metasploit | 9cb3018084777f026a18cadb289d895ee8bf74082ba4d8b1860d2ba12d6a96ea

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_fb895d45dea1114be6ed66ce0f608a83_ryuk.exe
Size

9.5MB
MD5

fb895d45dea1114be6ed66ce0f608a83
SHA1

50a53cd7c291645d0aceceb0c179e86bb2fabfc3
SHA256

9cb3018084777f026a18cadb289d895ee8bf74082ba4d8b1860d2ba12d6a96ea
SHA512

697d08761170748eafb68e42ea0be12c747eec8582bd51d49a276c27b10d11e50cead1783fe5a5fd73acb24f635641c95f07996e681c7c1b7a7488883b4245e5
SSDEEP

196608:0cbx59onJ5hrZERMB2WZufOuD9LP48RmU/3ZlsPv1KyI5DTs8CxsffacgUi:hx59c5hlERo2WmfDZPtN3ZWAyuBgU

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

192.168.2.213:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Loads dropped DLL 6 IoCs

pid	Process
4568	2024-03-19_fb895d45dea1114be6ed66ce0f608a83_ryuk.exe
4568	2024-03-19_fb895d45dea1114be6ed66ce0f608a83_ryuk.exe
4568	2024-03-19_fb895d45dea1114be6ed66ce0f608a83_ryuk.exe
4568	2024-03-19_fb895d45dea1114be6ed66ce0f608a83_ryuk.exe
4568	2024-03-19_fb895d45dea1114be6ed66ce0f608a83_ryuk.exe
4568	2024-03-19_fb895d45dea1114be6ed66ce0f608a83_ryuk.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 4568	4384	2024-03-19_fb895d45dea1114be6ed66ce0f608a83_ryuk.exe	93
PID 4384 wrote to memory of 4568	4384	2024-03-19_fb895d45dea1114be6ed66ce0f608a83_ryuk.exe	93

C:\Users\Admin\AppData\Local\Temp\2024-03-19_fb895d45dea1114be6ed66ce0f608a83_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_fb895d45dea1114be6ed66ce0f608a83_ryuk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Users\Admin\AppData\Local\Temp\2024-03-19_fb895d45dea1114be6ed66ce0f608a83_ryuk.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-03-19_fb895d45dea1114be6ed66ce0f608a83_ryuk.exe"
  2⤵
  - Loads dropped DLL
  PID:4568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI43842\22.exe.manifest

Filesize
1KB

MD5
674f5079cb5fb94ee3740e2eda6ed880

SHA1
0a7ba7eaad338943e59b9ce7fd550809bcda1863

SHA256
6a2fdf983f58479923c657fc18941feee0daa500f3435adcd4291c2961f13212

SHA512
f4ec6acb3cbd426e7e800677ba941a2653ebd81592a9f2b2e97820e2ce7c0c18ff534065ea700275dd676890210f357173c5a65bed8000490d2a2356a73f3323

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43842\VCRUNTIME140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43842\_ctypes.pyd

Filesize
123KB

MD5
4d13a7b3ecc8c7dc96a0424c465d7251

SHA1
0c72f7259ac9108d956aede40b6fcdf3a3943cb5

SHA256
2995ef03e784c68649fa7898979cbb2c1737f691348fae15f325d9fc524df8ed

SHA512
68ff7c421007d63a970269089afb39c949d6cf9f4d56aff7e4e0b88d3c43cfaa352364c5326523386c00727cc36e64274a51b5dbb3a343b16201cf5fc264fec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43842\_socket.pyd

Filesize
77KB

MD5
eb974aeda30d7478bb800bb4c5fbc0a2

SHA1
c5b7bc326bd003d42bcf620d657cac3f46f9d566

SHA256
1db7b4f6ae31c4d35ef874eb328f735c96a2457677a3119e9544ee2a79bc1016

SHA512
f9eea3636371ba508d563cf21541a21879ce50a5666e419ecfd74255c8decc3ae5e2ceb4a8f066ae519101dd71a116335a359e3343e8b2ff3884812099ae9b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43842\base_library.zip

Filesize
764KB

MD5
959d65c30ca8109e1d261afabe0f8093

SHA1
fac678088e4143339f32ecac5d8c97a81e00c209

SHA256
8e5518bf5dea43f9a8ecf304cd92a224e5f7a860894e391c53d4ea64de4b361f

SHA512
0321f7e62e9e36055e1d3bea652689396ff741d957099d9efb9092048aa86d3c572aa4e950e0d0319a031861af18896d55d029b6121c49a4238eb55bf5d4962e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43842\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43842\python38.dll

Filesize
4.0MB

MD5
3cd1e87aeb3d0037d52c8e51030e1084

SHA1
49ecd5f6a55f26b0fb3aeb4929868b93cc4ec8af

SHA256
13f7c38dc27777a507d4b7f0bd95d9b359925f6f5bf8d0465fe91e0976b610c8

SHA512
497e48a379885fdd69a770012e31cd2a62536953e317bb28e3a50fdb177e202f8869ea58fc11802909cabb0552d8c8850537e9fb4ead7dd14a99f67283182340

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43842\select.pyd

Filesize
26KB

MD5
08b499ae297c5579ba05ea87c31aff5b

SHA1
4a1a9f1bf41c284e9c5a822f7d018f8edc461422

SHA256
940fb90fd78b5be4d72279dcf9c24a8b1fcf73999f39909980b12565a7921281

SHA512
ab26f4f80449aa9cc24e68344fc89aeb25d5ba5aae15aeed59a804216825818edfe31c7fda837a93a6db4068ccfb1cc7e99173a80bd9dda33bfb2d3b5937d7e9

Download Submit
memory/4568-961-0x00000258D6630000-0x00000258D6631000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads