General

  • Target

    acf977f45b63736b6064c1bf0c4850324caf8b8f04b4b129b72a56da8cc253bd.exe

  • Size

    4.3MB

  • Sample

    240621-hlb71stgrj

  • MD5

    2a3abe90a0bf6e0a019a6c1a36b58a2a

  • SHA1

    5a10aa99a227c5f36a436257ca4c265ae959cacb

  • SHA256

    acf977f45b63736b6064c1bf0c4850324caf8b8f04b4b129b72a56da8cc253bd

  • SHA512

    284aad004999ce7f5bb8aa4d5c273cec48c39d151929682ef3fa2ea0dece24e7347638fce573916811d6407f33f3d4589a4e98f052526d726db0d206ce166764

  • SSDEEP

    12288:MPMe1zAzgiO/HwCao3YLNz4Tfa34P7GDSa3mwT7:M0e1zAzw/HRMNz4TfS7

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

3.136.65.236:18059
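The extracted configuration identifies the payload as a Metasploit stager calling back to 3.136.65.236:18059. The following is an added example (my code, not part of the sandbox report, the sample, or Metasploit) showing how that socket can be recovered from a reverse_tcp stager's bytes, for instance from the dropped EXE or a memory dump. It relies on the immediates the stock msfvenom windows reverse_tcp stagers use to build their sockaddr_in (x86 `push ip; push AF_INET|port`, x64 `mov r14, imm64`); that this sample uses one of those two variants is an assumption, since the report names only `metasploit_stager`. The shellcode blobs at the bottom are constructed around the report's C2 and are not bytes from the sample.

```python
"""Recover the C2 socket from a Metasploit windows reverse_tcp stager blob.

Added example for this report; not code from the sandbox, the sample or
Metasploit. It relies on the way the stock msfvenom reverse_tcp stagers
build their sockaddr_in from immediates (an assumption about this sample,
whose exact payload variant the report does not state):
  x86: push <ip>       -> 68 ii ii ii ii
       push <AF|port>  -> 68 02 00 pp pp     (AF_INET = 2, port big-endian)
  x64: mov r14, <imm>  -> 49 BE 02 00 pp pp ii ii ii ii
The blobs at the bottom are constructed around this report's C2
(3.136.65.236:18059); they are not bytes taken from the sample.
"""
import re
import socket
import struct
from typing import List, Tuple

X86_SOCKADDR = re.compile(rb"\x68(?P<ip>.{4})\x68\x02\x00(?P<port>.{2})", re.DOTALL)
X64_SOCKADDR = re.compile(rb"\x49\xbe\x02\x00(?P<port>.{2})(?P<ip>.{4})", re.DOTALL)


def extract_c2(blob: bytes) -> List[Tuple[str, str, int]]:
    """Return (arch, ip, port) for every stager sockaddr_in found in blob."""
    hits = []
    for arch, pattern in (("x86", X86_SOCKADDR), ("x64", X64_SOCKADDR)):
        for m in pattern.finditer(blob):
            port = struct.unpack(">H", m.group("port"))[0]
            ip = socket.inet_ntoa(m.group("ip"))
            if port == 0 or ip == "0.0.0.0":  # filler that happens to fit the pattern
                continue
            hits.append((arch, ip, port))
    return hits


def extract_c2_from_file(path: str) -> List[Tuple[str, str, int]]:
    """Scan a dropped file or memory dump for embedded stager sockaddrs."""
    with open(path, "rb") as fh:
        return extract_c2(fh.read())


def x86_sockaddr(ip: str, port: int) -> bytes:
    """Immediates as emitted by the x86 stager: push ip; push AF_INET|port."""
    return b"\x68" + socket.inet_aton(ip) + b"\x68\x02\x00" + struct.pack(">H", port)


def x64_sockaddr(ip: str, port: int) -> bytes:
    """Immediate as emitted by the x64 stager: mov r14, AF_INET|port|ip."""
    return b"\x49\xbe\x02\x00" + struct.pack(">H", port) + socket.inet_aton(ip)


# Constructed blobs: stager prologue bytes, NOP padding, the sockaddr
# immediates, then a few bytes standing in for the instructions that follow.
C2_IP, C2_PORT = "3.136.65.236", 18059
SAMPLE_X86_STAGER = (b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5" + b"\x90" * 32
                     + x86_sockaddr(C2_IP, C2_PORT) + b"\x89\xe6\x50\x50\x50\x50")
SAMPLE_X64_STAGER = (b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00" + b"\x90" * 32
                     + x64_sockaddr(C2_IP, C2_PORT) + b"\x41\x56\x49\x89\xe6")

if __name__ == "__main__":
    for name, blob in (("x86", SAMPLE_X86_STAGER), ("x64", SAMPLE_X64_STAGER)):
        print(name, extract_c2(blob))
```

Run `extract_c2_from_file` over the dropped executable or a process dump; a stager this small is usually stored or decrypted as a contiguous blob, so the pattern survives even when the host EXE is a 4.3MB wrapper.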

Targets

    • Target

      acf977f45b63736b6064c1bf0c4850324caf8b8f04b4b129b72a56da8cc253bd.exe

    • Size

      4.3MB

    • MD5

      2a3abe90a0bf6e0a019a6c1a36b58a2a

    • SHA1

      5a10aa99a227c5f36a436257ca4c265ae959cacb

    • SHA256

      acf977f45b63736b6064c1bf0c4850324caf8b8f04b4b129b72a56da8cc253bd

    • SHA512

      284aad004999ce7f5bb8aa4d5c273cec48c39d151929682ef3fa2ea0dece24e7347638fce573916811d6407f33f3d4589a4e98f052526d726db0d206ce166764

    • SSDEEP

      12288:MPMe1zAzgiO/HwCao3YLNz4Tfa34P7GDSa3mwT7:M0e1zAzw/HRMNz4TfS7

    • MetaSploit

      Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.

    • Modifies Windows Defender Real-time Protection settings

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Loads dropped DLL
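The report flags PowerShell being used to modify Windows Defender real-time protection and to add exclusions, but does not show the command line. The following added example (my code, not from the sandbox or the sample) is detection logic a responder could run over process-creation command lines to catch that behaviour, including the common case where the cmdlet is hidden behind `-EncodedCommand`. The command lines it scans are constructed to mirror the reported behaviours; the cmdlet and parameter names are the real Defender PowerShell interface.

```python
"""Flag PowerShell command lines that tamper with Windows Defender.

Added example for this report; it is not code from the sandbox or the
sample. The command lines below are constructed, since the page shows
the behaviour names but not the sample's actual command line.
"""
import base64
import re
from typing import List, Optional, Tuple

# Each pattern maps to one of the behaviours reported above:
# Add-/Set-MpPreference with -Exclusion* adds Defender exclusions for
# paths, extensions or processes; -DisableRealtimeMonitoring $true turns
# real-time protection off (both ATT&CK T1562.001).
TAMPER_PATTERNS = {
    "defender_exclusion_path":
        re.compile(r"(Add|Set)-MpPreference\b[^|;]*-ExclusionPath\b", re.I),
    "defender_exclusion_extension":
        re.compile(r"(Add|Set)-MpPreference\b[^|;]*-ExclusionExtension\b", re.I),
    "defender_exclusion_process":
        re.compile(r"(Add|Set)-MpPreference\b[^|;]*-ExclusionProcess\b", re.I),
    "defender_realtime_disabled":
        re.compile(r"Set-MpPreference\b[^|;]*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I),
}

# powershell.exe accepts -e, -ec, -enc, ... -EncodedCommand followed by
# base64 of a UTF-16LE script; the exclusion cmdlet is often hidden there.
ENCODED_CMD = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline: str) -> List[str]:
    """Names of the tamper patterns matched by a command line (after decoding)."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + " " + decoded
    return [name for name, pat in TAMPER_PATTERNS.items() if pat.search(text)]


def scan_command_lines(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (command line, matched pattern names) for every line that fires."""
    return [(line, classify(line)) for line in cmdlines if classify(line)]


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command lines in the shape of a Sysmon Event ID 1 CommandLine field.
SAMPLE_COMMAND_LINES = [
    # exclusions for a path, an extension and a process in one call
    r'powershell.exe -NoP -W Hidden -Command "Add-MpPreference -ExclusionPath C:\Users\Public '
    r'-ExclusionExtension exe -ExclusionProcess svchost.exe"',
    # real-time protection switched off
    r'powershell.exe -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    # benign read of the current preferences; must not fire
    r'powershell.exe -Command "Get-MpPreference | Select-Object ExclusionPath"',
    # the same exclusion hidden behind -enc
    "powershell.exe -NoP -enc " + encode_for_powershell(r'Add-MpPreference -ExclusionPath "C:\ProgramData"'),
]

if __name__ == "__main__":
    for line, tags in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(", ".join(tags), "<-", line[:80])
```

Command-line matching alone misses exclusions added through the registry or WMI, so on the host also confirm the outcome with Defender operational log event 5007 (configuration changed) and the current output of `Get-MpPreference`.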

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

    • Command and Scripting Interpreter (T1059): 1
    • PowerShell (T1059.001): 1
    • Scheduled Task/Job (T1053): 1
    • Scheduled Task (T1053.005): 1

Persistence

    • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1
    • Scheduled Task/Job (T1053): 1
    • Scheduled Task (T1053.005): 1

Privilege Escalation

    • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1
    • Scheduled Task/Job (T1053): 1
    • Scheduled Task (T1053.005): 1

Defense Evasion

    • Modify Registry (T1112): 1
    • Impair Defenses (T1562): 1
    • Disable or Modify Tools (T1562.001): 1

Discovery

    • Query Registry (T1012): 1

Tasks