metasploit | a2c793e5586953616c24b7f2fc8d7a2f86797ad4eec4e457e551792bb4b8707c

General

Target

important.exe
Size

3.5MB
MD5

18a4199cdc67767f148535e57d26cb1c
SHA1

e4da84914bcd047f84d2065097098bea676835bb
SHA256

9af8cf4ddaab23832526a008ffab1fa8606dea6eff0eddab55ce88866b79eb31
SHA512

d3f470eb1a5de29ee45b96f706e84cf8ad5e652278b8afa2236f8597e88f2f9abc6436757544544787f0ef6b9e63b79cf83743bd3ffbde552ea5df65c92acf57
SSDEEP

98304:aeZ/bzQdEMgMsae2FhINt+WFsqQMyuyKFCz54IS0k76qe6VrpmPrq:hZ/bzrMgMsae2jK+WtQPQvIa6qe0pmPG

Score

10^/10

metasploit backdoor evasion ransomware trojan

Malware Config

Extracted

Path

F:\!Please Read Me!.txt

Ransom Note

------------- Oops,Your Network have been infected!------------- Dear Admin All files on the network have been attacked and encrypted with a strong encryption algorithms. RSA 2048 and AES-256. All your files, documents, photos, databases and other important files are encrypted by a strong encryption. Don't worry, you can return all your files! We are the only ones who can decrypt your files Through the unique key. what should I do for decrypting my files? If you want to recover your files, you must purchase a the unique key You must pay 300$ bitcoin to wallet : 3JFgm9SMRxSP9YWPZiSCsezXvWZS5aTsaR for each affected pc or 1000$ to receive all pc affected your network. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. As proof you can email us 3 files to decrypt and we will send you the recover files to prove that we can decrypt your files. Attempts to restore your data with third party software as Rakhni Decryptor etc. will lead to irreversible destruction of your data. To get this software you need write on our e-mail: [email protected] Your personal ID: iY03EkOvX068R9vKRAT+SpKnFzCbmZYmFendS2L5M6V553p8iiD59IouL4u+FTRDz2+kk0+E3pCdbX4dq55bqaBSsg5kYFLNPqcwgXCkumWkbH9xZQBXy/m7PhGXJCTi2+qCU9pqbPI2Ijx20Cr6nIIif0xXiEuDwIWBGz9b2qo=

Emails

[email protected]

Wallets

3JFgm9SMRxSP9YWPZiSCsezXvWZS5aTsaR

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	reg.exe

Renames multiple (68) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\lan.dll	important.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1080	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	important.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2104	2492	important.exe	30
PID 2492 wrote to memory of 2104	2492	important.exe	30
PID 2492 wrote to memory of 2104	2492	important.exe	30
PID 2104 wrote to memory of 1080	2104	cmd.exe	32
PID 2104 wrote to memory of 1080	2104	cmd.exe	32
PID 2104 wrote to memory of 1080	2104	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\important.exe
"C:\Users\Admin\AppData\Local\Temp\important.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\scan.txt

Filesize
168B

MD5
0882756470fb2f5eedc254045f7b82c8

SHA1
fd9eb1f83e002276dd7537bda649140b62a1b4f4

SHA256
211a7374089c0261f7723672eaa3ab81c77907642105d60d047b2739c821c5cd

SHA512
d5227959163334bf6753c4c9a9134561576c4c80030c310f0f4f6e259bec1b08c1e05e2d41350972b50cf250494d95b60eead8a57da7ec10996e2f266edb0811

Download Submit
C:\Users\Admin\AppData\Local\Temp\scan.txt

Filesize
2KB

MD5
d2d97cf9ae2780b4da95acd746566b1c

SHA1
1c1516b6d50118e7efde1bc95d5e22feeb41f537

SHA256
7e16e3718520146df434774c2230e7f6a1e836fbd15e7ef4f8e02d0fd3d74750

SHA512
a2b691531dacd9b1b7e7efd263a71235df32f1d3a238da8795cfef88b7484ba02b14d2cf359113275046450280dea64bee3421d9de8ccc39ad3a92c0c77f8f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scan.txt

Filesize
2KB

MD5
a2f9334c0ca4799f12be8398cbd844af

SHA1
d80420262380a5219549dede8d4b6ce81827b42d

SHA256
4012928fb7f884c2fe2a9505db33e6a78bbc9737960c8ac9b9c6f4b032320db9

SHA512
6f6f774967637984688d8f74402f591181f19249a1a25e6dd76ba63e1aca6d38f097fb5ac51241dff2b747ed3484990c44c7ceaa212804679ecf35ab8f549b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scan.txt

Filesize
3KB

MD5
a9d2e85ca5c9fb5260e7ea57a25bc9be

SHA1
6b3eb6d22a74be0eb124bb0f4d6596fa2e29e2d9

SHA256
851c856d539b699036e319e9cb5e71ed4497e7664d728d08a37ca9892fb4df7e

SHA512
8b977e0a31369358a419aef0f04def8cba6cb5f1d2045126161617edb1a9bbe386865567f42662d0e603cf6f3e3475700d45f172a2ee05bcee7e6a864ccc140f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scan.txt

Filesize
3KB

MD5
409447019987a33ba3c6ad03c010418d

SHA1
ece76e2a93f6c2b417bc50d0f075c87d53720de7

SHA256
d8695f0e0b572887a58356bd7ad0052f310b39fa08ba20e7d0219f212b4d2a7f

SHA512
a12ef4bb6788d07fcb5de62e62fb6b1c9fe3ffae46c0b5dc949151ff68103f374cd74e1e9db80c45700e080a2f03f4b2c25b51d887e1577aa9acf589be657114

Download Submit
C:\Users\Admin\AppData\Local\Temp\scan.txt

Filesize
4KB

MD5
496f3b9e887a041341ef80bdeb0d8f3d

SHA1
839469c81249cd1349fdfe577a666e0f38a6ab29

SHA256
35dcf25eb39467d5a997c979edafb72ace8420bc39700241629cd1cd1be76cf7

SHA512
cc0e6c122c69ade5d2d8950aa90edcd414279a8492cc41ba8b1cb7c386ead5cd1054e9552cdec57c0656139a1db9b17a0732afb7564eef0900f59306655482ac

Download Submit
C:\Users\Admin\Music\!Please Read Me!.vbs

Filesize
1KB

MD5
238375212135e48bba55e4f8ada36256

SHA1
a20595642f8ca2f33c25c1ec1907cc9b26df3815

SHA256
fdce54893aae62128356a892ebf844281370872cddff62756e96e8f518c4c150

SHA512
f7937baff248e72c8a878b8ac811359840bffe4f29f7d86770ecbcb717a52db0ed6d086a1f76ee2bfad84b488901f7d09031e1174bf115615d946eb3815e7cc3

Download Submit
F:\!Please Read Me!.txt

Filesize
1KB

MD5
de5da1f7f611346ec35b66498580e14e

SHA1
590a7f654f1858929e6a9bf527ca2fdd3c77207f

SHA256
260ce0f459200021b68bce7b07fc9e188ff5d3417e32a99fc46d31d455f60c14

SHA512
a67e4c48d61a8c6593c49e7ba4ee4aa3cac662436f92b5f9ef0db6070ebd82ab4274adb138ae1431c5dbbc456efc513d18a2845054414efa76d3ed65396cb60a

Download Submit
memory/2492-1-0x0000000000320000-0x00000000006B4000-memory.dmp

Filesize
3.6MB

Download
memory/2492-3-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-2-0x000000001B520000-0x000000001BB42000-memory.dmp

Filesize
6.1MB

Download
memory/2492-5-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-0-0x000007FEF5663000-0x000007FEF5664000-memory.dmp

Filesize
4KB

Download
memory/2492-4-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-1102-0x000007FEF5663000-0x000007FEF5664000-memory.dmp

Filesize
4KB

Download
memory/2492-7476-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-10696-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-12222-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads