metasploit | 7e7c00740baa58af22ef6f825d86344732464a4e325b5eb6f93f33898de079fa

Analysis

max time kernel
6s
max time network
1s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56a9736b82bc9f65ddad590d1edfd9df26b5d97ecfeb48787f6ccc00ce26597a.exe
Size

4.0MB
MD5

83be4f97ca8793343140a9d107ad35b3
SHA1

6303977a4bed77b4157daa1f9ca32967d282f639
SHA256

56a9736b82bc9f65ddad590d1edfd9df26b5d97ecfeb48787f6ccc00ce26597a
SHA512

0b1167252debdaf493d5ef9464ea056e57a3243feef1e6f50cdae1dea5f6e24ab2bb406a245a85b98f3381851d1132c01f1b807f6a37e764f138675bac034fca
SSDEEP

98304:UKlAOiZrq1DfPH9sDJVur+B9a+DI47j7wnG2OLEyFvs:UMAO79sDJVur+BjfU7O0

Score

10^/10

metasploit backdoor bootkit discovery persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 1 IoCs

pid	Process
2208	ARP.EXE

Loads dropped DLL 1 IoCs

pid	Process
684	56a9736b82bc9f65ddad590d1edfd9df26b5d97ecfeb48787f6ccc00ce26597a.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ARP.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56a9736b82bc9f65ddad590d1edfd9df26b5d97ecfeb48787f6ccc00ce26597a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2208	ARP.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 2208	684	56a9736b82bc9f65ddad590d1edfd9df26b5d97ecfeb48787f6ccc00ce26597a.exe	30
PID 684 wrote to memory of 2208	684	56a9736b82bc9f65ddad590d1edfd9df26b5d97ecfeb48787f6ccc00ce26597a.exe	30
PID 684 wrote to memory of 2208	684	56a9736b82bc9f65ddad590d1edfd9df26b5d97ecfeb48787f6ccc00ce26597a.exe	30
PID 684 wrote to memory of 2208	684	56a9736b82bc9f65ddad590d1edfd9df26b5d97ecfeb48787f6ccc00ce26597a.exe	30

C:\Users\Admin\AppData\Local\Temp\56a9736b82bc9f65ddad590d1edfd9df26b5d97ecfeb48787f6ccc00ce26597a.exe
"C:\Users\Admin\AppData\Local\Temp\56a9736b82bc9f65ddad590d1edfd9df26b5d97ecfeb48787f6ccc00ce26597a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:684
- C:\Users\Admin\AppData\Roaming\{91143b4c-9707-4ef8-8e91-dd6ae0a6a4cb}\ARP.EXE
  "C:\Users\Admin\AppData\Roaming\{91143b4c-9707-4ef8-8e91-dd6ae0a6a4cb}\ARP.EXE"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\{91143b4c-9707-4ef8-8e91-dd6ae0a6a4cb}\ARP.EXE

Filesize
4.0MB

MD5
83be4f97ca8793343140a9d107ad35b3

SHA1
6303977a4bed77b4157daa1f9ca32967d282f639

SHA256
56a9736b82bc9f65ddad590d1edfd9df26b5d97ecfeb48787f6ccc00ce26597a

SHA512
0b1167252debdaf493d5ef9464ea056e57a3243feef1e6f50cdae1dea5f6e24ab2bb406a245a85b98f3381851d1132c01f1b807f6a37e764f138675bac034fca

Download Submit
memory/684-0-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/684-1-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/684-13-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/684-14-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/2208-15-0x00000000001E0000-0x00000000001F6000-memory.dmp

Filesize
88KB

Download
memory/2208-16-0x0000000000200000-0x000000000021A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads