metasploit | c9a4b69fd8936fabe1d044c35baaa28e4bd0aa563769a76d4dba7c16e6fc3009 | Triage

Analysis

max time kernel
122s
max time network
121s
platform
windows7_x64
resource
win7v20201028
submitted
08-11-2020 14:13

Sharing

Report Analysis Logs

General

Target

c9a4b69fd8936fabe1d044c35baaa28e4bd0aa563769a76d4dba7c16e6fc3009.dll
Size

5KB
MD5

a3bfdf001d9e5e1276b95a112b74d37f
SHA1

cba777ad1363ad2840d43cfff8833ca22ff8c0d0
SHA256

c9a4b69fd8936fabe1d044c35baaa28e4bd0aa563769a76d4dba7c16e6fc3009
SHA512

4a48b115adaf593997f73c16c3424eb461b752ea39e5247e8252e1b92c02b5d9b0ba42da2cb63fc8592b52116786cf1631608105bf29c617f223c9d13e48fcbc

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://example.com:80/hop.php?/12345

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Blacklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

6 832 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1768 set thread context of 832 1768 rundll32.exe rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 364 wrote to memory of 1768	364	rundll32.exe	rundll32.exe
PID 364 wrote to memory of 1768	364	rundll32.exe	rundll32.exe
PID 364 wrote to memory of 1768	364	rundll32.exe	rundll32.exe
PID 364 wrote to memory of 1768	364	rundll32.exe	rundll32.exe
PID 364 wrote to memory of 1768	364	rundll32.exe	rundll32.exe
PID 364 wrote to memory of 1768	364	rundll32.exe	rundll32.exe
PID 364 wrote to memory of 1768	364	rundll32.exe	rundll32.exe
PID 1768 wrote to memory of 832	1768	rundll32.exe	rundll32.exe
PID 1768 wrote to memory of 832	1768	rundll32.exe	rundll32.exe
PID 1768 wrote to memory of 832	1768	rundll32.exe	rundll32.exe
PID 1768 wrote to memory of 832	1768	rundll32.exe	rundll32.exe
PID 1768 wrote to memory of 832	1768	rundll32.exe	rundll32.exe
PID 1768 wrote to memory of 832	1768	rundll32.exe	rundll32.exe
PID 1768 wrote to memory of 832	1768	rundll32.exe	rundll32.exe
PID 1768 wrote to memory of 832	1768	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9a4b69fd8936fabe1d044c35baaa28e4bd0aa563769a76d4dba7c16e6fc3009.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9a4b69fd8936fabe1d044c35baaa28e4bd0aa563769a76d4dba7c16e6fc3009.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe
3⤵
- Blacklisted process makes network request
PID:832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/832-1-0x000000000015178C-mapping.dmp

Download
memory/1340-2-0x000007FEF5BD0000-0x000007FEF5E4A000-memory.dmp

Filesize
2.5MB

Download
memory/1768-0-0x0000000000000000-mapping.dmp

Download