metasploit | d4f68695285e2f4f3c6565d805a0f89b5301787b6893890c9e0b85617fbc3b14

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-09-2024 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Linux-auf-einem-Blatt.exe
Size

72KB
MD5

6fae28b9c46ebdb2c77e7e002dbc59a3
SHA1

66102f83f80037055d5219fd2e16aaa998449d80
SHA256

944f793757f7c34bf6446676a2aca49e98346bf94a1c3b2d7675d16425d95a8b
SHA512

de79e9f3bb629fc8995e14ba0148121184e56e7d971b60086a8695b2f91a8270c211d21ca5e16758e29b127d7eb0f3ed84bdd40d55b7ca10780511d95cda94e5
SSDEEP

1536:IJPDWLtwvFlxmiv9rGvqpG41bS1ywMb+KR0Nc8QsJq39:k0tSFBWqpGebS1Ne0Nc8QsC9

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/exec

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Linux-auf-einem-Blatt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 3056	2512	Linux-auf-einem-Blatt.exe	30
PID 2512 wrote to memory of 3056	2512	Linux-auf-einem-Blatt.exe	30
PID 2512 wrote to memory of 3056	2512	Linux-auf-einem-Blatt.exe	30
PID 2512 wrote to memory of 3056	2512	Linux-auf-einem-Blatt.exe	30

C:\Users\Admin\AppData\Local\Temp\Linux-auf-einem-Blatt.exe
"C:\Users\Admin\AppData\Local\Temp\Linux-auf-einem-Blatt.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\calc.exe
  calc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2512-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download