metasploit | 18ba6cd59749904247bade4b75429e2ac2c4ee2a6fe206ebd114e89283f8f5db | Triage

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 22:41

Sharing

Report Analysis Logs

General

Target

tmp.exe
Size

31KB
MD5

e9dc029457e9d23c8db988c4c0585bfa
SHA1

3d670aa59c97d831e5097b69734b994bf4144cbb
SHA256

18ba6cd59749904247bade4b75429e2ac2c4ee2a6fe206ebd114e89283f8f5db
SHA512

3a6138fd199b3cd0a12f4a1ca193823b32afa557a3d7af5e279cc96edb3fcab31fcf6bbff357d089331f47a295e83222f17a45be3dd4254de88b06bf98f379a9
SSDEEP

192:+np66k5gQDVAU3l6+eKdv3Zn4TJrJfsQ5XfDcyLwaBg1+Cfs2LzwYDK7UlVSq7j4:GO/5AwJtZ4RFskLt

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

124.221.70.199:8983

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tmp.exe

pid process

1172 tmp.exe
1172 tmp.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE
Token: SeShutdownPrivilege	3504	Explorer.EXE
Token: SeCreatePagefilePrivilege	3504	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3504 Explorer.EXE
3504 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3504 Explorer.EXE
Suspicious use of WriteProcessMemory 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1172 wrote to memory of 3504 1172 tmp.exe Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:3504

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3504-0-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/3504-1-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download