metasploit | a9ca7cef581ef414f1e14589b0af174b21c170d760c40b4e18e88e85b158d35d

Analysis

max time kernel
140s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AsyncRAT/Compiler.exe
Size

35KB
MD5

a199404323bde09f8fd1de83acf6c347
SHA1

189f69f8b68794187b4e0b934094a6e1e6872cc1
SHA256

26f77e60b068688199c48b270b1a0507eae287c4877f1d7f6cc9d2ce9cb51ef4
SHA512

689ad513f1e78edfd1221e9ea5ed894d8ca6d2f8384a0508eec0483697eced51530324df74890049fab084fa375026a03ac075274bde04f21b18dcfc73f5787b
SSDEEP

768:s4KUggoz8KkmtyRaAI3XIOsWrXbOfq1Tk5Rd9:s4KUggoz8Kk6y8rvbOD5RH

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

3.129.187.220:16333

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 1 IoCs

pid	Process
2968	svhost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2688	Compiler.exe
2688	Compiler.exe
2688	Compiler.exe
2688	Compiler.exe
2688	Compiler.exe
2688	Compiler.exe
2688	Compiler.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	Compiler.exe
Token: SeRestorePrivilege	2696	7z.exe
Token: 35	2696	7z.exe
Token: SeSecurityPrivilege	2696	7z.exe
Token: SeSecurityPrivilege	2696	7z.exe
Token: SeRestorePrivilege	5060	7z.exe
Token: 35	5060	7z.exe
Token: SeSecurityPrivilege	5060	7z.exe
Token: SeSecurityPrivilege	5060	7z.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2696	2688	Compiler.exe	84
PID 2688 wrote to memory of 2696	2688	Compiler.exe	84
PID 2688 wrote to memory of 5060	2688	Compiler.exe	89
PID 2688 wrote to memory of 5060	2688	Compiler.exe	89
PID 2688 wrote to memory of 2968	2688	Compiler.exe	93
PID 2688 wrote to memory of 2968	2688	Compiler.exe	93

C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Compiler.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Compiler.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" x "logs.rar" -o"C:\Users\Admin\AppData\Local\Temp\AsyncRAT" -y -pwindows64bit
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" x "logs.rar" -o"C:\Users\Admin\AppData\Local\Temp\" -y -pwindows64bit
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5060
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  PID:2968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pzy20onc.mwd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp\svhost.exe

Filesize
7KB

MD5
69d8cd82bc13998cb65eb503e7b8af40

SHA1
020ee8c8e55d87f0e23f87066fb1311d71bafda6

SHA256
0347eb075ac1ce6b6fe2bbbe024ab0061ca4eb978f357b054186746650a2a425

SHA512
5251b25204eaf2d8f4a91db157efee882c2962f0faab168d105ad3199077a310400a50972d3f86bc0f7276105728cbbd0a9ec8eb19f03beb041e86657b53f7ee

Download Submit
memory/2688-1-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/2688-0-0x00007FF8F62D3000-0x00007FF8F62D5000-memory.dmp

Filesize
8KB

Download
memory/2688-11-0x000000001AC60000-0x000000001AC82000-memory.dmp

Filesize
136KB

Download
memory/2688-12-0x00007FF8F62D0000-0x00007FF8F6D91000-memory.dmp

Filesize
10.8MB

Download
memory/2688-25-0x00007FF8F62D3000-0x00007FF8F62D5000-memory.dmp

Filesize
8KB

Download
memory/2688-26-0x00007FF8F62D0000-0x00007FF8F6D91000-memory.dmp

Filesize
10.8MB

Download
memory/2688-28-0x00007FF8F62D0000-0x00007FF8F6D91000-memory.dmp

Filesize
10.8MB

Download
memory/2968-24-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download