metasploit | ab0bbc950ef2066a74e80ed1fab7951f2feefbfed35f71f1ff1e6a65273e9bb1

General

Target

8d6821e1b2ca8c76d1d5f15bf4f838a7.exe
Size

143KB
MD5

8d6821e1b2ca8c76d1d5f15bf4f838a7
SHA1

040895bce4309207090f8ae51263f96948643daa
SHA256

ab0bbc950ef2066a74e80ed1fab7951f2feefbfed35f71f1ff1e6a65273e9bb1
SHA512

b7b4c74ad36958e98ed3f961720c74a0908023639f155fb5b06b1a8c0ab867d012315bf8abca1d636d199d6e630036a9413a9f1ae901e4e1b4076a9c3df0cf4b
SSDEEP

3072:AMGIkXgig5iuvINdcsnIKaHiyI0TelORghzIdeZw:AMGI9igGNaskmvoglIdeK

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2780	svchost.exe
2960	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2740	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe
2740	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe
2780	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2632 set thread context of 2740	2632	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	28
PID 2780 set thread context of 2960	2780	svchost.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe
Token: SeShutdownPrivilege	2740	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe
Token: SeDebugPrivilege	2960	svchost.exe
Token: SeShutdownPrivilege	2960	svchost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2740	2632	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	28
PID 2632 wrote to memory of 2740	2632	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	28
PID 2632 wrote to memory of 2740	2632	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	28
PID 2632 wrote to memory of 2740	2632	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	28
PID 2632 wrote to memory of 2740	2632	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	28
PID 2632 wrote to memory of 2740	2632	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	28
PID 2740 wrote to memory of 2780	2740	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	29
PID 2740 wrote to memory of 2780	2740	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	29
PID 2740 wrote to memory of 2780	2740	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	29
PID 2740 wrote to memory of 2780	2740	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	29
PID 2740 wrote to memory of 2676	2740	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	30
PID 2740 wrote to memory of 2676	2740	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	30
PID 2740 wrote to memory of 2676	2740	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	30
PID 2740 wrote to memory of 2676	2740	8d6821e1b2ca8c76d1d5f15bf4f838a7.exe	30
PID 2780 wrote to memory of 2960	2780	svchost.exe	32
PID 2780 wrote to memory of 2960	2780	svchost.exe	32
PID 2780 wrote to memory of 2960	2780	svchost.exe	32
PID 2780 wrote to memory of 2960	2780	svchost.exe	32
PID 2780 wrote to memory of 2960	2780	svchost.exe	32
PID 2780 wrote to memory of 2960	2780	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\8d6821e1b2ca8c76d1d5f15bf4f838a7.exe
"C:\Users\Admin\AppData\Local\Temp\8d6821e1b2ca8c76d1d5f15bf4f838a7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Local\Temp\8d6821e1b2ca8c76d1d5f15bf4f838a7.exe
  C:\Users\Admin\AppData\Local\Temp\8d6821e1b2ca8c76d1d5f15bf4f838a7.exe C:\Documents an
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Documents an
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\8D6821~1.EXE" >> NUL
    3⤵
    - Deletes itself
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
143KB

MD5
8d6821e1b2ca8c76d1d5f15bf4f838a7

SHA1
040895bce4309207090f8ae51263f96948643daa

SHA256
ab0bbc950ef2066a74e80ed1fab7951f2feefbfed35f71f1ff1e6a65273e9bb1

SHA512
b7b4c74ad36958e98ed3f961720c74a0908023639f155fb5b06b1a8c0ab867d012315bf8abca1d636d199d6e630036a9413a9f1ae901e4e1b4076a9c3df0cf4b

Download Submit
memory/2632-4-0x0000000020000000-0x000000002002E000-memory.dmp

Filesize
184KB

Download
memory/2740-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2740-3-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2740-6-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2740-7-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2740-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2740-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-18-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2780-26-0x0000000020000000-0x000000002002E000-memory.dmp

Filesize
184KB

Download
memory/2960-28-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2960-29-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2960-30-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2960-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2960-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads