metasploit | ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f

Analysis

max time kernel
107s
max time network
99s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f.exe
Size

5.5MB
MD5

81ffe820eadd46ea42cc17d074d0321e
SHA1

37aedfb02e4c6bb281779e671bb5bbe42197841f
SHA256

ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f
SHA512

28787aa6ccc7666348c17cab777fb89d4846513fc9ae21ea8ebd9fe713147b284e96991933b24157629269803bcf0a6813c7e2504b2cdecf66607d2821139352
SSDEEP

49152:UVJjcsVXXpDYALLRENU9Qd+buk8u/HxjCLdJdZc4rgDQMHLZQB+ELtH1PDCYxEBF:UVJjceXWU9w6ZZHEXJ/BPLdtSf7

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

172.20.10.2:88

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 1 IoCs

pid	Process
1044	Avira.Spotlight.Bootstrapper.exe

Loads dropped DLL 33 IoCs

pid	Process
2792	ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Security	Avira.Spotlight.Bootstrapper.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\SOFTWARE\Avira\Security\UserInterface	Avira.Spotlight.Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Security\UserInterface	Avira.Spotlight.Bootstrapper.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avira.Spotlight.Bootstrapper.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}	Avira.Spotlight.Bootstrapper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "52048e406bd6468b9f29c3ab556643fd1d9eab0c"	Avira.Spotlight.Bootstrapper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Avira.Spotlight.Bootstrapper.exe	ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Avira.Spotlight.Bootstrapper.exe\NoStartPage = "0"	ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2552	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	Avira.Spotlight.Bootstrapper.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1044	Avira.Spotlight.Bootstrapper.exe
1044	Avira.Spotlight.Bootstrapper.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2552	2792	ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f.exe	29
PID 2792 wrote to memory of 2552	2792	ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f.exe	29
PID 2792 wrote to memory of 2552	2792	ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f.exe	29
PID 2792 wrote to memory of 2552	2792	ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f.exe	29
PID 2792 wrote to memory of 1044	2792	ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f.exe	31
PID 2792 wrote to memory of 1044	2792	ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f.exe	31
PID 2792 wrote to memory of 1044	2792	ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f.exe	31
PID 2792 wrote to memory of 1044	2792	ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f.exe	31

C:\Users\Admin\AppData\Local\Temp\ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f.exe
"C:\Users\Admin\AppData\Local\Temp\ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /Xml "C:\Users\Admin\AppData\Local\Temp\.CR.1683\Avira_Security_Installation.xml" /F /TN "Avira_Security_Installation"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\.CR.10867\Avira.Spotlight.Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\.CR.10867\Avira.Spotlight.Bootstrapper.exe" "C:\Users\Admin\AppData\Local\Temp\.CR.10867\Avira.Spotlight.Bootstrapper.exe" OriginalFileName=ec6495eb01b0e205e4e3f4e8f85ef3fa4ef8680c236bab5c7c0f02c3b360ba7f.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.CR.1683\Avira_Security_Installation.xml

Filesize
1KB

MD5
4ef3425d47b36056e7a0f0184d3bde5a

SHA1
2908b16e43ccab0ec30707f39aad5a567bb18dfc

SHA256
ee3dc1ef329cb3f0174372249769426873ce41a45b3f688c2a24202c5186072a

SHA512
f53bcdff73b2975be4c2e1ab87b4de51d66c8834fd37a09280d5786bed1902176c411b2dac3ef36bab6b22d120f0e45cb683e9786ca2081a6a5d8c8efed42e1c

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.10867\AVIRA.COMMON.GUARDS.DLL

Filesize
24KB

MD5
28dbc8e54ed172e24c309e71006f7e75

SHA1
502e41562465faa67413984ae51418807374e07e

SHA256
309e6633e937bc483c77a73bd72a30943542d4505c4fae66bfa40cb0ed6ecc01

SHA512
154dad39306487a9a94e6be987dad5cc9a329bba5afa10ac7934429e8942ae2b363b9cc9c7b999aa5c79e74f59db9e3077353226291fc462f83b3ae75b1443b9

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.10867\AVIRA.COMMON.MIXPANEL.DLL

Filesize
43KB

MD5
09daae0fe7cf600deb391bf7e2838e10

SHA1
0083224dff36607b932aa8790d3b0dced1b2cd59

SHA256
95496ba62500013959d0e28dfee14512f10ca84bb0e2eced438b3139e987cd12

SHA512
8e9076b8d4598d2642cfde16d2d157a979e000f5c0fc63ed28a88480bb43649f0f280f9784a1b46415e7db70471d9a7156e57b372ca15a8e60c00aa83d5dc435

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.10867\AVIRA.SPOTLIGHT.BOOTSTRAPPER.CORE.DLL

Filesize
282KB

MD5
6a90f1d7b869f0b9eed07bd4a2c71271

SHA1
c17487f0cea89c003415ff05f42551a9480af85e

SHA256
15a23836fdf052dc01af514f7baaf509777816abee9f3a0ee58a798c32964f15

SHA512
b73547a725e0507e293b9bf351cc3d52c2fd16eaa3b4706ce88d7b252163f94f3ece28c247e2af86c7241c21910e5564ccab06be044c479ea0cc50c150806ea3

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.10867\AVIRA.SPOTLIGHT.BOOTSTRAPPER.ENGINE.DLL

Filesize
333KB

MD5
dae7a4bdfaad6a6386f3ba6f3b6b70fc

SHA1
162728f0ca4188a16d5ca2f41470f3c3c0e60b23

SHA256
4535f10d6cbde7086beaba9539018b686c3b5768b0582433990931166bc0c384

SHA512
be1b3ae31d6a36a111112004f960ea42d26a82da12fa0de2c8bb8bda90bd8a2e4c5621610426d847a354206cab380e0011542888f3d8d4b89817ce8f338a6780

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.10867\AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE

Filesize
1.5MB

MD5
15f0f3a5eab3bc92cc43d4c411ed6b47

SHA1
013216818044548cd9f941c3c182f1fdf7b9feab

SHA256
4c7bbc6bd2256c0107a1183682812e4590cdcb9831ff9a356cb252a568edb7ae

SHA512
d5e164842a9bc043e06442ce8a2932ed4644277badc43bf8646548fcf845fb21f55e918456f48a7eded63a9c603eed708d0303ae0fdf0558418c205942a37c6b

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.10867\AVIRA.SPOTLIGHT.BOOTSTRAPPER.LOGGING.DLL

Filesize
172KB

MD5
4822c4250e3cfa7c8455793fbf472fd9

SHA1
df1948409344cefc14eb92564d644f5ad7afd705

SHA256
846f9cd3f28619ea13f511dc6c280f0fcc1a887d61df2ccd593937f2e7d4be00

SHA512
82aa7acd8148e76a3a9cc83aa0fa1d0419ff39f345286e1b4f5e77c4a70ce98f23ca29124059af8dc1bdf561d8a9ca3144f639a7ce885fcbaddff980e12143b6

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.10867\AVIRA.SPOTLIGHT.BOOTSTRAPPER.TELEMETRY.INTERFACE.DLL

Filesize
173KB

MD5
e4611ead4c3c8878cb49ac873f4c8b97

SHA1
a37e0574d2cd7d1f679e08dac327afcf4543253b

SHA256
946f53b8e37c24a0aee1fe05118940c794fef751738ff3ba12b2571614b3411c

SHA512
68660467a54b4a2d26f14e2bbe5fbb6dec6b5ac5ea8b931fa9ee8d70f0ee207f8ba3a518c77a6905281dfcbe84dc911a708b9b0e432d866450e5f81eeafa742c

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.10867\DRYIOC.DLL

Filesize
449KB

MD5
270d1e9f3e19fd7f1081bf977991e9bb

SHA1
a0b5749e0be8e2c7778b5e9145b4f1082ba65294

SHA256
8e43cc8ba0469e74571071eff5772e08b8b7230969cd31a09e0430136903be84

SHA512
05bb7053ceffc5852fd69c24bc1bc714444bc539d897a9566909a54a1b7f9493d0d1498a1c9c3296ccaab5c5b45d6511fed93ccda674eeeab329861c85473a16

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.10867\DRYIOC.MEFATTRIBUTEDMODEL.DLL

Filesize
79KB

MD5
58c7fd93db3d08f6204bd98e8bed89a9

SHA1
4ac0016ba2989363d3689d37d877bbfe0bef4e39

SHA256
2bba1292b521f0450b082ac44d10cf1896dc69ae1c22e6a2801f224fd5a814f6

SHA512
05bf1809ded2e8db433bdc96448c187ffd16adaeb2a0009c0d7a570d3e27c4649ec8e089a8ddf26471b0cc9054c6d2d5e4bf2e84b3ed4c109fe7b38044a2a460

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.10867\DRYIOCATTRIBUTES.DLL

Filesize
40KB

MD5
f87ee5b601cd9c68d4a4acf52c85a3e8

SHA1
af1c8ef51377822ed915f89fcf19c695b4730f1c

SHA256
f719705ed9d671d2aaf1487ca8900fec54bc7ba562f0d0a459da71321d592465

SHA512
c15c638348c0f55ef5bba3668c24e7de8632278cb12592a034186803eea6f6847aebad3fda6bc9175af52bae2ae616b992b02cc75105eaeaecbd9326c5403fd8

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.10867\EN-US\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL

Filesize
28KB

MD5
95535327db75046a2f058d02935ce199

SHA1
c1cc4f863fec73e9de67d11c3356463984662d96

SHA256
c3290bf79e27ace9d38e85d2f0b3d27b55c503ea69666a2501269d38dd8d572e

SHA512
5f14b2561bea07f0974daa40123cef335d556f129931bbc1b485154d7797f2ed4d1dc673fd4e1f22c90bbcab9c46096ff29561642d781a47c78223449355567e

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.10867\MICROSOFT.WINDOWS.SHELL.DLL

Filesize
172KB

MD5
ad314e5fc0158ff35234d8e9cf514a0b

SHA1
28cded0755256daa55f86331908e19808ba6837c

SHA256
0f57fb0e38cc95d30909fced1e1ad8ec5651ebc907351abc7d1f604a853fa5d7

SHA512
7f2c56021407969dad81e9c3deb42cce7d4a3e884acc32583c01c1f97484711747032b89cd846d25ae2d3d15ed6e8298fc7edec7b9b352d15dbe7fcef68337dc

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.10867\PRODUCTLABEL.COMMON.DLL

Filesize
188KB

MD5
4d9c6c0ad3ae45ce9e23a282a5d3c0d4

SHA1
10fabd203df3531d9bbe61a36a9e3ee7d313469f

SHA256
8e41eaac1980688511a560004de05e49ce4bf382704dff6ed075b28eda8a18c5

SHA512
e0f9f66dee7d846ed74adb14885a66d6819b045b06c74dbfd6dd89d9ab337370a67566fda2f02b730fa5fb1adf637c7ca942b38139079de2509420ec28eb38ad

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.10867\PRODUCTLABEL.DLL

Filesize
662KB

MD5
1fd7239b3fa452e5954a45f694d44552

SHA1
d90dfb039e29f46dc5da1d3cd3fdbb35177feaf6

SHA256
d817a962fcc1ca03d94172406a9d7d779521176f0f2dd4485b65c9c72493053d

SHA512
342f3e7a3ea6fefaca6c864b0374c681805422593c8793fc9fdc8b4439369fd0ddb5dae4d85292da97a0cfebb62ac682d2907411a773bfe1e159c8fb850ab501

Download Submit
memory/1044-32-0x0000000004AF0000-0x0000000004B94000-memory.dmp

Filesize
656KB

Download
memory/1044-48-0x0000000004A80000-0x0000000004AAC000-memory.dmp

Filesize
176KB

Download
memory/1044-26-0x0000000004410000-0x0000000004440000-memory.dmp

Filesize
192KB

Download
memory/1044-23-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/1044-35-0x0000000004AF0000-0x0000000004B94000-memory.dmp

Filesize
656KB

Download
memory/1044-65-0x00000000055A0000-0x00000000055AA000-memory.dmp

Filesize
40KB

Download
memory/1044-36-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/1044-20-0x0000000000940000-0x0000000000956000-memory.dmp

Filesize
88KB

Download
memory/1044-39-0x0000000004940000-0x000000000496C000-memory.dmp

Filesize
176KB

Download
memory/1044-17-0x00000000043C0000-0x0000000004406000-memory.dmp

Filesize
280KB

Download
memory/1044-42-0x00000000049D0000-0x0000000004A24000-memory.dmp

Filesize
336KB

Download
memory/1044-45-0x00000000049D0000-0x0000000004A24000-memory.dmp

Filesize
336KB

Download
memory/1044-14-0x0000000004390000-0x00000000043BC000-memory.dmp

Filesize
176KB

Download
memory/1044-29-0x0000000004410000-0x0000000004440000-memory.dmp

Filesize
192KB

Download
memory/1044-11-0x00000000041C0000-0x0000000004230000-memory.dmp

Filesize
448KB

Download
memory/1044-51-0x0000000004BA0000-0x0000000004BAC000-memory.dmp

Filesize
48KB

Download
memory/1044-54-0x0000000004BE0000-0x0000000004BE8000-memory.dmp

Filesize
32KB

Download
memory/1044-8-0x0000000000C50000-0x0000000000DBE000-memory.dmp

Filesize
1.4MB

Download
memory/1044-55-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/1044-7-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/1044-58-0x0000000004E00000-0x0000000004E08000-memory.dmp

Filesize
32KB

Download
memory/1044-59-0x00000000055A0000-0x00000000055AA000-memory.dmp

Filesize
40KB

Download
memory/1044-64-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/1044-60-0x00000000055A0000-0x00000000055AA000-memory.dmp

Filesize
40KB

Download
memory/1044-62-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/1044-63-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/2792-61-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2792-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads