metasploit | 97e9d58c9203373d457756c312075cf6d529115df21b1ccb02e22d8808cd9b23

General

Target

ob.exe
Size

72KB
MD5

a9cbb39c444099cc845042715642b3ae
SHA1

172394be0eaebdd74a793d534d03fbd15ceebbb7
SHA256

97e9d58c9203373d457756c312075cf6d529115df21b1ccb02e22d8808cd9b23
SHA512

46c5cc4e604fa25267b721aa523b93a3b4169af497eb4dd8cb5a8495ecc44b028abd9948510d77b48ab01cb4e382f3b17699f1e9b8f8a992c4038f737948f894
SSDEEP

1536:IU/VhJ9ojsHHRRL8Aoy07H7vpd87bpvOPbhMb+KR0Nc8QsJq39:t/7J9ojybL8ATUs7Qzhe0Nc8QsC9

Score

10^/10

metasploit backdoor execution persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

146.190.15.117:60170

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

17 1656 rundll32.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Executes dropped EXE 1 IoCs

Processes:

sms_service.exe

pid process

1676 sms_service.exe

flow	pid	process
17	1656	rundll32.exe

pid	process
1676	sms_service.exe

Drops file in System32 directory 2 IoCs

Processes:

ob.exerundll32.exe

description	ioc	process
File created	\??\c:\windows\SysWOW64\sms_service.exe	ob.exe
File opened for modification	\??\c:\windows\SysWOW64\sms_service.exe	rundll32.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3524 sc.exe
4740 sc.exe
868 sc.exe
2860 sc.exe

pid	process
3524	sc.exe
4740	sc.exe
868	sc.exe
2860	sc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

ob.execmd.exesms_service.exerundll32.execmd.exe

description	pid	process	target process
PID 5084 wrote to memory of 3740	5084	ob.exe	cmd.exe
PID 5084 wrote to memory of 3740	5084	ob.exe	cmd.exe
PID 5084 wrote to memory of 3740	5084	ob.exe	cmd.exe
PID 3740 wrote to memory of 3524	3740	cmd.exe	sc.exe
PID 3740 wrote to memory of 3524	3740	cmd.exe	sc.exe
PID 3740 wrote to memory of 3524	3740	cmd.exe	sc.exe
PID 3740 wrote to memory of 4784	3740	cmd.exe	findstr.exe
PID 3740 wrote to memory of 4784	3740	cmd.exe	findstr.exe
PID 3740 wrote to memory of 4784	3740	cmd.exe	findstr.exe
PID 3740 wrote to memory of 4740	3740	cmd.exe	sc.exe
PID 3740 wrote to memory of 4740	3740	cmd.exe	sc.exe
PID 3740 wrote to memory of 4740	3740	cmd.exe	sc.exe
PID 3740 wrote to memory of 868	3740	cmd.exe	sc.exe
PID 3740 wrote to memory of 868	3740	cmd.exe	sc.exe
PID 3740 wrote to memory of 868	3740	cmd.exe	sc.exe
PID 1676 wrote to memory of 1656	1676	sms_service.exe	rundll32.exe
PID 1676 wrote to memory of 1656	1676	sms_service.exe	rundll32.exe
PID 1676 wrote to memory of 1656	1676	sms_service.exe	rundll32.exe
PID 1676 wrote to memory of 1656	1676	sms_service.exe	rundll32.exe
PID 1656 wrote to memory of 2456	1656	rundll32.exe	cmd.exe
PID 1656 wrote to memory of 2456	1656	rundll32.exe	cmd.exe
PID 1656 wrote to memory of 2456	1656	rundll32.exe	cmd.exe
PID 2456 wrote to memory of 2860	2456	cmd.exe	sc.exe
PID 2456 wrote to memory of 2860	2456	cmd.exe	sc.exe
PID 2456 wrote to memory of 2860	2456	cmd.exe	sc.exe
PID 2456 wrote to memory of 4068	2456	cmd.exe	findstr.exe
PID 2456 wrote to memory of 4068	2456	cmd.exe	findstr.exe
PID 2456 wrote to memory of 4068	2456	cmd.exe	findstr.exe

C:\Users\Admin\AppData\Local\Temp\ob.exe
"C:\Users\Admin\AppData\Local\Temp\ob.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c sc query TextService | findstr /I /C:"SERVICE_NAME: TextService" && exit 0 || (echo "Service does not exist, proceeding..." && sc create TextService binPath= "C:\windows\system32\sms_service.exe" start= auto && sc start TextService)
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\SysWOW64\sc.exe
    sc query TextService
    3⤵
    - Launches sc.exe
    PID:3524
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I /C:"SERVICE_NAME: TextService"
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\sc.exe
    sc create TextService binPath= "C:\windows\system32\sms_service.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:4740
- - C:\Windows\SysWOW64\sc.exe
    sc start TextService
    3⤵
    - Launches sc.exe
    PID:868

C:\windows\SysWOW64\sms_service.exe
C:\windows\SysWOW64\sms_service.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676
- C:\windows\SysWOW64\rundll32.exe
  rundll32.exe
  2⤵
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\windows\SysWOW64\cmd.exe
    cmd.exe /c sc query TextService | findstr /I /C:"SERVICE_NAME: TextService" && exit 0 || (echo "Service does not exist, proceeding..." && sc create TextService binPath= "C:\windows\system32\sms_service.exe" start= auto && sc start TextService)
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\sc.exe
      sc query TextService
      4⤵
      Launches sc.exe
      PID:2860
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I /C:"SERVICE_NAME: TextService"
      4⤵
      PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sms_service.exe

Filesize
15KB

MD5
a764d19701c5fc1d48083270e945743a

SHA1
d4af43b67757b89b9cf0c8ef11308b3d2ba56e43

SHA256
d364328da5e9db108ea3aaa5a87c1524386552aeae57778daa2789a2213ed359

SHA512
9b75e6a1375d136be6451cf62ef910508bfc24fc453074996bec70a7913ef5e8261c5c1c887fc1dd812ac9ee98c474942d9de28ee5cc0e66bf342b1a03915195

Download Submit
memory/1656-70-0x0000000001230000-0x0000000001261000-memory.dmp

Filesize
196KB

Download
memory/1656-63-0x0000000001230000-0x0000000001261000-memory.dmp

Filesize
196KB

Download
memory/1656-130-0x00000000016B0000-0x00000000017B0000-memory.dmp

Filesize
1024KB

Download
memory/1656-60-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/1656-129-0x00000000016B0000-0x00000000017B0000-memory.dmp

Filesize
1024KB

Download
memory/1656-103-0x00000000016B0000-0x00000000017B0000-memory.dmp

Filesize
1024KB

Download
memory/1656-82-0x00000000016B0000-0x00000000017B0000-memory.dmp

Filesize
1024KB

Download
memory/1656-77-0x00000000017B0000-0x0000000001813000-memory.dmp

Filesize
396KB

Download
memory/1656-68-0x0000000001200000-0x000000000122C000-memory.dmp

Filesize
176KB

Download
memory/1656-67-0x0000000001230000-0x0000000001261000-memory.dmp

Filesize
196KB

Download
memory/1656-62-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/1676-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5084-40-0x0000000002590000-0x0000000002690000-memory.dmp

Filesize
1024KB

Download
memory/5084-2-0x0000000000930000-0x0000000000961000-memory.dmp

Filesize
196KB

Download
memory/5084-6-0x0000000000930000-0x0000000000961000-memory.dmp

Filesize
196KB

Download
memory/5084-14-0x0000000002690000-0x00000000026F3000-memory.dmp

Filesize
396KB

Download
memory/5084-55-0x0000000000930000-0x0000000000961000-memory.dmp

Filesize
196KB

Download
memory/5084-56-0x0000000000930000-0x0000000000961000-memory.dmp

Filesize
196KB

Download
memory/5084-45-0x0000000000930000-0x0000000000961000-memory.dmp

Filesize
196KB

Download
memory/5084-41-0x0000000000930000-0x0000000000961000-memory.dmp

Filesize
196KB

Download
memory/5084-0-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/5084-1-0x00000000008C0000-0x00000000008EC000-memory.dmp

Filesize
176KB

Download
memory/5084-35-0x0000000002700000-0x0000000002725000-memory.dmp

Filesize
148KB

Download
memory/5084-20-0x0000000000930000-0x0000000000961000-memory.dmp

Filesize
196KB

Download
memory/5084-124-0x00000000008C0000-0x00000000008EC000-memory.dmp

Filesize
176KB

Download
memory/5084-125-0x0000000002590000-0x0000000002690000-memory.dmp

Filesize
1024KB

Download
memory/5084-128-0x0000000002590000-0x0000000002690000-memory.dmp

Filesize
1024KB

Download
memory/5084-19-0x0000000002590000-0x0000000002690000-memory.dmp

Filesize
1024KB

Download
memory/5084-7-0x0000000000930000-0x0000000000961000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads