metasploit | 1f55469c3f411e773cfc817ada68421343bd21bdb9ba9b99904ba759e3bd7232

General

Target

1f55469c3f411e773cfc817ada68421343bd21bdb9ba9b99904ba759e3bd7232.exe
Size

2.7MB
MD5

cb774bd4732de28267dacc87b5539a4f
SHA1

9ca2a8cee0b3e63a382a3086246213ade2b8a1b4
SHA256

1f55469c3f411e773cfc817ada68421343bd21bdb9ba9b99904ba759e3bd7232
SHA512

a2b0820fbf244d565a1b5c1307845769650867f0630060d6c084c2ad9279ec1b4ab54d29b7f7c551c7a1b365cda94c7ece24db98b1d770223cc5137ea55d9990
SSDEEP

49152:1ZB1G8YSDQZfyI6jfYdZFSzqDm5qDYho6QADT5zFl5uy55Sl/HgIc9Cg03TGjytg:P3GTZfe+bSaCqkR5uy7qHgh1eTGgHA

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

192.168.106.131:1111

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 2 IoCs

pid	Process
1808	hm.exe
2160	SteamSetup.exe

Loads dropped DLL 4 IoCs

pid	Process
2976	1f55469c3f411e773cfc817ada68421343bd21bdb9ba9b99904ba759e3bd7232.exe
2976	1f55469c3f411e773cfc817ada68421343bd21bdb9ba9b99904ba759e3bd7232.exe
2160	SteamSetup.exe
2160	SteamSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2160	SteamSetup.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 1808	2976	1f55469c3f411e773cfc817ada68421343bd21bdb9ba9b99904ba759e3bd7232.exe	30
PID 2976 wrote to memory of 1808	2976	1f55469c3f411e773cfc817ada68421343bd21bdb9ba9b99904ba759e3bd7232.exe	30
PID 2976 wrote to memory of 1808	2976	1f55469c3f411e773cfc817ada68421343bd21bdb9ba9b99904ba759e3bd7232.exe	30
PID 2976 wrote to memory of 2160	2976	1f55469c3f411e773cfc817ada68421343bd21bdb9ba9b99904ba759e3bd7232.exe	31
PID 2976 wrote to memory of 2160	2976	1f55469c3f411e773cfc817ada68421343bd21bdb9ba9b99904ba759e3bd7232.exe	31
PID 2976 wrote to memory of 2160	2976	1f55469c3f411e773cfc817ada68421343bd21bdb9ba9b99904ba759e3bd7232.exe	31
PID 2976 wrote to memory of 2160	2976	1f55469c3f411e773cfc817ada68421343bd21bdb9ba9b99904ba759e3bd7232.exe	31
PID 2976 wrote to memory of 2160	2976	1f55469c3f411e773cfc817ada68421343bd21bdb9ba9b99904ba759e3bd7232.exe	31
PID 2976 wrote to memory of 2160	2976	1f55469c3f411e773cfc817ada68421343bd21bdb9ba9b99904ba759e3bd7232.exe	31
PID 2976 wrote to memory of 2160	2976	1f55469c3f411e773cfc817ada68421343bd21bdb9ba9b99904ba759e3bd7232.exe	31

C:\Users\Admin\AppData\Local\Temp\1f55469c3f411e773cfc817ada68421343bd21bdb9ba9b99904ba759e3bd7232.exe
"C:\Users\Admin\AppData\Local\Temp\1f55469c3f411e773cfc817ada68421343bd21bdb9ba9b99904ba759e3bd7232.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976
- C:\windows\temp\hm.exe
  "C:\windows\temp\hm.exe" /windows/temp/hm.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\windows\temp\SteamSetup.exe
  "C:\windows\temp\SteamSetup.exe" /windows/temp/SteamSetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\SteamSetup.exe

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB1C4.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
\Windows\Temp\hm.exe

Filesize
7KB

MD5
3f4f6bcf6562ba719f22130ff43b2cdc

SHA1
7a967c9f2c746fc138e812dcf346d021b3058fa2

SHA256
30f9515b23e1dd56faebdecb88189a13cc67ddcbd91af485f64222b87065e44d

SHA512
84133dc3a6bc6b25c92012bce840bb570ebcbaf0f67159b3068eb11d1196e715996372ddec6acd91391b3d541badb06579d50f6f014494e5e95eeff1b4c5bc49

Download Submit
memory/1808-14-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download
memory/2976-6-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing