metasploit | 41786d15008e2675fbcb8d543647bd6871eeabbb9f4a7f3346aa1f7e786eb7b7

Analysis

max time kernel
126s
max time network
132s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26/03/2025, 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

812adobe_update.exe
Size

87KB
MD5

3f16a2de1242fc887a4b955300946b50
SHA1

94262ade0e49262c1f5e1fb4ad8e3b4a22048013
SHA256

41786d15008e2675fbcb8d543647bd6871eeabbb9f4a7f3346aa1f7e786eb7b7
SHA512

c51b7e97ccdd52ead4c303219f3eb172859580c3ddd83dab57134d4cb061a01ccada315f5944110015850c101a8975a9e466a9aa4322120344613f1fd4acc124
SSDEEP

1536:pAJX27T5dgGQEOLwKhZxlAbd7dkMeDmyOvMt0K3uSqGaVpd:p827T5dKw0AxZwSZ0tP3uRp

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

51.68.213.100:1440

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1500	812adobe_update.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1180	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	812adobe_update.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1180	AcroRd32.exe
1180	AcroRd32.exe
1180	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1180	1500	812adobe_update.exe	31
PID 1500 wrote to memory of 1180	1500	812adobe_update.exe	31
PID 1500 wrote to memory of 1180	1500	812adobe_update.exe	31
PID 1500 wrote to memory of 1180	1500	812adobe_update.exe	31

C:\Users\Admin\AppData\Local\Temp\812adobe_update.exe
"C:\Users\Admin\AppData\Local\Temp\812adobe_update.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Digital Ocean CFS.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Digital Ocean CFS.pdf

Filesize
74KB

MD5
d03e65cf99648dc339b8bdc036d50d19

SHA1
74b1cda3e72bbce92bdf90f4088e3871c0027c3a

SHA256
708782a8853132c2948352bc2e79bcd67c0cd5b5cf2bc8fe98d8e4a46779b837

SHA512
69dd3c0a57736e1d2caeb4e4f7c4febe1197122cda5254ad95a17de0290ff33e47d019a50ccb52025ad5b3a8a45702edd9760224e6c69540ad95f12d58727824

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
c79f78fcf42bbfc952eb65c80e8f1f5f

SHA1
706f25a336689c7e543d3648272853bd63a21d5b

SHA256
32ee3671edeeb80d4586f789e15eb5b3b83acd46ba2a4faaa4a2617f482a5ba8

SHA512
e158975a0dd9fee420ac7eb6e45b4ca9245124901d8a377eae4e17a1346409cd074c051f36f9cf120d9999067ce5af80faec2da9de5c86ec8a916ea1746eb923

Download Submit
memory/1500-0-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

Filesize
4KB

Download
memory/1500-1-0x000000013F5D0000-0x000000013F5EA000-memory.dmp

Filesize
104KB

Download
memory/1500-3-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/1500-4-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/1500-22-0x0000000002530000-0x0000000002569000-memory.dmp

Filesize
228KB

Download
memory/1500-27-0x0000000002530000-0x0000000002569000-memory.dmp

Filesize
228KB

Download
memory/1500-28-0x0000000002530000-0x0000000002569000-memory.dmp

Filesize
228KB

Download
memory/1500-34-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

Filesize
4KB

Download
memory/1500-35-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download