metasploit | ff931eeeeb4dab0545e6261b06ea3f581793406ce9f865ada181972a7b1e7e1e | Triage

Analysis

max time kernel
136s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 12:21

Sharing

Report Analysis Logs

General

Target

tinyxml.dll
Size

24KB
MD5

553fd99899eff49eb8cd3415cd8aa4f0
SHA1

3d6a2190be821d2133ef5464af878d5f4d13e408
SHA256

ff931eeeeb4dab0545e6261b06ea3f581793406ce9f865ada181972a7b1e7e1e
SHA512

4ab56ffba9aca3e9ab0fb3c1ce567f860d83b4f055ada4785ad26e53899d5aa9f5688592e25d21ab1d79dc7b45aef9e12ed0aa1086bfb64cb9c23a7840662719
SSDEEP

384:XtOfB+juJ5j7ICYPUcRlSkSib4bv5ONPWswX/X/:9OsKvALX4LswX/X

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://112.74.126.200:443/jquery-3.3.1.slim.min.js

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 1944 rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1012 wrote to memory of 1944	1012	rundll32.exe	rundll32.exe
PID 1012 wrote to memory of 1944	1012	rundll32.exe	rundll32.exe
PID 1012 wrote to memory of 1944	1012	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tinyxml.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\tinyxml.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:1944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1944-0-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download