metasploit | 136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de

General

Target

file.exe
Size

522KB
MD5

06a0c92c691e980875b3345ce72fe78b
SHA1

ab38c20a9e04f0ffe951a194075c296373e3e367
SHA256

136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de
SHA512

ea60783778989f0979e6edc25b4877d073ac7ea0a067fd7750a679eb6f380212e739ef07d6239911a4a3604e236ccdf65df6fd9faccd37f2c25116844e91f2cb
SSDEEP

12288:JzxzTDWikLSb4NS7QX+tjUXZkzF4Lyqe185h9pp3bQ/FO:zDWHSb4NkJ4S6hE/s

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

8.130.82.167:5544

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 1 IoCs

pid	Process
2308	i0C.exe

Loads dropped DLL 1 IoCs

pid	Process
2824	file.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2736	WINWORD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2308	2824	file.exe	31
PID 2824 wrote to memory of 2308	2824	file.exe	31
PID 2824 wrote to memory of 2308	2824	file.exe	31
PID 2824 wrote to memory of 2308	2824	file.exe	31
PID 2824 wrote to memory of 2736	2824	file.exe	32
PID 2824 wrote to memory of 2736	2824	file.exe	32
PID 2824 wrote to memory of 2736	2824	file.exe	32
PID 2824 wrote to memory of 2736	2824	file.exe	32
PID 2736 wrote to memory of 2200	2736	WINWORD.EXE	34
PID 2736 wrote to memory of 2200	2736	WINWORD.EXE	34
PID 2736 wrote to memory of 2200	2736	WINWORD.EXE	34
PID 2736 wrote to memory of 2200	2736	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824
- C:\windows\temp\i0C.exe
  "C:\windows\temp\i0C.exe"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\windows\temp\3950.docx"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
acb59f522f3a18d32794e166b79f13e7

SHA1
53bfec3e07d056b4f0d24c6e8a82fb0b00ed8fbc

SHA256
046ac24ef6d3b8813898dabc857289ad18db2240f550c6a077c3d3bcd8d1d35b

SHA512
f626d8ef8593e96f2f6db8b437d4cccbe7fea6dd7c447f30e75b843c1a2e922957ed36072215fe9dc8b28429f3383bd3ffcfbfdc901e352ae32602b0917831de

Download Submit
C:\windows\temp\3950.docx

Filesize
30KB

MD5
daadd19803a76add7d5d0d707172c1d1

SHA1
c9d71423fca459786073a6bdfa48f4a1636335ad

SHA256
79c64517400d205f149825cb196576cdf9a2ce7d41b554d5065de0ec71ef1c29

SHA512
ce567bacb900ed86f89c987020781bd3cb6e9cfc78d346e508d81c3d17ae9526ea89f7ce6f8c532211e36116397ea15ac9dcb91131f58e12a2c3df12a5acffa6

Download Submit
\Windows\Temp\i0C.exe

Filesize
650KB

MD5
98ce25fcd5b58bf3a90ba1b4c306cbc1

SHA1
93f89bf4754809702df814db2be8f2d905128402

SHA256
b3174a40b59341a5604ac5878c80ec7033f223c4122ff407c1c61a5231dea84e

SHA512
01ca4d9bfd35944f8888713a296f857e9b7c7f72a4f1883cd56089b728c2056576e7e48dfd877b506653054beeee9a0982b48d4718dd7fac3f8830e9a26615c8

Download Submit
memory/2308-13-0x0000000000500000-0x0000000000506000-memory.dmp

Filesize
24KB

Download
memory/2308-15-0x000000013F370000-0x000000013F40D000-memory.dmp

Filesize
628KB

Download
memory/2736-9-0x000000002FC71000-0x000000002FC72000-memory.dmp

Filesize
4KB

Download
memory/2736-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2736-11-0x000000007181D000-0x0000000071828000-memory.dmp

Filesize
44KB

Download
memory/2736-16-0x000000007181D000-0x0000000071828000-memory.dmp

Filesize
44KB

Download
memory/2736-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2736-38-0x000000007181D000-0x0000000071828000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing