metasploit | 78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e

General

Target

78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe
Size

441KB
MD5

5c08ca135ff9d8316dd10845db00f635
SHA1

a24c9ccc818e192356169c409c265645e6f39824
SHA256

78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e
SHA512

a38b1c2db66416d96e966960ef394da048065f981d1386851581e43c579ebddc623bbfb4dac8a2079ddf1190ab3548e57a7b5abef6d0ca186aae438e84b0f9db
SSDEEP

6144:QZlBLpEu7eOhAF2QXcnzVRPYfmB8LVqv7IVuUmj+ZF6/BCrO6Kwc:QlpEu7eOhA7XcnzjYf+8LV2IVgj+Ep

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 8 IoCs

pid	Process
3468	wplayer.exe
1368	wplayer.exe
2916	wplayer.exe
4068	wplayer.exe
916	wplayer.exe
2572	wplayer.exe
4996	wplayer.exe
2376	wplayer.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3680-0-0x0000000000400000-0x00000000004AE000-memory.dmp	upx
behavioral2/files/0x000c000000023b12-5.dat	upx
behavioral2/memory/3680-7-0x0000000000400000-0x00000000004AE000-memory.dmp	upx
behavioral2/memory/3468-8-0x0000000000400000-0x00000000004AE000-memory.dmp	upx
behavioral2/memory/1368-10-0x0000000000400000-0x00000000004AE000-memory.dmp	upx
behavioral2/memory/2916-12-0x0000000000400000-0x00000000004AE000-memory.dmp	upx
behavioral2/memory/4068-14-0x0000000000400000-0x00000000004AE000-memory.dmp	upx
behavioral2/memory/916-16-0x0000000000400000-0x00000000004AE000-memory.dmp	upx
behavioral2/memory/2572-18-0x0000000000400000-0x00000000004AE000-memory.dmp	upx
behavioral2/memory/4996-20-0x0000000000400000-0x00000000004AE000-memory.dmp	upx
behavioral2/memory/2376-22-0x0000000000400000-0x00000000004AE000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 3468	3680	78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe	82
PID 3680 wrote to memory of 3468	3680	78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe	82
PID 3680 wrote to memory of 3468	3680	78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe	82
PID 3468 wrote to memory of 1368	3468	wplayer.exe	88
PID 3468 wrote to memory of 1368	3468	wplayer.exe	88
PID 3468 wrote to memory of 1368	3468	wplayer.exe	88
PID 1368 wrote to memory of 2916	1368	wplayer.exe	92
PID 1368 wrote to memory of 2916	1368	wplayer.exe	92
PID 1368 wrote to memory of 2916	1368	wplayer.exe	92
PID 2916 wrote to memory of 4068	2916	wplayer.exe	94
PID 2916 wrote to memory of 4068	2916	wplayer.exe	94
PID 2916 wrote to memory of 4068	2916	wplayer.exe	94
PID 4068 wrote to memory of 916	4068	wplayer.exe	95
PID 4068 wrote to memory of 916	4068	wplayer.exe	95
PID 4068 wrote to memory of 916	4068	wplayer.exe	95
PID 916 wrote to memory of 2572	916	wplayer.exe	96
PID 916 wrote to memory of 2572	916	wplayer.exe	96
PID 916 wrote to memory of 2572	916	wplayer.exe	96
PID 2572 wrote to memory of 4996	2572	wplayer.exe	97
PID 2572 wrote to memory of 4996	2572	wplayer.exe	97
PID 2572 wrote to memory of 4996	2572	wplayer.exe	97
PID 4996 wrote to memory of 2376	4996	wplayer.exe	98
PID 4996 wrote to memory of 2376	4996	wplayer.exe	98
PID 4996 wrote to memory of 2376	4996	wplayer.exe	98

C:\Users\Admin\AppData\Local\Temp\78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe
"C:\Users\Admin\AppData\Local\Temp\78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\SysWOW64\wplayer.exe
  C:\Windows\system32\wplayer.exe 1016 "C:\Users\Admin\AppData\Local\Temp\78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\SysWOW64\wplayer.exe
    C:\Windows\system32\wplayer.exe 1144 "C:\Windows\SysWOW64\wplayer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\SysWOW64\wplayer.exe
      C:\Windows\system32\wplayer.exe 1116 "C:\Windows\SysWOW64\wplayer.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 1112 "C:\Windows\SysWOW64\wplayer.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4068
      - C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 1120 "C:\Windows\SysWOW64\wplayer.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 1124 "C:\Windows\SysWOW64\wplayer.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 1056 "C:\Windows\SysWOW64\wplayer.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 1132 "C:\Windows\SysWOW64\wplayer.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wplayer.exe

Filesize
441KB

MD5
5c08ca135ff9d8316dd10845db00f635

SHA1
a24c9ccc818e192356169c409c265645e6f39824

SHA256
78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e

SHA512
a38b1c2db66416d96e966960ef394da048065f981d1386851581e43c579ebddc623bbfb4dac8a2079ddf1190ab3548e57a7b5abef6d0ca186aae438e84b0f9db

Download Submit
memory/916-16-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1368-10-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2376-22-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2572-18-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2916-12-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/3468-8-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/3680-0-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/3680-7-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4068-14-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4996-20-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing