metasploit | 136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de

General

Target

136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de.exe
Size

522KB
MD5

06a0c92c691e980875b3345ce72fe78b
SHA1

ab38c20a9e04f0ffe951a194075c296373e3e367
SHA256

136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de
SHA512

ea60783778989f0979e6edc25b4877d073ac7ea0a067fd7750a679eb6f380212e739ef07d6239911a4a3604e236ccdf65df6fd9faccd37f2c25116844e91f2cb
SSDEEP

12288:JzxzTDWikLSb4NS7QX+tjUXZkzF4Lyqe185h9pp3bQ/FO:zDWHSb4NkJ4S6hE/s

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

8.130.82.167:5544

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 1 IoCs

pid	Process
336	i0C.exe

Loads dropped DLL 1 IoCs

pid	Process
2292	136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1808	WINWORD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1808	WINWORD.EXE
1808	WINWORD.EXE
1808	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 336	2292	136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de.exe	28
PID 2292 wrote to memory of 336	2292	136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de.exe	28
PID 2292 wrote to memory of 336	2292	136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de.exe	28
PID 2292 wrote to memory of 336	2292	136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de.exe	28
PID 2292 wrote to memory of 1808	2292	136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de.exe	29
PID 2292 wrote to memory of 1808	2292	136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de.exe	29
PID 2292 wrote to memory of 1808	2292	136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de.exe	29
PID 2292 wrote to memory of 1808	2292	136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de.exe	29
PID 1808 wrote to memory of 2672	1808	WINWORD.EXE	33
PID 1808 wrote to memory of 2672	1808	WINWORD.EXE	33
PID 1808 wrote to memory of 2672	1808	WINWORD.EXE	33
PID 1808 wrote to memory of 2672	1808	WINWORD.EXE	33

C:\Users\Admin\AppData\Local\Temp\136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de.exe
"C:\Users\Admin\AppData\Local\Temp\136e03127b12cc2b5242530339b24ad7c082741c152783d996b3fa63bc21f6de.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\windows\temp\i0C.exe
  "C:\windows\temp\i0C.exe"
  2⤵
  - Executes dropped EXE
  PID:336
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\windows\temp\3950.docx"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
0ba659b788598535c0a59946b8138d75

SHA1
58dc797a284a917d0aab05f55768191aee761840

SHA256
4904ce0768739a46a2d6453fd2b461d88f0f9834f020fed8ba781aa144097dab

SHA512
2203568f89038e111f21dcd7eee1215db259d692ecdb91c07e04a48dc6ce9b762228a850cdbbbf120e09a6cfb25a7ce75c16a1ee89dab000f6ba8d50289eb5ba

Download Submit
C:\windows\temp\3950.docx

Filesize
30KB

MD5
daadd19803a76add7d5d0d707172c1d1

SHA1
c9d71423fca459786073a6bdfa48f4a1636335ad

SHA256
79c64517400d205f149825cb196576cdf9a2ce7d41b554d5065de0ec71ef1c29

SHA512
ce567bacb900ed86f89c987020781bd3cb6e9cfc78d346e508d81c3d17ae9526ea89f7ce6f8c532211e36116397ea15ac9dcb91131f58e12a2c3df12a5acffa6

Download Submit
\Windows\Temp\i0C.exe

Filesize
650KB

MD5
98ce25fcd5b58bf3a90ba1b4c306cbc1

SHA1
93f89bf4754809702df814db2be8f2d905128402

SHA256
b3174a40b59341a5604ac5878c80ec7033f223c4122ff407c1c61a5231dea84e

SHA512
01ca4d9bfd35944f8888713a296f857e9b7c7f72a4f1883cd56089b728c2056576e7e48dfd877b506653054beeee9a0982b48d4718dd7fac3f8830e9a26615c8

Download Submit
memory/336-14-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/336-16-0x000000013F860000-0x000000013F8FD000-memory.dmp

Filesize
628KB

Download
memory/1808-9-0x000000002F241000-0x000000002F242000-memory.dmp

Filesize
4KB

Download
memory/1808-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1808-11-0x000000007105D000-0x0000000071068000-memory.dmp

Filesize
44KB

Download
memory/1808-17-0x000000007105D000-0x0000000071068000-memory.dmp

Filesize
44KB

Download
memory/1808-39-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1808-40-0x000000007105D000-0x0000000071068000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing