metasploit | 394bad1d7ae1007fd9faf8277a9c367d9f50462b524ef89dbbbb8398063315de | Triage

Analysis

max time kernel
141s
max time network
151s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
23-07-2022 09:56

Sharing

Report Analysis Logs

General

Target

addCube.dll
Size

5KB
MD5

6f7b94f8618a450e7eb515e510532440
SHA1

52d640160a461827635ad9ce6ca972484f213ec8
SHA256

394bad1d7ae1007fd9faf8277a9c367d9f50462b524ef89dbbbb8398063315de
SHA512

84856a3a4baf462bb55ea4649c134b33e8d9d2f75085fa0ee34907b361e542a2ceaff440f3f68b30652da440cc87272864530597a298f4a00a41f804d60bee7f

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

172.27.0.13:8080

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1908 set thread context of 604 1908 rundll32.exe rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 600 wrote to memory of 1908	600	rundll32.exe	rundll32.exe
PID 600 wrote to memory of 1908	600	rundll32.exe	rundll32.exe
PID 600 wrote to memory of 1908	600	rundll32.exe	rundll32.exe
PID 600 wrote to memory of 1908	600	rundll32.exe	rundll32.exe
PID 600 wrote to memory of 1908	600	rundll32.exe	rundll32.exe
PID 600 wrote to memory of 1908	600	rundll32.exe	rundll32.exe
PID 600 wrote to memory of 1908	600	rundll32.exe	rundll32.exe
PID 1908 wrote to memory of 604	1908	rundll32.exe	rundll32.exe
PID 1908 wrote to memory of 604	1908	rundll32.exe	rundll32.exe
PID 1908 wrote to memory of 604	1908	rundll32.exe	rundll32.exe
PID 1908 wrote to memory of 604	1908	rundll32.exe	rundll32.exe
PID 1908 wrote to memory of 604	1908	rundll32.exe	rundll32.exe
PID 1908 wrote to memory of 604	1908	rundll32.exe	rundll32.exe
PID 1908 wrote to memory of 604	1908	rundll32.exe	rundll32.exe
PID 1908 wrote to memory of 604	1908	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\addCube.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\addCube.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe
3⤵
PID:604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/604-56-0x00000000009C178C-mapping.dmp

Download
memory/1908-54-0x0000000000000000-mapping.dmp

Download
memory/1908-55-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download