote to memory of 2840	2708	svchost.exe	34

C:\Users\Admin\AppData\Local\Temp\8d6821e1b2ca8c76d1d5f15bf4f838a7.exe
"C:\Users\Admin\AppData\Local\Temp\8d6821e1b2ca8c76d1d5f15bf4f838a7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\8d6821e1b2ca8c76d1d5f15bf4f838a7.exe
  C:\Users\Admin\AppData\Local\Temp\8d6821e1b2ca8c76d1d5f15bf4f838a7.exe C:\Documents an
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Documents an
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\8D6821~1.EXE" >> NUL
    3⤵
    - Deletes itself
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
143KB

MD5
8d6821e1b2ca8c76d1d5f15bf4f838a7

SHA1
040895bce4309207090f8ae51263f96948643daa

SHA256
ab0bbc950ef2066a74e80ed1fab7951f2feefbfed35f71f1ff1e6a65273e9bb1

SHA512
b7b4c74ad36958e98ed3f961720c74a0908023639f155fb5b06b1a8c0ab867d012315bf8abca1d636d199d6e630036a9413a9f1ae901e4e1b4076a9c3df0cf4b

Download Submit
memory/2096-18-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2096-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2096-3-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2096-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2096-6-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2096-7-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2096-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2224-4-0x0000000020000000-0x000000002002E000-memory.dmp

Filesize
184KB

Download
memory/2708-27-0x0000000020000000-0x000000002002E000-memory.dmp

Filesize
184KB

Download
memory/2840-29-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2840-30-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2840-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2840-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2840-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads