metasploit | 465103f49f17100d1858ab0c63f2d32d5050b30504cd41a930d4b80caf0e6d08

Analysis

max time kernel
30s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/09/2024, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a1db5af5083758b437f10a1a27f0d4f313b1ef78bfa5491d3d58dbe742a7f17.msi
Size

156KB
MD5

b61ce074ac64253b6f3718b15d634d27
SHA1

439dce9b8c45c4f91ff375ec0c478c3e747b55ca
SHA256

6a1db5af5083758b437f10a1a27f0d4f313b1ef78bfa5491d3d58dbe742a7f17
SHA512

071e068a98208e540201bc9ff65357ba80bac82283edc179126944ebc15cd91c0628bfdd38761968c5693a9e93c53c431ba7c992adf83bdb70911a384cfe516c
SSDEEP

1536:Ek7KKWI59KMnbYYWgdrWw/WNSQm7+8lEgWnwQ5kEMb+KR0Nc8QsJq3UDj0D:v7KKWIO/8oiWNS3+80nwbEe0Nc8QsC

Score

10^/10

metasploit backdoor discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

5.180.45.105:9999

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIDF83.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDFB2.tmp	msiexec.exe
File created	C:\Windows\Installer\e57dee6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57dee6.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{705771E1-8028-4A2A-A93E-7DA02AB734CD}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
1644	MSIDFB2.tmp

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4152	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIDFB2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000080ecc9f1fa88237c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000080ecc9f10000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090080ecc9f1000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d80ecc9f1000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000080ecc9f100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2324	msiexec.exe
2324	msiexec.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4152	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4152	msiexec.exe
Token: SeSecurityPrivilege	2324	msiexec.exe
Token: SeCreateTokenPrivilege	4152	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4152	msiexec.exe
Token: SeLockMemoryPrivilege	4152	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4152	msiexec.exe
Token: SeMachineAccountPrivilege	4152	msiexec.exe
Token: SeTcbPrivilege	4152	msiexec.exe
Token: SeSecurityPrivilege	4152	msiexec.exe
Token: SeTakeOwnershipPrivilege	4152	msiexec.exe
Token: SeLoadDriverPrivilege	4152	msiexec.exe
Token: SeSystemProfilePrivilege	4152	msiexec.exe
Token: SeSystemtimePrivilege	4152	msiexec.exe
Token: SeProfSingleProcessPrivilege	4152	msiexec.exe
Token: SeIncBasePriorityPrivilege	4152	msiexec.exe
Token: SeCreatePagefilePrivilege	4152	msiexec.exe
Token: SeCreatePermanentPrivilege	4152	msiexec.exe
Token: SeBackupPrivilege	4152	msiexec.exe
Token: SeRestorePrivilege	4152	msiexec.exe
Token: SeShutdownPrivilege	4152	msiexec.exe
Token: SeDebugPrivilege	4152	msiexec.exe
Token: SeAuditPrivilege	4152	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4152	msiexec.exe
Token: SeChangeNotifyPrivilege	4152	msiexec.exe
Token: SeRemoteShutdownPrivilege	4152	msiexec.exe
Token: SeUndockPrivilege	4152	msiexec.exe
Token: SeSyncAgentPrivilege	4152	msiexec.exe
Token: SeEnableDelegationPrivilege	4152	msiexec.exe
Token: SeManageVolumePrivilege	4152	msiexec.exe
Token: SeImpersonatePrivilege	4152	msiexec.exe
Token: SeCreateGlobalPrivilege	4152	msiexec.exe
Token: SeBackupPrivilege	3608	vssvc.exe
Token: SeRestorePrivilege	3608	vssvc.exe
Token: SeAuditPrivilege	3608	vssvc.exe
Token: SeBackupPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeBackupPrivilege	2460	srtasks.exe
Token: SeRestorePrivilege	2460	srtasks.exe
Token: SeSecurityPrivilege	2460	srtasks.exe
Token: SeTakeOwnershipPrivilege	2460	srtasks.exe
Token: SeBackupPrivilege	2460	srtasks.exe
Token: SeRestorePrivilege	2460	srtasks.exe
Token: SeSecurityPrivilege	2460	srtasks.exe
Token: SeTakeOwnershipPrivilege	2460	srtasks.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4152	msiexec.exe
4152	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2460	2324	msiexec.exe	95
PID 2324 wrote to memory of 2460	2324	msiexec.exe	95
PID 2324 wrote to memory of 1644	2324	msiexec.exe	97
PID 2324 wrote to memory of 1644	2324	msiexec.exe	97
PID 2324 wrote to memory of 1644	2324	msiexec.exe	97
PID 2324 wrote to memory of 536	2324	msiexec.exe	98
PID 2324 wrote to memory of 536	2324	msiexec.exe	98
PID 2324 wrote to memory of 536	2324	msiexec.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6a1db5af5083758b437f10a1a27f0d4f313b1ef78bfa5491d3d58dbe742a7f17.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4152

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\Installer\MSIDFB2.tmp
  "C:\Windows\Installer\MSIDFB2.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1644
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3C6DBA7E5A28629702EA212C75D61FC3
  2⤵
  - System Location Discovery: System Language Discovery
  PID:536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSIDFB2.tmp

Filesize
124KB

MD5
dee96e7a910a9f64cf83e9e8394ffa15

SHA1
20550291a07b83d24c1d2c1842a5697e887e639f

SHA256
2d5ab6c2da86c853d53837610cd149680523b8ea9677d78d571355fb8086fa2b

SHA512
413a57e9b11121833e92f693cbe3c725b5125d36ab04b3ec4c589b0a4ad72c7c0c05d203c1b4fe0524008f5255830c783c1d24609093b1f01f72a3593ff5097b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
76d0787d0b75bf6e6dcc12050f2ccb14

SHA1
7b130efdc43bd7bbc33ae28b8ecb6ecd5a02a917

SHA256
ddf47909791e65795d4f1bd5643e817c7d1f48ae4d61642171d46222c97c2a23

SHA512
8136e3f77b1dcce9edec00aa3756147fbd6ceb922c6a01f8a314dd551c0a2726bba5537d69e3a6b1b1ae7d9a8ae4c37383d5592b5b30a51348e4648a928e4752

Download Submit
\??\Volume{f1c9ec80-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e2613f49-cd20-4fd5-ac67-a2593d5ad4ca}_OnDiskSnapshotProp

Filesize
6KB

MD5
08958c340b7fe836410675c061520806

SHA1
0ca35648ed57e9ef0fcc38c9f303c7a3b3dca77a

SHA256
39921ada94d5a071f66ab6122b870ea7e3f26d5d48919fe1251643040d0eed43

SHA512
c14bfe76df5e8701c7b5255bc907b7afd43de6b73cecaf2f1d29c43504facb0cbc05105f5efb409ecb81fafd6bbf9f8290686d4fce203f9a7024c7165fb320fb

Download Submit