metasploit | c49e231dbc89b50f9f4c40148d61bb6000d03455f38112f6bf02900fa2b47dbd

General

Target

c49e231dbc89b50f9f4c40148d61bb6000d03455f38112f6bf02900fa2b47dbd.doc
Size

35KB
MD5

59a5c322894532880f84b8019dcdd0cf
SHA1

7fd471e6db362b84c47d9ce2501703e954dc5ff2
SHA256

c49e231dbc89b50f9f4c40148d61bb6000d03455f38112f6bf02900fa2b47dbd
SHA512

22eaca6b9486f8309b25fa8875f35d64a391e2eb3780c53d37097392a8720b78267571319e39720ffa39f27b39e129433b3f0703158dba35df7f8f5c1e7a998b
SSDEEP

384:gyiSwvxjk+t0/8iRMsPJ1XM4CQn6DQl0jYktv5y6CEt:g1xw+tEDRMsR1X/5mQlrkny6C

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

10.127.246.155:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2252	2068	DW20.EXE	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DW20.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwwin.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2068	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2068	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2068	WINWORD.EXE
2068	WINWORD.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1712	2068	WINWORD.EXE	30
PID 2068 wrote to memory of 1712	2068	WINWORD.EXE	30
PID 2068 wrote to memory of 1712	2068	WINWORD.EXE	30
PID 2068 wrote to memory of 1712	2068	WINWORD.EXE	30
PID 2068 wrote to memory of 2252	2068	WINWORD.EXE	33
PID 2068 wrote to memory of 2252	2068	WINWORD.EXE	33
PID 2068 wrote to memory of 2252	2068	WINWORD.EXE	33
PID 2068 wrote to memory of 2252	2068	WINWORD.EXE	33
PID 2068 wrote to memory of 2252	2068	WINWORD.EXE	33
PID 2068 wrote to memory of 2252	2068	WINWORD.EXE	33
PID 2068 wrote to memory of 2252	2068	WINWORD.EXE	33
PID 2252 wrote to memory of 2720	2252	DW20.EXE	34
PID 2252 wrote to memory of 2720	2252	DW20.EXE	34
PID 2252 wrote to memory of 2720	2252	DW20.EXE	34
PID 2252 wrote to memory of 2720	2252	DW20.EXE	34

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c49e231dbc89b50f9f4c40148d61bb6000d03455f38112f6bf02900fa2b47dbd.doc"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1712
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1260
  2⤵
  - Process spawned suspicious child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1260
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259444170.cvr

Filesize
1KB

MD5
9466c4162ab72479cfa68e9713dc7f81

SHA1
02bde5f1bf195556ac2686279854f15284698658

SHA256
d75b134afaf29dc12a2941b6e31ddc902754c1b44e1ddfc7d16ad9be7f7c5998

SHA512
63323a20b1c7d1e786c7bd1f67587a5c89e5320098e0835df93abbe2de84fa7bb21c40ca7a93fb13d5f2818b8fc8c22ebe18948120756e7914055100aae388cb

Download Submit
memory/2068-16-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2068-21-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2068-14-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2068-11-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2068-13-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2068-20-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2068-19-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2068-17-0x00000000065D0000-0x00000000065D1000-memory.dmp

Filesize
4KB

Download
memory/2068-15-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2068-0-0x000000002FBC1000-0x000000002FBC2000-memory.dmp

Filesize
4KB

Download
memory/2068-4-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2068-2-0x0000000070E1D000-0x0000000070E28000-memory.dmp

Filesize
44KB

Download
memory/2068-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2068-10-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2068-9-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2068-8-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2068-7-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2068-6-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2068-5-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2068-24-0x0000000070E1D000-0x0000000070E28000-memory.dmp

Filesize
44KB

Download
memory/2068-25-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing