metasploit | 112c7bc3e4c1565bd2c3a1e94de97ded379020655338206a8f0760282bb34b76

General

Target

112c7bc3e4c1565bd2c3a1e94de97ded379020655338206a8f0760282bb34b76.exe
Size

2.6MB
MD5

7c10602aacb99aacec3dfce60452fadc
SHA1

75976104c539e62736a7ea697f86582e6884d306
SHA256

112c7bc3e4c1565bd2c3a1e94de97ded379020655338206a8f0760282bb34b76
SHA512

1da2d169069cfbc21e370d889d4b068cecaf1c5752e22e1459f82cd0de1055907153ff3e05eb4a78b5e10767468c6153b02a42de8dbb26c8b25c3b11ae1ecb84
SSDEEP

49152:jZB1G8YMZfyI6jfYdZFSzqDm5qDYho6QADT5zFl5uy55Sl/HgIc9Cg03TGjytsUA:93G6Zfe+bSaCqkR5uy7qHgh1eTGgHA

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

192.168.106.131:1111

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 2 IoCs

pid	Process
2528	hm.exe
2224	SteamSetup.exe

Loads dropped DLL 4 IoCs

pid	Process
328	112c7bc3e4c1565bd2c3a1e94de97ded379020655338206a8f0760282bb34b76.exe
328	112c7bc3e4c1565bd2c3a1e94de97ded379020655338206a8f0760282bb34b76.exe
2224	SteamSetup.exe
2224	SteamSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2224	SteamSetup.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 2528	328	112c7bc3e4c1565bd2c3a1e94de97ded379020655338206a8f0760282bb34b76.exe	30
PID 328 wrote to memory of 2528	328	112c7bc3e4c1565bd2c3a1e94de97ded379020655338206a8f0760282bb34b76.exe	30
PID 328 wrote to memory of 2528	328	112c7bc3e4c1565bd2c3a1e94de97ded379020655338206a8f0760282bb34b76.exe	30
PID 328 wrote to memory of 2224	328	112c7bc3e4c1565bd2c3a1e94de97ded379020655338206a8f0760282bb34b76.exe	31
PID 328 wrote to memory of 2224	328	112c7bc3e4c1565bd2c3a1e94de97ded379020655338206a8f0760282bb34b76.exe	31
PID 328 wrote to memory of 2224	328	112c7bc3e4c1565bd2c3a1e94de97ded379020655338206a8f0760282bb34b76.exe	31
PID 328 wrote to memory of 2224	328	112c7bc3e4c1565bd2c3a1e94de97ded379020655338206a8f0760282bb34b76.exe	31
PID 328 wrote to memory of 2224	328	112c7bc3e4c1565bd2c3a1e94de97ded379020655338206a8f0760282bb34b76.exe	31
PID 328 wrote to memory of 2224	328	112c7bc3e4c1565bd2c3a1e94de97ded379020655338206a8f0760282bb34b76.exe	31
PID 328 wrote to memory of 2224	328	112c7bc3e4c1565bd2c3a1e94de97ded379020655338206a8f0760282bb34b76.exe	31

C:\Users\Admin\AppData\Local\Temp\112c7bc3e4c1565bd2c3a1e94de97ded379020655338206a8f0760282bb34b76.exe
"C:\Users\Admin\AppData\Local\Temp\112c7bc3e4c1565bd2c3a1e94de97ded379020655338206a8f0760282bb34b76.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:328
- C:\windows\temp\hm.exe
  "C:\windows\temp\hm.exe" /windows/temp/hm.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\windows\temp\SteamSetup.exe
  "C:\windows\temp\SteamSetup.exe" /windows/temp/SteamSetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\SteamSetup.exe

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
C:\Windows\Temp\hm.exe

Filesize
7KB

MD5
3f4f6bcf6562ba719f22130ff43b2cdc

SHA1
7a967c9f2c746fc138e812dcf346d021b3058fa2

SHA256
30f9515b23e1dd56faebdecb88189a13cc67ddcbd91af485f64222b87065e44d

SHA512
84133dc3a6bc6b25c92012bce840bb570ebcbaf0f67159b3068eb11d1196e715996372ddec6acd91391b3d541badb06579d50f6f014494e5e95eeff1b4c5bc49

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB6A4.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB6A4.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
memory/328-11-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/328-6-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2528-15-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download
memory/2528-41-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download

Analysis

Sharing