metasploit | 9060680477e8ffd6cca0cb9ae06d4db94c4a5f8ea9d03854ba18c1915c41be8b

Analysis

max time kernel
118s
max time network
109s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9060680477e8ffd6cca0cb9ae06d4db94c4a5f8ea9d03854ba18c1915c41be8b.exe
Size

81KB
MD5

462fb18088c13d9105863706425eb3cd
SHA1

c3fac93466588085104c6eae707ae5c6a2cb3a13
SHA256

9060680477e8ffd6cca0cb9ae06d4db94c4a5f8ea9d03854ba18c1915c41be8b
SHA512

e1cf2310c0aa811cab56da743c15e198b22b94bea11085ea985dae2e5457302fc2f2b363a7e87b0184e9b1bd1d06e20d87a3e17f92980a1008c552b6c380d4e8
SSDEEP

1536:3oW1fP3KxQOLowx1jGznkLjmnX4XfD2Gz9HfF3HAy:4sKxLoEGznijmnXC/z9Hd3d

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

84.228.136.34:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1208 set thread context of 884	1208	9060680477e8ffd6cca0cb9ae06d4db94c4a5f8ea9d03854ba18c1915c41be8b.exe	27

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 884	1208	9060680477e8ffd6cca0cb9ae06d4db94c4a5f8ea9d03854ba18c1915c41be8b.exe	27
PID 1208 wrote to memory of 884	1208	9060680477e8ffd6cca0cb9ae06d4db94c4a5f8ea9d03854ba18c1915c41be8b.exe	27
PID 1208 wrote to memory of 884	1208	9060680477e8ffd6cca0cb9ae06d4db94c4a5f8ea9d03854ba18c1915c41be8b.exe	27
PID 1208 wrote to memory of 884	1208	9060680477e8ffd6cca0cb9ae06d4db94c4a5f8ea9d03854ba18c1915c41be8b.exe	27
PID 1208 wrote to memory of 884	1208	9060680477e8ffd6cca0cb9ae06d4db94c4a5f8ea9d03854ba18c1915c41be8b.exe	27
PID 1208 wrote to memory of 884	1208	9060680477e8ffd6cca0cb9ae06d4db94c4a5f8ea9d03854ba18c1915c41be8b.exe	27
PID 1208 wrote to memory of 884	1208	9060680477e8ffd6cca0cb9ae06d4db94c4a5f8ea9d03854ba18c1915c41be8b.exe	27
PID 1208 wrote to memory of 884	1208	9060680477e8ffd6cca0cb9ae06d4db94c4a5f8ea9d03854ba18c1915c41be8b.exe	27
PID 1208 wrote to memory of 884	1208	9060680477e8ffd6cca0cb9ae06d4db94c4a5f8ea9d03854ba18c1915c41be8b.exe	27
PID 1208 wrote to memory of 884	1208	9060680477e8ffd6cca0cb9ae06d4db94c4a5f8ea9d03854ba18c1915c41be8b.exe	27

C:\Users\Admin\AppData\Local\Temp\9060680477e8ffd6cca0cb9ae06d4db94c4a5f8ea9d03854ba18c1915c41be8b.exe
"C:\Users\Admin\AppData\Local\Temp\9060680477e8ffd6cca0cb9ae06d4db94c4a5f8ea9d03854ba18c1915c41be8b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/884-56-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/884-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/884-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/884-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/884-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/884-63-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/884-66-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1208-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1208-55-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1208-67-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads