metasploit | 32e4d84e634fd4d7c979f0008fe32c21a0713eed09caba58e85dca3bb9e772dc

Analysis

max time kernel
138s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-03-2024 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9b8a0f4d78315c436c9d6b6699952fe.exe
Size

400KB
MD5

b9b8a0f4d78315c436c9d6b6699952fe
SHA1

eb01d19aba86beed4e5ecf88bb7b1565531efa07
SHA256

32e4d84e634fd4d7c979f0008fe32c21a0713eed09caba58e85dca3bb9e772dc
SHA512

ea8ace598443ebccc21fb0e30aff121604ccb28d4bda9e7dd44a2c5d92bfd61467520b75a427a7d79aefcc6d492b04bf6fc1a45b5f3f80583bf3437c87990814
SSDEEP

6144:4u5g79cOY/LnJCPEQ42F+40HG5W2s4ugIueUQjiEzMtm6187Un:4u5g79cV/QELG+40HG504nIuRQjizRn

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 10 IoCs

pid	Process
2476	taskmrg.exe
2548	taskmrg.exe
2412	taskmrg.exe
1036	taskmrg.exe
2072	taskmrg.exe
2656	taskmrg.exe
1948	taskmrg.exe
2196	taskmrg.exe
1752	taskmrg.exe
268	taskmrg.exe

Loads dropped DLL 20 IoCs

pid	Process
1908	b9b8a0f4d78315c436c9d6b6699952fe.exe
1908	b9b8a0f4d78315c436c9d6b6699952fe.exe
2476	taskmrg.exe
2476	taskmrg.exe
2548	taskmrg.exe
2548	taskmrg.exe
2412	taskmrg.exe
2412	taskmrg.exe
1036	taskmrg.exe
1036	taskmrg.exe
2072	taskmrg.exe
2072	taskmrg.exe
2656	taskmrg.exe
2656	taskmrg.exe
1948	taskmrg.exe
1948	taskmrg.exe
2196	taskmrg.exe
2196	taskmrg.exe
1752	taskmrg.exe
1752	taskmrg.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	b9b8a0f4d78315c436c9d6b6699952fe.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	b9b8a0f4d78315c436c9d6b6699952fe.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2476	1908	b9b8a0f4d78315c436c9d6b6699952fe.exe	28
PID 1908 wrote to memory of 2476	1908	b9b8a0f4d78315c436c9d6b6699952fe.exe	28
PID 1908 wrote to memory of 2476	1908	b9b8a0f4d78315c436c9d6b6699952fe.exe	28
PID 1908 wrote to memory of 2476	1908	b9b8a0f4d78315c436c9d6b6699952fe.exe	28
PID 2476 wrote to memory of 2548	2476	taskmrg.exe	29
PID 2476 wrote to memory of 2548	2476	taskmrg.exe	29
PID 2476 wrote to memory of 2548	2476	taskmrg.exe	29
PID 2476 wrote to memory of 2548	2476	taskmrg.exe	29
PID 2548 wrote to memory of 2412	2548	taskmrg.exe	32
PID 2548 wrote to memory of 2412	2548	taskmrg.exe	32
PID 2548 wrote to memory of 2412	2548	taskmrg.exe	32
PID 2548 wrote to memory of 2412	2548	taskmrg.exe	32
PID 2412 wrote to memory of 1036	2412	taskmrg.exe	33
PID 2412 wrote to memory of 1036	2412	taskmrg.exe	33
PID 2412 wrote to memory of 1036	2412	taskmrg.exe	33
PID 2412 wrote to memory of 1036	2412	taskmrg.exe	33
PID 1036 wrote to memory of 2072	1036	taskmrg.exe	34
PID 1036 wrote to memory of 2072	1036	taskmrg.exe	34
PID 1036 wrote to memory of 2072	1036	taskmrg.exe	34
PID 1036 wrote to memory of 2072	1036	taskmrg.exe	34
PID 2072 wrote to memory of 2656	2072	taskmrg.exe	35
PID 2072 wrote to memory of 2656	2072	taskmrg.exe	35
PID 2072 wrote to memory of 2656	2072	taskmrg.exe	35
PID 2072 wrote to memory of 2656	2072	taskmrg.exe	35
PID 2656 wrote to memory of 1948	2656	taskmrg.exe	36
PID 2656 wrote to memory of 1948	2656	taskmrg.exe	36
PID 2656 wrote to memory of 1948	2656	taskmrg.exe	36
PID 2656 wrote to memory of 1948	2656	taskmrg.exe	36
PID 1948 wrote to memory of 2196	1948	taskmrg.exe	37
PID 1948 wrote to memory of 2196	1948	taskmrg.exe	37
PID 1948 wrote to memory of 2196	1948	taskmrg.exe	37
PID 1948 wrote to memory of 2196	1948	taskmrg.exe	37
PID 2196 wrote to memory of 1752	2196	taskmrg.exe	38
PID 2196 wrote to memory of 1752	2196	taskmrg.exe	38
PID 2196 wrote to memory of 1752	2196	taskmrg.exe	38
PID 2196 wrote to memory of 1752	2196	taskmrg.exe	38
PID 1752 wrote to memory of 268	1752	taskmrg.exe	39
PID 1752 wrote to memory of 268	1752	taskmrg.exe	39
PID 1752 wrote to memory of 268	1752	taskmrg.exe	39
PID 1752 wrote to memory of 268	1752	taskmrg.exe	39

C:\Users\Admin\AppData\Local\Temp\b9b8a0f4d78315c436c9d6b6699952fe.exe
"C:\Users\Admin\AppData\Local\Temp\b9b8a0f4d78315c436c9d6b6699952fe.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\taskmrg.exe
  C:\Windows\system32\taskmrg.exe 524 "C:\Users\Admin\AppData\Local\Temp\b9b8a0f4d78315c436c9d6b6699952fe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\taskmrg.exe
    C:\Windows\system32\taskmrg.exe 532 "C:\Windows\SysWOW64\taskmrg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\SysWOW64\taskmrg.exe
      C:\Windows\system32\taskmrg.exe 528 "C:\Windows\SysWOW64\taskmrg.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\SysWOW64\taskmrg.exe
        
        C:\Windows\system32\taskmrg.exe 544 "C:\Windows\SysWOW64\taskmrg.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\SysWOW64\taskmrg.exe
        
        C:\Windows\system32\taskmrg.exe 548 "C:\Windows\SysWOW64\taskmrg.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\taskmrg.exe
        
        C:\Windows\system32\taskmrg.exe 552 "C:\Windows\SysWOW64\taskmrg.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\taskmrg.exe
        
        C:\Windows\system32\taskmrg.exe 540 "C:\Windows\SysWOW64\taskmrg.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\taskmrg.exe
        
        C:\Windows\system32\taskmrg.exe 560 "C:\Windows\SysWOW64\taskmrg.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\taskmrg.exe
        
        C:\Windows\system32\taskmrg.exe 556 "C:\Windows\SysWOW64\taskmrg.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\taskmrg.exe
        
        C:\Windows\system32\taskmrg.exe 568 "C:\Windows\SysWOW64\taskmrg.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\taskmrg.exe

Filesize
400KB

MD5
b9b8a0f4d78315c436c9d6b6699952fe

SHA1
eb01d19aba86beed4e5ecf88bb7b1565531efa07

SHA256
32e4d84e634fd4d7c979f0008fe32c21a0713eed09caba58e85dca3bb9e772dc

SHA512
ea8ace598443ebccc21fb0e30aff121604ccb28d4bda9e7dd44a2c5d92bfd61467520b75a427a7d79aefcc6d492b04bf6fc1a45b5f3f80583bf3437c87990814

Download Submit