metasploit | 31d83642449bc805b39c3c96ede7eb92b0c1fe96e8e80a3668452549d9448bf9

Analysis

max time kernel
129s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3885ab0ba1f5696660edb2ff83f748f0_NeikiAnalytics.exe
Size

1.3MB
MD5

3885ab0ba1f5696660edb2ff83f748f0
SHA1

9111c9ac9aae58821902c702d9c6cfa40a80635e
SHA256

31d83642449bc805b39c3c96ede7eb92b0c1fe96e8e80a3668452549d9448bf9
SHA512

f256e73c28c9ed0f4bb75bb0882f68c8a4920a3c31ef62f1a8943e089399551634643960dd84dee4a478d06244c33759136802698c2a813df712f3728d0b3bb7
SSDEEP

24576:VaPnAOx5SUXJW/D4xUa38vKdTIkpgSWC+osF0jzZVb+t35cMYlG96NMBJMncaMvT:V0x5SUW/cxUitIGLsF0nb+tJVYleAMzH

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://2dbd-103-21-170-170.ngrok.io:80/Hth8

Attributes

headers User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 2dbd-103-21-170-170.ngrok.io
8 2dbd-103-21-170-170.ngrok.io

flow	ioc
3	2dbd-103-21-170-170.ngrok.io
8	2dbd-103-21-170-170.ngrok.io

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1504	4948	WerFault.exe	3885ab0ba1f5696660edb2ff83f748f0_NeikiAnalytics.exe
5092	4948	WerFault.exe	3885ab0ba1f5696660edb2ff83f748f0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\3885ab0ba1f5696660edb2ff83f748f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3885ab0ba1f5696660edb2ff83f748f0_NeikiAnalytics.exe"
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1540
2⤵
- Program crash
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1516
2⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4948 -ip 4948
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4948 -ip 4948
1⤵
PID:2272

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4948-0-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/4948-7-0x0000000003090000-0x0000000003490000-memory.dmp

Filesize
4.0MB

Download