metasploit | 9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4

General

Target

9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe
Size

111KB
MD5

ce1c2378b676d5911eddc3758624c976
SHA1

c22076d3747e231f12b5773dd825b9dbf7231ac6
SHA256

9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4
SHA512

a575b4cb25220bba8792bb0dc9f0feb9d3241d4a01c487bcfb6af45fe2ad380ab42525be345269f4eec130d4a0faba63e7cf2766c3f71664b287b9820827d10a
SSDEEP

3072:SwUYPGG9eAoHSwMm8KzF6N0dKMW+Wb+EyjOIpiAAiLF:SwUYz93oHSHBnyWj+EfIEwR

Score

10^/10

metasploit backdoor discovery evasion persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svvchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\scvchost.exe"	svvchost.exe

Executes dropped EXE 3 IoCs

pid	Process
2580	svvchost.exe
2420	scvchost.exe
2460	svvchost.exe

Loads dropped DLL 4 IoCs

pid	Process
2520	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe
2520	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe
2420	scvchost.exe
2420	scvchost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\scvchost.exe"	svvchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svvchost.exe = "C:\\Windows\\system32\\svvchost.exe"	scvchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svvchost.exe = "C:\\Windows\\system32\\svvchost.exe"	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	scvchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svvchost.exe	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe
File opened for modification	C:\Windows\SysWOW64\svvchost.exe	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe
File created	C:\Windows\SysWOW64\svvchost.exe	scvchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2520 set thread context of 2580	2520	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe	30
PID 2420 set thread context of 2460	2420	scvchost.exe	32

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\logfile32.txt	svvchost.exe
File created	C:\Windows\scvchost.exe	svvchost.exe
File opened for modification	C:\Windows\scvchost.exe	svvchost.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svvchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svvchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2580	svvchost.exe
2580	svvchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2580	2520	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe	30
PID 2520 wrote to memory of 2580	2520	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe	30
PID 2520 wrote to memory of 2580	2520	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe	30
PID 2520 wrote to memory of 2580	2520	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe	30
PID 2520 wrote to memory of 2580	2520	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe	30
PID 2520 wrote to memory of 2580	2520	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe	30
PID 2520 wrote to memory of 2580	2520	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe	30
PID 2520 wrote to memory of 2580	2520	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe	30
PID 2520 wrote to memory of 2580	2520	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe	30
PID 2520 wrote to memory of 2580	2520	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe	30
PID 2520 wrote to memory of 2580	2520	9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe	30
PID 2580 wrote to memory of 2420	2580	svvchost.exe	31
PID 2580 wrote to memory of 2420	2580	svvchost.exe	31
PID 2580 wrote to memory of 2420	2580	svvchost.exe	31
PID 2580 wrote to memory of 2420	2580	svvchost.exe	31
PID 2420 wrote to memory of 2460	2420	scvchost.exe	32
PID 2420 wrote to memory of 2460	2420	scvchost.exe	32
PID 2420 wrote to memory of 2460	2420	scvchost.exe	32
PID 2420 wrote to memory of 2460	2420	scvchost.exe	32
PID 2420 wrote to memory of 2460	2420	scvchost.exe	32
PID 2420 wrote to memory of 2460	2420	scvchost.exe	32
PID 2420 wrote to memory of 2460	2420	scvchost.exe	32
PID 2420 wrote to memory of 2460	2420	scvchost.exe	32
PID 2420 wrote to memory of 2460	2420	scvchost.exe	32
PID 2420 wrote to memory of 2460	2420	scvchost.exe	32
PID 2420 wrote to memory of 2460	2420	scvchost.exe	32

C:\Users\Admin\AppData\Local\Temp\9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe
"C:\Users\Admin\AppData\Local\Temp\9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\svvchost.exe
  "C:\Users\Admin\AppData\Local\Temp\9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\scvchost.exe
    "C:\Windows\scvchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\svvchost.exe
      "C:\Windows\scvchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svvchost.exe

Filesize
111KB

MD5
ce1c2378b676d5911eddc3758624c976

SHA1
c22076d3747e231f12b5773dd825b9dbf7231ac6

SHA256
9b67914768477c27bfec54e79955674d878e6489abc21344f13166ca9446c9a4

SHA512
a575b4cb25220bba8792bb0dc9f0feb9d3241d4a01c487bcfb6af45fe2ad380ab42525be345269f4eec130d4a0faba63e7cf2766c3f71664b287b9820827d10a

Download Submit
memory/2460-43-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2460-36-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2460-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2460-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2460-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2460-37-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2460-38-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2460-42-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2460-47-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2460-46-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2460-39-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2460-45-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2460-44-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2580-7-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2580-10-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2580-14-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2580-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads