metasploit | 3ac5a942797b111f4ba7a9304f5c36fdb179cac8be47997011c2de540e1e8d16

General

Target

3ac5a942797b111f4ba7a9304f5c36fdb179cac8be47997011c2de540e1e8d16.exe
Size

1.6MB
MD5

32d166eed8b91ac09e11a0f6f7be40db
SHA1

7f8adfccab9213aa0235719bddd0d2e67bce96b3
SHA256

3ac5a942797b111f4ba7a9304f5c36fdb179cac8be47997011c2de540e1e8d16
SHA512

f1ce3ef3f247852673532542af8264414b7a4ce6f9173f2dd2369a8ac6b4ca38b4e82c2b39fc4c6a5684309258770fa3c8b86a8ba60eeebc7332ddb677afd92a
SSDEEP

49152:c8Ekly3vrb/T7vO90d7HjmAFd4A64nsfJeUvDgALNCpMWD1:Q3+

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

23.227.194.212:8443

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

992 WINWORD.EXE
992 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	cmd.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

WINWORD.EXE

pid	process
992	WINWORD.EXE
992	WINWORD.EXE
992	WINWORD.EXE
992	WINWORD.EXE
992	WINWORD.EXE
992	WINWORD.EXE
992	WINWORD.EXE
992	WINWORD.EXE
992	WINWORD.EXE
992	WINWORD.EXE
992	WINWORD.EXE
992	WINWORD.EXE
992	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3ac5a942797b111f4ba7a9304f5c36fdb179cac8be47997011c2de540e1e8d16.execmd.exe

description	pid	process	target process
PID 3132 wrote to memory of 3060	3132	3ac5a942797b111f4ba7a9304f5c36fdb179cac8be47997011c2de540e1e8d16.exe	cmd.exe
PID 3132 wrote to memory of 3060	3132	3ac5a942797b111f4ba7a9304f5c36fdb179cac8be47997011c2de540e1e8d16.exe	cmd.exe
PID 3060 wrote to memory of 992	3060	cmd.exe	WINWORD.EXE
PID 3060 wrote to memory of 992	3060	cmd.exe	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\3ac5a942797b111f4ba7a9304f5c36fdb179cac8be47997011c2de540e1e8d16.exe
"C:\Users\Admin\AppData\Local\Temp\3ac5a942797b111f4ba7a9304f5c36fdb179cac8be47997011c2de540e1e8d16.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\system32\cmd.exe
cmd /c start "" C:\Users\Admin\AppData\Local\Temp\3ac5a942797b111f4ba7a9304f5c36fdb179cac8be47997011c2de540e1e8d16.doc
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3ac5a942797b111f4ba7a9304f5c36fdb179cac8be47997011c2de540e1e8d16.doc" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3ac5a942797b111f4ba7a9304f5c36fdb179cac8be47997011c2de540e1e8d16.doc
Filesize
11KB

MD5
913200d8e1ea56bcab85c6a677e576cd

SHA1
9e9e0ca7b1fb636794c02e7de476ed9a9ac3ad3c

SHA256
e0be2922b7e2b88f5fe25feea014ff2a7345b5bfff805c8a2e02ebe775b88d66

SHA512
ffffa9d6051a1f1269074864b101992e92d04b2e27a6e86f9734c7b3f05f6f87a2c70bd82c1ca6060f8bea05ccf84ed0f010d1713056b6338c26bc94cc1d0b5d

Download Submit
memory/992-19-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-10-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-5-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/992-7-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-17-0x00007FFA932C0000-0x00007FFA932D0000-memory.dmp

Filesize
64KB

Download
memory/992-8-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/992-9-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-20-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-11-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-21-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-14-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-15-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-13-0x00007FFA932C0000-0x00007FFA932D0000-memory.dmp

Filesize
64KB

Download
memory/992-16-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-18-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-3-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/992-6-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/992-4-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/992-12-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-22-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-23-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-24-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-25-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-28-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-63-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/992-42-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-61-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/992-62-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/992-64-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-66-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-65-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/992-68-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/992-67-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/3132-35-0x000001C650E00000-0x000001C650E01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads