metasploit | dad1a4bc2ec24bf8b689974ae5a7128d85482d970162a70ea40ea0e80fbfa8ee

General

Target

wps.exe
Size

1.0MB
MD5

8258fb211075d889b4e3e15458b2a9c5
SHA1

6620a898c2899b346ee6a524b09c306775e44706
SHA256

b814a4c506ce2dd3920990ecfcb106b7650529be39fe7513373073c5274e62b3
SHA512

603cef3ad12ccf092b4cf49315da79f1893775d188c6c7d0015932f9e0ad9030d7871475b7dd202dad0a2198ecde654b73dd819175d2a61c8a64bf32de7693f2
SSDEEP

24576:P7QXeEKjLIRwIp8wciIJZou3aF8Sj+1vDXjU/5:jQuEoIG28wcmF8Sj+B/K5

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wps.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wps.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	wps.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3028	WINWORD.EXE
3028	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3028	WINWORD.EXE
3028	WINWORD.EXE
3028	WINWORD.EXE
3028	WINWORD.EXE
3028	WINWORD.EXE
3028	WINWORD.EXE
3028	WINWORD.EXE
3028	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 3028	560	wps.exe	84
PID 560 wrote to memory of 3028	560	wps.exe	84

C:\Users\Admin\AppData\Local\Temp\wps.exe
"C:\Users\Admin\AppData\Local\Temp\wps.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:560
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\冠状病毒实时更新：中国正在追踪来自湖北的旅行者.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD879.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\冠状病毒实时更新：中国正在追踪来自湖北的旅行者.doc

Filesize
713KB

MD5
c5b98b77810c5619d20b71791b820529

SHA1
0c9bcc7e92c9557d4f2072e40af0e5e029d92c15

SHA256
fb82f32b9ce1d63cc86ab6ee93b9e619056222af181578d2f8ed38ee6474c092

SHA512
e6f16c71d3aefff8789c28b1a8abbcb47680dbdced912f50d318a9037c6f56bfe0a48e5cbf879ef24cecff03a5af937f8ec4b25c8230229730f71c38453da2b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
ed950687fdeca4b1a497a4117ad6b34e

SHA1
c7525daaccfa3dd1de94bf81ad115864454267cd

SHA256
d72c6b50108837687f4b01a579747bc062017c3a6ce54cb3f1cf056e58c1468a

SHA512
207a4bf6e8e4131c8442ab608829db50296c4ab98034e6420a5f0a412508684b5a364a578557feb94cf91a3648c9d1dc2b8fef30b7ffefaa293b144a0c86d582

Download Submit
memory/560-8-0x0000000003950000-0x00000000039E0000-memory.dmp

Filesize
576KB

Download
memory/3028-15-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-18-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-9-0x00007FFB39C30000-0x00007FFB39C40000-memory.dmp

Filesize
64KB

Download
memory/3028-14-0x00007FFB39C30000-0x00007FFB39C40000-memory.dmp

Filesize
64KB

Download
memory/3028-17-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-16-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-13-0x00007FFB39C30000-0x00007FFB39C40000-memory.dmp

Filesize
64KB

Download
memory/3028-10-0x00007FFB39C30000-0x00007FFB39C40000-memory.dmp

Filesize
64KB

Download
memory/3028-21-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-20-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-19-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-22-0x00007FFB37A90000-0x00007FFB37AA0000-memory.dmp

Filesize
64KB

Download
memory/3028-23-0x00007FFB37A90000-0x00007FFB37AA0000-memory.dmp

Filesize
64KB

Download
memory/3028-36-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-11-0x00007FFB39C30000-0x00007FFB39C40000-memory.dmp

Filesize
64KB

Download
memory/3028-12-0x00007FFB79C4D000-0x00007FFB79C4E000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads