metasploit | 956bd5ac5746f4e92c9ae97c77e714188ebfb49e7552113dafe871e62853860e

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c055a021e4446a6d4f3c25690988c10N.docm
Size

513KB
MD5

6c055a021e4446a6d4f3c25690988c10
SHA1

81661d0510c4b8a4a5c9bf7955c8cd4ed891c1b1
SHA256

956bd5ac5746f4e92c9ae97c77e714188ebfb49e7552113dafe871e62853860e
SHA512

06ce4de973c7baeb53f27a9b2965f24bf8d49a216c8449d8d66d62c2d54d386e74d974adeab773d36d817bf6fe56ea5e67d66cbbdaf1b157c6522f399efc1c6e
SSDEEP

12288:bHAE+gcDDzlWnnqIDmaFMUA7VwnNwcDETWEfD6l/JuJwBpf9:bHAZ7z6nqOwUA7Vwn3DETWCwuqX

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

http://139.162.249.106:4444/9dPuUFpOeQ_mZudnh_Bk-gB3qENo3TtVIO1XahDnEp9dYlN98R8WEzbaRv-XnQuPRJxx4Y-98k3fwiEKUgHRAftoYFiwaXDFU4fty1ZfyvSILA0P-NZauCtJHFpPtBiVkyTrXvBZX5t6yGOXuefG1UC14v8uMSaWyvOqd

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 1 IoCs

pid	Process
2720	rad1820B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
768	WINWORD.EXE
768	WINWORD.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rad1820B.tmp.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\TypeLib\{DE271AF2-2778-45BD-8855-8A65C5189483}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE271AF2-2778-45BD-8855-8A65C5189483}\2.0\0	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE271AF2-2778-45BD-8855-8A65C5189483}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\TypeLib\{DE271AF2-2778-45BD-8855-8A65C5189483}\2.0\HELPDIR	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE271AF2-2778-45BD-8855-8A65C5189483}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\TypeLib\{DE271AF2-2778-45BD-8855-8A65C5189483}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
768	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
768	WINWORD.EXE
768	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 2016	768	WINWORD.EXE	30
PID 768 wrote to memory of 2016	768	WINWORD.EXE	30
PID 768 wrote to memory of 2016	768	WINWORD.EXE	30
PID 768 wrote to memory of 2016	768	WINWORD.EXE	30
PID 768 wrote to memory of 2720	768	WINWORD.EXE	31
PID 768 wrote to memory of 2720	768	WINWORD.EXE	31
PID 768 wrote to memory of 2720	768	WINWORD.EXE	31
PID 768 wrote to memory of 2720	768	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6c055a021e4446a6d4f3c25690988c10N.docm"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2016
- C:\Users\Admin\AppData\Local\Temp\rad1820B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\rad1820B.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
4adda0bb94befb11c1fa751f20b125b7

SHA1
13a8c3a536f448f33017dc4209066166b3878a68

SHA256
4e9e4d088692d3e934cab4bb1f8c567c491afd955c2cc25e8848c2b55559387c

SHA512
69632ebc70d547c75c64e9f007b4e4f5786d4cb9f73e7ad79bbaf7ac5ec2427356d6a9731667b3f9b4365b1124e6319369957de39e8f1875a712016b59fe8f66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\rad1820B.tmp.exe

Filesize
72KB

MD5
6ba5f5202585682d55bbed282f3f367b

SHA1
d8406910a24f29fe9ead50a53ae9367952efccf4

SHA256
7ea6d252b83e03e7daa08d7d419a18f47b617504d4b50cd9a06cc531789a0e7b

SHA512
d739b56c3d53c58eb63ac1a600eda41571a0dd4522a598ea7a10f4e1966cb720d61a221de4d5857b1cfc1db71e524b48a8190cd80237ca0060094f64be326ac2

Download Submit
memory/768-13-0x0000000005260000-0x0000000005360000-memory.dmp

Filesize
1024KB

Download
memory/768-18-0x0000000005260000-0x0000000005360000-memory.dmp

Filesize
1024KB

Download
memory/768-24-0x0000000005260000-0x0000000005360000-memory.dmp

Filesize
1024KB

Download
memory/768-0-0x000000002F941000-0x000000002F942000-memory.dmp

Filesize
4KB

Download
memory/768-2-0x00000000717ED000-0x00000000717F8000-memory.dmp

Filesize
44KB

Download
memory/768-48-0x00000000717ED000-0x00000000717F8000-memory.dmp

Filesize
44KB

Download
memory/768-49-0x0000000005260000-0x0000000005360000-memory.dmp

Filesize
1024KB

Download
memory/768-50-0x0000000005260000-0x0000000005360000-memory.dmp

Filesize
1024KB

Download
memory/768-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/768-72-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2720-34-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download