metasploit | a0ec45e5a2ac6e61515c4e57b096fac59ae78f0849efabad7ab973cd15cbe9b0

Analysis

max time kernel
1562s
max time network
1602s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
05-07-2022 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0ec45e5a2ac6e61515c4e57b096fac59ae78f0849efabad7ab973cd15cbe9b0.vbs
Size

7KB
MD5

dfb14599941880b99894df47efb1f16a
SHA1

7a825416de64b45bc9e553f6aff9c4ddc098d6db
SHA256

a0ec45e5a2ac6e61515c4e57b096fac59ae78f0849efabad7ab973cd15cbe9b0
SHA512

e909cd980d8d319db04e1c550bf09e9618ba0e5e81b30b9acefec28bb89683eb90349472074bb4c409ac1091e3adcb708b56d5d4a87ad38402aff3b6a7274286

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

186.95.209.178:4545

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 1 IoCs

Processes:

AcgwroNrzrb.exe

pid process

2084 AcgwroNrzrb.exe

pid	process
2084	AcgwroNrzrb.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 2064 wrote to memory of 2084	2064	WScript.exe	AcgwroNrzrb.exe
PID 2064 wrote to memory of 2084	2064	WScript.exe	AcgwroNrzrb.exe
PID 2064 wrote to memory of 2084	2064	WScript.exe	AcgwroNrzrb.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0ec45e5a2ac6e61515c4e57b096fac59ae78f0849efabad7ab973cd15cbe9b0.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\rad6CD33.tmp\AcgwroNrzrb.exe
"C:\Users\Admin\AppData\Local\Temp\rad6CD33.tmp\AcgwroNrzrb.exe"
2⤵
- Executes dropped EXE
PID:2084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rad6CD33.tmp\AcgwroNrzrb.exe
Filesize
4KB

MD5
175a9304c628824c24827c464d24fab3

SHA1
b3022defd71196172a5bbdb2e902fc9bb7fa9133

SHA256
fe25fafe0fbf8afa5139996108bcf40e87add4b2b15e2321c17756dceb18f159

SHA512
de4b0c98d0cd1ead7b20bbde368cd5f8246d9e9267d9382567a2391b429df18aa5345aa06e099f1bd45c371adddc28e6e9e8f1207447f91d886d5d322a45b726

Download Submit
C:\Users\Admin\AppData\Local\Temp\rad6CD33.tmp\AcgwroNrzrb.exe
Filesize
4KB

MD5
175a9304c628824c24827c464d24fab3

SHA1
b3022defd71196172a5bbdb2e902fc9bb7fa9133

SHA256
fe25fafe0fbf8afa5139996108bcf40e87add4b2b15e2321c17756dceb18f159

SHA512
de4b0c98d0cd1ead7b20bbde368cd5f8246d9e9267d9382567a2391b429df18aa5345aa06e099f1bd45c371adddc28e6e9e8f1207447f91d886d5d322a45b726

Download Submit
memory/2084-130-0x0000000000000000-mapping.dmp

Download
memory/2084-133-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download