metasploit | b157c19e65749b948c98c865d91ea86e7071fd3f6250d3a174c1dd858f82f600

Analysis

max time kernel
97s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Win32.Meterpreter.exe
Size

72KB
MD5

ce230081a5cfa59dcbdd6eb62add34d0
SHA1

52fc1f1e36ccb0a3dc420a0f2da744bd8e1fea60
SHA256

b157c19e65749b948c98c865d91ea86e7071fd3f6250d3a174c1dd858f82f600
SHA512

90178c839c2c6435f60482e03b4bab15ae12d44d860a8c1a610bd03ee506d9b227e266b9211022fe6551c298724455e5910f43c08c1b8720e75d1003478f6532
SSDEEP

1536:ILTYdVOXow5KtNuEzzy45xD3uqBGMb+KR0Nc8QsJq39:u4w4i+Ge0Nc8QsC9

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/exec

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Win32.Meterpreter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1736	1668	Trojan.Win32.Meterpreter.exe	82
PID 1668 wrote to memory of 1736	1668	Trojan.Win32.Meterpreter.exe	82
PID 1668 wrote to memory of 1736	1668	Trojan.Win32.Meterpreter.exe	82

C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Meterpreter.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Meterpreter.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C echo 'OS{52f77b037b810a6294ad47031d9c93a3}'
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-0-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download