metasploit | a33f295649eea0542da21ed408566d07f7c3729c058ff07580326d0a9956aa75

Analysis

max time kernel
95s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.exe
Size

2.8MB
MD5

cf14880e3a7fba74c80f21685cd15718
SHA1

11239529295f20e5a99a8fd82bf1ffbe492b66b1
SHA256

a33f295649eea0542da21ed408566d07f7c3729c058ff07580326d0a9956aa75
SHA512

ed9d6c6f07a6a6235f36d04f23d360a7762dfca75590c649b740375111e95a3e6eb510c5a26c98762c834cb3938c583bf3545c1939e28ac8efc2ae10b1892ec5
SSDEEP

49152:VstPILbiw+k7U5kl/qLigcrOJEYkB7OJv6073bIVmRTqRLDIPHo:VwgLGwjI5klUigKYkBEvHPIoRQDI

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://123.60.104.67:32132/EoDd

Attributes

headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MATM)

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Loads dropped DLL 3 IoCs

pid	Process
3364	.exe
3364	.exe
3364	.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	3364	.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 3364	2824	.exe	83
PID 2824 wrote to memory of 3364	2824	.exe	83
PID 2824 wrote to memory of 3364	2824	.exe	83

C:\Users\Admin\AppData\Local\Temp\.exe
"C:\Users\Admin\AppData\Local\Temp\.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\.exe
  "C:\Users\Admin\AppData\Local\Temp\.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI28242\VCRUNTIME140.dll

Filesize
84KB

MD5
ae96651cfbd18991d186a029cbecb30c

SHA1
18df8af1022b5cb188e3ee98ac5b4da24ac9c526

SHA256
1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1

SHA512
42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\_ctypes.pyd

Filesize
106KB

MD5
4e83a56251ca7dfb90cb00bf5b09f94d

SHA1
330de9842a3d08fc2c0bc06a25d49215cb6bbccd

SHA256
8d70a587e9ed176c832d77303cbea5a13ed8842e849901e60366866843142dc7

SHA512
3d03bcb7ec27dc80b9c024af6f6759358fd8fea2fe8d7965b91e149b36c9329599313340f2084755968b0f0852e7f0fadd47f868a77890beca336e5aee1c517f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\base_library.zip

Filesize
777KB

MD5
0e6058a5f76271c2e67f526ecf1dd1e7

SHA1
9266d66b72db5e3d1dfcf7e8be0dd2dc409cb53a

SHA256
ab3b96de6190cd8aa7d49f41530047e7aa39e4d620d79665bd88e4e1beed6a62

SHA512
f71f8d85974520546951105e0ccb6c49df0f561498648182eec6c983e27d775a7d8b38ca4b01b46c9f0660d974291fc78ed57042ab0a543273aac6a34fd37323

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28242\python37.dll

Filesize
3.4MB

MD5
b2e185e8c4d4363be4c36daa937fe9af

SHA1
6f87fef0e80e27c7bae8d19d872757c0b672c6d1

SHA256
ff6f30872f09494bfdf0f79e94a0e52a2d7a8a9aecb348b1e5c44c5921ace76e

SHA512
1b3242ea029e9d32ca1044367422a46ee06e5008cf0b9cb7e3f8ec8d9c79e2bea419ecbc5ce6d5899b267733c39709df084386ffda2720f3aff1885acceccb51

Download Submit
memory/3364-14-0x0000000001440000-0x0000000001441000-memory.dmp

Filesize
4KB

Download