metasploit | 2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab

Analysis

max time kernel
140s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe
Size

5.4MB
MD5

499e5b15ad0f2c512ee8225ed06103d5
SHA1

97cb3cebd8702b712c8f7bfb7bb27a724729a0d9
SHA256

2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab
SHA512

53eb82197556342410df21d1d701a42f47722191a03e802115948fbf6a306ea31f036b566396288f6001f268a03a3d9649cd829e578b15ce59d48bd1baba5757
SSDEEP

98304:LZ3l32PjR/7JNk2heNhj786Hw9oecJllmv9QxTdTtkgC9LIx4ZSCQ:Xwl585soVmEtnCWSZB

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://45.61.136.138:443/Ew8h

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Loads dropped DLL 3 IoCs

Processes:

2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe

pid	process
3188	2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe
3188	2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe
3188	2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3076 3188 WerFault.exe 2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe

description pid process

Token: 35 3188 2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe

pid	pid_target	process	target process
3076	3188	WerFault.exe	2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe

description	pid	process
Token: 35	3188	2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe

description	pid	process	target process
PID 1532 wrote to memory of 3188	1532	2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe	2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe
PID 1532 wrote to memory of 3188	1532	2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe	2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe
PID 1532 wrote to memory of 3188	1532	2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe	2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe

C:\Users\Admin\AppData\Local\Temp\2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe
"C:\Users\Admin\AppData\Local\Temp\2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe
"C:\Users\Admin\AppData\Local\Temp\2999e6c141e1938be10947a5ee456d0deb20cd5dfd0caaf36ee2285abfc258ab.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 1912
3⤵
- Program crash
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3188 -ip 3188
1⤵
PID:4888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI15322\VCRUNTIME140.dll
Filesize
84KB

MD5
ae96651cfbd18991d186a029cbecb30c

SHA1
18df8af1022b5cb188e3ee98ac5b4da24ac9c526

SHA256
1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1

SHA512
42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15322\_ctypes.pyd
Filesize
106KB

MD5
a4dbe885d83a752b7bde32bf7f447959

SHA1
abdf727dbafb65fa6c153bb27f83b1248dc0dee1

SHA256
57c6fc42b59f8ab7fb24c12345c56e3ffb32b7e21ab34a7c32a96fb71e7cf177

SHA512
280616583576073fe0651457698ce2dc7e2a11549610d6d085790f6ad054993a2d54fa691769f2b0172dd5b474271022a9aec02483743e83e5ba08b0417859e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15322\base_library.zip
Filesize
768KB

MD5
3b3c618ee8a07c6c5e3ca7724e949e52

SHA1
2278f971a1bb73c205efa63f779990e36e99d063

SHA256
a8a52e2cfc1ac3f66c4fce7503f6fd99bd57aae36113ecf813f9c4d73e0f8e47

SHA512
ac56ee4e7c4b1bbf8aead3d293732b69e23f2506354365a2f9f806d823df325d87bcc19a778ec3c53fc592496577af44c4e65df313f98937e663e84319ad665d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15322\python37.dll
Filesize
3.4MB

MD5
d3773a598d5ee7000b780baeee632c89

SHA1
fad27813c9363865314f170b1f9307295a1b9527

SHA256
ce2fba169806999fe554031b3f65e6361d9fa3e280ed8bf886c97c96d5d623df

SHA512
372b80dae1886b3fb74cf0e733487ec8d69fb72cedaac16afa6272b7d4b3201455a752ef0cb8b8843f8389bd92b149960a18d33509aa6d8c33fe9308ae927564

Download Submit
memory/3188-61-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/3188-64-0x0000000004670000-0x0000000004A70000-memory.dmp

Filesize
4.0MB

Download