metasploit | 6d22d9e2c7a3c3d0063a8faec8dc2adccaff2b834a3fe9a1bb4bad6e43ae91dc

Resubmissions

07-11-2024 15:19

241107-sqffcavcpn 10

26-10-2024 21:50

241026-1pw1pszape 10

26-10-2024 21:43

241026-1k53tazhlq 10

Analysis

max time kernel
77s
max time network
80s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-10-2024 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d22d9e2c7a3c3d0063a8faec8dc2adccaff2b834a3fe9a1bb4bad6e43ae91dc.exe
Size

2.8MB
MD5

e04ecdd8ffdc552a1487fc06fe7b7d32
SHA1

6bbc335e0a245fff6a76609cce91002a9b4fa4da
SHA256

6d22d9e2c7a3c3d0063a8faec8dc2adccaff2b834a3fe9a1bb4bad6e43ae91dc
SHA512

8c7d78d34efcfe4fff5657c2d77fa166e018705e0430472a1ed68404e1e2643dfc1216d1a4e10d6e900409edc301139ebd8513e06f9b1c63721f80ffa2a8e906
SSDEEP

49152:QTv13vUrb/TvvO90dL3BmAFd4A64nsfJ2O4w7mtxwenpxgmM9GgoW0D1/xhN/v38:m3vXR907bN/1XVK

Score

10^/10

metasploit backdoor discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

192.168.65.128:9999

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Suspicious use of SetThreadContext 1 IoCs

Processes:

6d22d9e2c7a3c3d0063a8faec8dc2adccaff2b834a3fe9a1bb4bad6e43ae91dc.exe

description	pid	Process	procid_target
PID 4104 set thread context of 2808	4104	6d22d9e2c7a3c3d0063a8faec8dc2adccaff2b834a3fe9a1bb4bad6e43ae91dc.exe	78

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

FileCoAuth.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Modifies registry class 4 IoCs

Processes:

BackgroundTransferHost.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description	pid	Process
Token: 33	1440	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1440	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

osk.exe

pid	Process
4484	osk.exe
4484	osk.exe
4484	osk.exe
4484	osk.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6d22d9e2c7a3c3d0063a8faec8dc2adccaff2b834a3fe9a1bb4bad6e43ae91dc.exeATBroker.exe

description	pid	Process	procid_target
PID 4104 wrote to memory of 2808	4104	6d22d9e2c7a3c3d0063a8faec8dc2adccaff2b834a3fe9a1bb4bad6e43ae91dc.exe	78
PID 4104 wrote to memory of 2808	4104	6d22d9e2c7a3c3d0063a8faec8dc2adccaff2b834a3fe9a1bb4bad6e43ae91dc.exe	78
PID 4104 wrote to memory of 2808	4104	6d22d9e2c7a3c3d0063a8faec8dc2adccaff2b834a3fe9a1bb4bad6e43ae91dc.exe	78
PID 4104 wrote to memory of 2808	4104	6d22d9e2c7a3c3d0063a8faec8dc2adccaff2b834a3fe9a1bb4bad6e43ae91dc.exe	78
PID 4104 wrote to memory of 2808	4104	6d22d9e2c7a3c3d0063a8faec8dc2adccaff2b834a3fe9a1bb4bad6e43ae91dc.exe	78
PID 4104 wrote to memory of 2808	4104	6d22d9e2c7a3c3d0063a8faec8dc2adccaff2b834a3fe9a1bb4bad6e43ae91dc.exe	78
PID 4104 wrote to memory of 2808	4104	6d22d9e2c7a3c3d0063a8faec8dc2adccaff2b834a3fe9a1bb4bad6e43ae91dc.exe	78
PID 4212 wrote to memory of 4484	4212	ATBroker.exe	91
PID 4212 wrote to memory of 4484	4212	ATBroker.exe	91

C:\Users\Admin\AppData\Local\Temp\6d22d9e2c7a3c3d0063a8faec8dc2adccaff2b834a3fe9a1bb4bad6e43ae91dc.exe
"C:\Users\Admin\AppData\Local\Temp\6d22d9e2c7a3c3d0063a8faec8dc2adccaff2b834a3fe9a1bb4bad6e43ae91dc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1392

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1844

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1940

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4844

C:\Windows\System32\ATBroker.exe
C:\Windows\System32\ATBroker.exe /start osk
1⤵
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\System32\osk.exe
  "C:\Windows\System32\osk.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4484

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x000000000000046C
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\c9ac24cc-81da-4c0a-9fa4-dbd3e660e6b0.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
memory/2808-0-0x00007FF69F140000-0x00007FF69F145000-memory.dmp

Filesize
20KB

Download
memory/2808-7-0x00007FF69F140000-0x00007FF69F145000-memory.dmp

Filesize
20KB

Download
memory/2808-6-0x00007FF69F140000-0x00007FF69F144278-memory.dmp

Filesize
16KB

Download