metasploit | f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5

General

Target

f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe
Size

1.7MB
MD5

1445b48111cedf2ac017788eaeaee624
SHA1

fa607c0fdf147e4dbfadc37ffef0a0cc08b4bf7b
SHA256

f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5
SHA512

28494d3d78dadfe9e45bd959f52efca679b4a2cb7783c0a1d27ad70f7740d12aecb24c6e8870995e5bc666161f30fa1868c87a62b9d18d79ddcca36b5b5b9400
SSDEEP

24576:GVP4iQzePuruuXj/cz86edKl7DLwkCTpLH9ZVm+nzEG6GvmhhbnCydBA+bAW1ej:GWBj/czxedKFCTpRZdzEjAm9bK

Score

10^/10

metasploit backdoor persistence trojan upx

Malware Config

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

2 1160 rundll32.exe
2 1160 rundll32.exe
2 1160 rundll32.exe
2 1160 rundll32.exe
2 1160 rundll32.exe
Executes dropped EXE 3 IoCs

Processes:

sg.tmp5555.exe5555.exe

pid process

2680 sg.tmp
2572 5555.exe
2404 5555.exe

flow	pid	process
2	1160	rundll32.exe
2	1160	rundll32.exe
2	1160	rundll32.exe
2	1160	rundll32.exe
2	1160	rundll32.exe

pid	process
2680	sg.tmp
2572	5555.exe
2404	5555.exe

Loads dropped DLL 7 IoCs

Processes:

f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe5555.exerundll32.exe

pid	process
2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe
2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe
2572	5555.exe
108	rundll32.exe
108	rundll32.exe
108	rundll32.exe
108	rundll32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2140-0-0x0000000000400000-0x0000000000566000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\~1366243798889523539\temp.exe	upx
behavioral1/memory/2140-72-0x0000000000400000-0x0000000000566000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe5555.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\5555.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\~1366243798889523539\\5555.exe\""	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\5555.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\~1366243798889523539\\5555.exe\""	5555.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\2.bat = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\~1808707249053499992\\2.bat\""	5555.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 108 set thread context of 1160 108 rundll32.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5555.exef02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe

pid process

2572 5555.exe
2140 f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe

description	pid	process	target process
PID 108 set thread context of 1160	108	rundll32.exe	rundll32.exe

pid	process
2572	5555.exe
2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exesg.tmp5555.exe5555.exe

description	pid	process
Token: SeBackupPrivilege	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe
Token: SeRestorePrivilege	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe
Token: 33	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe
Token: SeIncBasePriorityPrivilege	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe
Token: 33	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe
Token: SeIncBasePriorityPrivilege	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe
Token: 33	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe
Token: SeIncBasePriorityPrivilege	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe
Token: SeRestorePrivilege	2680	sg.tmp
Token: 35	2680	sg.tmp
Token: SeSecurityPrivilege	2680	sg.tmp
Token: SeSecurityPrivilege	2680	sg.tmp
Token: 33	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe
Token: SeIncBasePriorityPrivilege	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe
Token: SeBackupPrivilege	2572	5555.exe
Token: SeRestorePrivilege	2572	5555.exe
Token: 33	2572	5555.exe
Token: SeIncBasePriorityPrivilege	2572	5555.exe
Token: 33	2572	5555.exe
Token: SeIncBasePriorityPrivilege	2572	5555.exe
Token: 33	2572	5555.exe
Token: SeIncBasePriorityPrivilege	2572	5555.exe
Token: SeBackupPrivilege	2404	5555.exe
Token: SeRestorePrivilege	2404	5555.exe
Token: 33	2404	5555.exe
Token: SeIncBasePriorityPrivilege	2404	5555.exe
Token: 33	2572	5555.exe
Token: SeIncBasePriorityPrivilege	2572	5555.exe
Token: SeDebugPrivilege	2572	5555.exe
Token: SeDebugPrivilege	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe5555.execmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 2140 wrote to memory of 2600	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe	cmd.exe
PID 2140 wrote to memory of 2600	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe	cmd.exe
PID 2140 wrote to memory of 2600	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe	cmd.exe
PID 2140 wrote to memory of 2600	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe	cmd.exe
PID 2140 wrote to memory of 2680	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe	sg.tmp
PID 2140 wrote to memory of 2680	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe	sg.tmp
PID 2140 wrote to memory of 2680	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe	sg.tmp
PID 2140 wrote to memory of 2680	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe	sg.tmp
PID 2140 wrote to memory of 2572	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe	5555.exe
PID 2140 wrote to memory of 2572	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe	5555.exe
PID 2140 wrote to memory of 2572	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe	5555.exe
PID 2140 wrote to memory of 2572	2140	f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe	5555.exe
PID 2572 wrote to memory of 2428	2572	5555.exe	cmd.exe
PID 2572 wrote to memory of 2428	2572	5555.exe	cmd.exe
PID 2572 wrote to memory of 2428	2572	5555.exe	cmd.exe
PID 2572 wrote to memory of 2428	2572	5555.exe	cmd.exe
PID 2572 wrote to memory of 2404	2572	5555.exe	5555.exe
PID 2572 wrote to memory of 2404	2572	5555.exe	5555.exe
PID 2572 wrote to memory of 2404	2572	5555.exe	5555.exe
PID 2572 wrote to memory of 2404	2572	5555.exe	5555.exe
PID 2572 wrote to memory of 580	2572	5555.exe	cmd.exe
PID 2572 wrote to memory of 580	2572	5555.exe	cmd.exe
PID 2572 wrote to memory of 580	2572	5555.exe	cmd.exe
PID 2572 wrote to memory of 580	2572	5555.exe	cmd.exe
PID 580 wrote to memory of 1076	580	cmd.exe	rundll32.exe
PID 580 wrote to memory of 1076	580	cmd.exe	rundll32.exe
PID 580 wrote to memory of 1076	580	cmd.exe	rundll32.exe
PID 1076 wrote to memory of 108	1076	rundll32.exe	rundll32.exe
PID 1076 wrote to memory of 108	1076	rundll32.exe	rundll32.exe
PID 1076 wrote to memory of 108	1076	rundll32.exe	rundll32.exe
PID 1076 wrote to memory of 108	1076	rundll32.exe	rundll32.exe
PID 1076 wrote to memory of 108	1076	rundll32.exe	rundll32.exe
PID 1076 wrote to memory of 108	1076	rundll32.exe	rundll32.exe
PID 1076 wrote to memory of 108	1076	rundll32.exe	rundll32.exe
PID 108 wrote to memory of 1160	108	rundll32.exe	rundll32.exe
PID 108 wrote to memory of 1160	108	rundll32.exe	rundll32.exe
PID 108 wrote to memory of 1160	108	rundll32.exe	rundll32.exe
PID 108 wrote to memory of 1160	108	rundll32.exe	rundll32.exe
PID 108 wrote to memory of 1160	108	rundll32.exe	rundll32.exe
PID 108 wrote to memory of 1160	108	rundll32.exe	rundll32.exe
PID 108 wrote to memory of 1160	108	rundll32.exe	rundll32.exe
PID 108 wrote to memory of 1160	108	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe
"C:\Users\Admin\AppData\Local\Temp\f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:2600
- C:\Users\Admin\AppData\Local\Temp\~1713832263202472777~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\f02bb51dfbe714d0475327c95a8e406e8ee80892a5717b0ea41345df39bd74b5.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~1366243798889523539"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\~1366243798889523539\5555.exe
  "C:\Users\Admin\AppData\Local\Temp\~1366243798889523539\5555.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\system32\cmd.exe
    cmd.exe /c set
    3⤵
    PID:2428
- - C:\Users\Admin\AppData\Local\Temp\~1366243798889523539\5555.exe
    PECMD**pecmd-cmd* PUTF -dd -skipb=588800 -len=95855 "C:\Users\Admin\AppData\Local\Temp\~2489542592940650016.tmp",,C:\Users\Admin\AppData\Local\Temp\~1366243798889523539\5555.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\~1808707249053499992\2.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Windows\system32\rundll32.exe
      rundll32 ./1713161804.dll dllentrypoint
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 ./1713161804.dll dllentrypoint
        5⤵
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:108
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe
        6⤵
        Blocklisted process makes network request
        
        PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~1366243798889523539\1713336160.dll

Filesize
261KB

MD5
17a097be2a26aa61488298b9b7b9ba10

SHA1
0d6cf624e0b70358185e01f061ac29d68731760a

SHA256
ba23fee0a4efcd231b90482d150efcaa88e7b5e03c59e7f533af665654b7d66d

SHA512
b117f4fb6ae38b45e74312171c54f7b7ad149be6bef06e29a7701c04717f948200919ce5f2ae1bbcc7238703e65ae67f24eec657025a95f43bd8bad2a38c0571

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1366243798889523539\5555.exe

Filesize
668KB

MD5
f5a9217e194d53e7278423686286a391

SHA1
fb77be3876a2dc7c3e310e9fa16e96e69915b315

SHA256
ed8239f5324cffe38a37b09143251e89175d602b56786e422556678c41387e84

SHA512
9011e6f131318d13a2d635356d48ac768c3e2f76dda8e7148d6431ee37db4a478a6cce9a1686d69b89d1ecfb7671844b4b76f35ab8efeff6c88b3f38f27fbf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1366243798889523539\temp.bat

Filesize
978B

MD5
6942e6b6f3ada1d65e596124badd2836

SHA1
35cf2379371cf7ff2b42090b3d7083c9115f48e6

SHA256
bf444e9af5e7fe24d8319baa839cf7db2a9c365fc447bf0106904a205484f566

SHA512
da6196671f80388e59c0d125c8155c208bdbb7a2f59a62a06b566a9c4200710c80d7dc8e4fda577ecdcd32384833756f711427d42880458d1bd7b0303d931b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1366243798889523539\temp.exe

Filesize
46KB

MD5
12247aec1d3416ff0b5070078d6dc042

SHA1
a5a1d29276c91db609f03f4ebb7bff954739e785

SHA256
fc491c9fb73303f03441faa126e7674ffa2e00a936c099e9b73419020e0b4145

SHA512
6aee30237a6575be6d65d60953bba62235e389abdf81aadf1b175c3926ac0c254943026a952aa5447dcd8042f0eb83a5b88b0a6c624929d239632889affe4148

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1808707249053499992\1713161804.dll

Filesize
261KB

MD5
4fe3607b4c01296b113e08f46cd76a04

SHA1
0267353daa20fb9d30d7460bab108d0a328d56b2

SHA256
247c09410d5ea2ee97500e91f0b3e57bb7290c1518084d3447c6fab8f08b235c

SHA512
0d405a8d17af2d6ea465452586f59522f5681b1d19c60e03f960202fdd8293bb36e97aa47ac66b5e79104beb1815ce5179a5032f4a8e2c80edf96af050b8f751

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1808707249053499992\2.bat

Filesize
39B

MD5
715da46a4cc962d88be2cafe42eedd66

SHA1
9771b59f518541e0d069b52df70ccfe078cbcc3a

SHA256
6c782df52d05fb69739152b1de15314419416c8574abcd678d838c3d0574c735

SHA512
3740475d9a78f51d1a4ae8434b69c76fc6a115a06deda2e234cdb38f3903ff10e640dd2aa75e5a996709839b7f85691d75574e77bfe57389c247cff058d06c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2489542592940650016.tmp

Filesize
93KB

MD5
835b66cbbd0f128745bb599c5084116f

SHA1
f74e6458e1dec5a37451116ce0d2b8a3bcb72cc8

SHA256
783700e78c2994420768bb735212f079b6d5eaf6f0c2b62dd028f9319f464a08

SHA512
e260a98b65f76c2b25da9f1ef63770535918779c7a7f149d70682cd4057e83a5bda396dfbb73b2d74ed9002162163db764cc1ae5b0a43a4941411116edfe7f6a

Download Submit
\Users\Admin\AppData\Local\Temp\~1713832263202472777~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
memory/1160-66-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/1160-64-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/1160-67-0x0000000000190000-0x00000000001C4000-memory.dmp

Filesize
208KB

Download
memory/2140-0-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/2140-23-0x0000000002E90000-0x0000000002F84000-memory.dmp

Filesize
976KB

Download
memory/2140-72-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/2404-36-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2572-34-0x0000000002580000-0x0000000002674000-memory.dmp

Filesize
976KB

Download
memory/2572-25-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2572-71-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads