metasploit | bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe
Size

401KB
MD5

afcd5cc03a3f1ad37809812677874828
SHA1

bd2f9c861440b5b050a9bb7cf1b7785d2bc4bbac
SHA256

bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461
SHA512

924e0d9e9b8cee9b0250fca5e3074419b253d7332b23e71920377eaf38f7e4578086303acaf141fee428f6370d0c3dc2b6380da8a0877534625877afcf8043fe
SSDEEP

12288:uubsNSOetfARQAPyGU2X+tZ/iU5rhd4Ws0H1o:uubsnafAPyjt/iKrJ9H1o

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

192.168.72.128:1234

192.168.72.128:1111

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe

Executes dropped EXE 2 IoCs

Processes:

QQ浏览器.exeroot.exe

pid process

5092 QQ浏览器.exe
432 root.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5092	QQ浏览器.exe
432	root.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe

description	pid	process	target process
PID 1124 wrote to memory of 5092	1124	bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe	QQ浏览器.exe
PID 1124 wrote to memory of 5092	1124	bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe	QQ浏览器.exe
PID 1124 wrote to memory of 5092	1124	bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe	QQ浏览器.exe
PID 1124 wrote to memory of 432	1124	bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe	root.exe
PID 1124 wrote to memory of 432	1124	bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe	root.exe
PID 1124 wrote to memory of 432	1124	bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe	root.exe

C:\Users\Admin\AppData\Local\Temp\bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe
"C:\Users\Admin\AppData\Local\Temp\bc275e53bb36047b5cb68b40ac6b5a9e170599b39f0c4ea4bb781dce3fa20461.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1124

C:\QQ浏览器.exe
"C:\QQ浏览器.exe"
2⤵
- Executes dropped EXE
PID:5092

C:\root.exe
"C:\root.exe"
2⤵
- Executes dropped EXE
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\QQ浏览器.exe
Filesize
72KB

MD5
c1f3078e5d3382cbac8152b21eeba5cb

SHA1
b106fe694e326b02039dafe1e1ed4f20aa19b05c

SHA256
a84bea6cf0e2f9e36bc524fedc51e2ec39e4bd3a5aa346a24b7943eca15cbdfd

SHA512
1b02ae6757986f37578860eda53ff8e433374bb6619b887432f7377d4e8cad9bc0d928c6b05d10e05eaeb0bd38f8659ec9881e836421720f4428f756ebb7bf38

Download Submit
C:\root.exe
Filesize
72KB

MD5
bad1f225aa7e82094d7703f361c0bae0

SHA1
c15b5c91525d3ea0208933411420befccdbfbf52

SHA256
8ab95f9aac9eff432e9c14c75f05392e04a312fce9f0cb4f16309acb59476bb7

SHA512
cc87c5f5cf4a89b74708985faff0fbd6168af07546a1a9c49aba73abc3463d7b3392ddc033c508a8990b51680e611bb944aa9fb06842e8960228951a26171b92

Download Submit
memory/432-25-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/5092-24-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download