metasploit | d31c3152837a19700b108291ab821b3b06a9459dda12cb90267bfd6d2090a377

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2023, 20:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4dad41d722ac8507714ce138b72bf96c.exe
Size

72KB
MD5

4dad41d722ac8507714ce138b72bf96c
SHA1

91105b00a10b13525d8f3d1428fc147851e7da6e
SHA256

d31c3152837a19700b108291ab821b3b06a9459dda12cb90267bfd6d2090a377
SHA512

4ac8a1b5341f6e43538a5ff0c4c2402952882a66f9e5c9aab8be3f6d6cae5bb07ee096eb810e579824d8a583828724cbf2ccc7c45d6442c5908f3bf1e8968fe1
SSDEEP

1536:IwX1x33bD7f4+YlOUnkBHgg6WFMb+KR0Nc8QsJq39:Vf37fTUkHggze0Nc8QsC9

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

3.137.123.63:28193

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1668	4dad41d722ac8507714ce138b72bf96c.exe
1668	4dad41d722ac8507714ce138b72bf96c.exe
1668	4dad41d722ac8507714ce138b72bf96c.exe
1668	4dad41d722ac8507714ce138b72bf96c.exe
1668	4dad41d722ac8507714ce138b72bf96c.exe
1668	4dad41d722ac8507714ce138b72bf96c.exe
3764	notepad.exe
3764	notepad.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	4dad41d722ac8507714ce138b72bf96c.exe
Token: SeDebugPrivilege	1668	4dad41d722ac8507714ce138b72bf96c.exe
Token: SeDebugPrivilege	1668	4dad41d722ac8507714ce138b72bf96c.exe
Token: SeDebugPrivilege	1668	4dad41d722ac8507714ce138b72bf96c.exe
Token: SeDebugPrivilege	3764	notepad.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 3764	1668	4dad41d722ac8507714ce138b72bf96c.exe	88
PID 1668 wrote to memory of 3764	1668	4dad41d722ac8507714ce138b72bf96c.exe	88
PID 1668 wrote to memory of 3764	1668	4dad41d722ac8507714ce138b72bf96c.exe	88
PID 1668 wrote to memory of 3764	1668	4dad41d722ac8507714ce138b72bf96c.exe	88
PID 1668 wrote to memory of 3764	1668	4dad41d722ac8507714ce138b72bf96c.exe	88
PID 1668 wrote to memory of 3764	1668	4dad41d722ac8507714ce138b72bf96c.exe	88
PID 1668 wrote to memory of 3764	1668	4dad41d722ac8507714ce138b72bf96c.exe	88

C:\Users\Admin\AppData\Local\Temp\4dad41d722ac8507714ce138b72bf96c.exe
"C:\Users\Admin\AppData\Local\Temp\4dad41d722ac8507714ce138b72bf96c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-187-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/1668-133-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/1668-135-0x0000000000900000-0x0000000000931000-memory.dmp

Filesize
196KB

Download
memory/1668-136-0x0000000000900000-0x0000000000931000-memory.dmp

Filesize
196KB

Download
memory/1668-143-0x0000000000900000-0x0000000000931000-memory.dmp

Filesize
196KB

Download
memory/1668-146-0x00000000026A0000-0x00000000026FF000-memory.dmp

Filesize
380KB

Download
memory/1668-159-0x0000000000900000-0x0000000000931000-memory.dmp

Filesize
196KB

Download
memory/1668-166-0x00000000006B0000-0x00000000006D0000-memory.dmp

Filesize
128KB

Download
memory/1668-185-0x00000000008D0000-0x00000000008FB000-memory.dmp

Filesize
172KB

Download
memory/1668-188-0x0000000000900000-0x0000000000931000-memory.dmp

Filesize
196KB

Download
memory/1668-134-0x00000000008D0000-0x00000000008FB000-memory.dmp

Filesize
172KB

Download
memory/3764-189-0x0000000003FF0000-0x0000000004021000-memory.dmp

Filesize
196KB

Download
memory/3764-183-0x00000000022F0000-0x000000000231B000-memory.dmp

Filesize
172KB

Download
memory/3764-186-0x00000000022F0000-0x000000000231B000-memory.dmp

Filesize
172KB

Download
memory/3764-184-0x0000000003FF0000-0x0000000004021000-memory.dmp

Filesize
196KB

Download
memory/3764-190-0x0000000003FF0000-0x0000000004021000-memory.dmp

Filesize
196KB

Download
memory/3764-195-0x0000000003FF0000-0x0000000004021000-memory.dmp

Filesize
196KB

Download
memory/3764-196-0x00000000041B0000-0x000000000420F000-memory.dmp

Filesize
380KB

Download
memory/3764-203-0x0000000003FF0000-0x0000000004021000-memory.dmp

Filesize
196KB

Download
memory/3764-207-0x00000000041B0000-0x000000000420F000-memory.dmp

Filesize
380KB

Download
memory/3764-209-0x0000000004210000-0x0000000004230000-memory.dmp

Filesize
128KB

Download
memory/3764-210-0x00000000041B0000-0x000000000420F000-memory.dmp

Filesize
380KB

Download