metasploit | a82483d20fc1d574f0d1f4f5fd91a32a5007653e0d0b100b2ca64933300db936

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a82483d20fc1d574f0d1f4f5fd91a32a5007653e0d0b100b2ca64933300db936.exe
Size

404KB
MD5

2acfaf4eb039155976d0ac9685bf4e43
SHA1

973e86e24d8e41db0ce2fe9a09a3bfe67ad6b140
SHA256

a82483d20fc1d574f0d1f4f5fd91a32a5007653e0d0b100b2ca64933300db936
SHA512

bf7778bda716ac24c86e80ae65988a6f8d58e1a380b3dbf01256d38e9390f159c21f78ade0be8099b7e049d69d8134a09d34ba11506dbae460cb2256074e9a23
SSDEEP

6144:hDlB1Lwx1CBBvADVxM2jdakcDGKLOwC5IJIov+MBX+tWdKd6SQ:h7XCVxM2xaPDGjnI+YBX+tWEO

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://206.166.251.28:80/jLOW

Attributes

headers User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 1 IoCs

pid	Process
2992	start64X32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2944	1800	a82483d20fc1d574f0d1f4f5fd91a32a5007653e0d0b100b2ca64933300db936.exe	30
PID 1800 wrote to memory of 2944	1800	a82483d20fc1d574f0d1f4f5fd91a32a5007653e0d0b100b2ca64933300db936.exe	30
PID 1800 wrote to memory of 2944	1800	a82483d20fc1d574f0d1f4f5fd91a32a5007653e0d0b100b2ca64933300db936.exe	30
PID 2944 wrote to memory of 2380	2944	WScript.exe	31
PID 2944 wrote to memory of 2380	2944	WScript.exe	31
PID 2944 wrote to memory of 2380	2944	WScript.exe	31
PID 2380 wrote to memory of 2536	2380	cmd.exe	33
PID 2380 wrote to memory of 2536	2380	cmd.exe	33
PID 2380 wrote to memory of 2536	2380	cmd.exe	33
PID 2536 wrote to memory of 2992	2536	cmd.exe	34
PID 2536 wrote to memory of 2992	2536	cmd.exe	34
PID 2536 wrote to memory of 2992	2536	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\a82483d20fc1d574f0d1f4f5fd91a32a5007653e0d0b100b2ca64933300db936.exe
"C:\Users\Admin\AppData\Local\Temp\a82483d20fc1d574f0d1f4f5fd91a32a5007653e0d0b100b2ca64933300db936.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\start64X32.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Public\start64X32.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Users\Public\start64X32.exe exploit all
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Users\Public\start64X32.exe
        
        C:\Users\Public\start64X32.exe exploit all
        5⤵
        Executes dropped EXE
        
        PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\start64X32.cmd

Filesize
53B

MD5
9fe897aebae8f04f53fad6c9b56ef95f

SHA1
1767f17445e4b9f03b7088751492a47f6b0e17a9

SHA256
0facc35ee9a222761102527c66f2224d7b86b1c8bff347eefd2bd0a351f53bf9

SHA512
8af3277ee428ffa4d4341cdbad2c52d6e576241efacc966d357d22d06babfeca608b13265948f263577e274e4db6f978b6d3bf4e428393c2a0bb367b6c28a593

Download Submit
C:\Users\Public\start64X32.exe

Filesize
23KB

MD5
d3c46519321800a8c412008247fd89c1

SHA1
3627d8195920ea09c7e62ce94dc64c354aeba78c

SHA256
9662baafc3b1796c67a884a2de426658eb2b22d7dea4da232edecc3f519308e5

SHA512
793923e22bd3ed966be2b6ba7687f50070e6e937ccc3d3d192418c5698938638d4eb2473c22865ad33c12042601c440df275a076f60744dd2e2c1f37149782ad

Download Submit
C:\Users\Public\start64X32.vbs

Filesize
115B

MD5
525366874023a8a95d5dabe50bd63371

SHA1
8636787caa00dfa9c06231f67da8dfb9cd58da49

SHA256
b2211cfa2ecd8cec86e145b4f43333ca7e06a506ba1cf895dd31887a33cfe88e

SHA512
6599082a7b51bcbef5149ef380b41d540a0ce074e49dd8b506953b860959b5f045639770b8e4cfbb008245daeaab92cbad49e3d7914791f4595fa9d7f6f5f9a7

Download Submit
memory/2992-13-0x000007FEF4FD3000-0x000007FEF4FD4000-memory.dmp

Filesize
4KB

Download
memory/2992-14-0x0000000000F40000-0x0000000000F4C000-memory.dmp

Filesize
48KB

Download