metasploit | 894d86fb6f89f89108966284fca6573e4f83ab81004768bc2fde1a92c65fbc9c

Analysis

max time kernel
140s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/09/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

894d86fb6f89f89108966284fca6573e4f83ab81004768bc2fde1a92c65fbc9c.exe
Size

14KB
MD5

60887a5da3edb20ffc21893510b11735
SHA1

2cf22313d80f5bfa6b79dc881849fb8e5fe31acb
SHA256

894d86fb6f89f89108966284fca6573e4f83ab81004768bc2fde1a92c65fbc9c
SHA512

cdfa333eaed0f9fbde1d2768c0cd24ba4c1f8b7f024fd4dead11bb15cbdecbba2876097661ffc9544dd5fd4f38ba5f22a576017f72ced7cf2cee4119e532090f
SSDEEP

192:53mbPYCfMcrfOIuZmvKQxtzlSIVX6NOlqQ3p6ejDMN1:AMCfrfQ6tBSIGQoeUN1

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://89.197.154.115:7700/LXvB

Attributes

headers User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; Touch; MASPJS)

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2564	2796	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	894d86fb6f89f89108966284fca6573e4f83ab81004768bc2fde1a92c65fbc9c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2564	2796	894d86fb6f89f89108966284fca6573e4f83ab81004768bc2fde1a92c65fbc9c.exe	30
PID 2796 wrote to memory of 2564	2796	894d86fb6f89f89108966284fca6573e4f83ab81004768bc2fde1a92c65fbc9c.exe	30
PID 2796 wrote to memory of 2564	2796	894d86fb6f89f89108966284fca6573e4f83ab81004768bc2fde1a92c65fbc9c.exe	30
PID 2796 wrote to memory of 2564	2796	894d86fb6f89f89108966284fca6573e4f83ab81004768bc2fde1a92c65fbc9c.exe	30

C:\Users\Admin\AppData\Local\Temp\894d86fb6f89f89108966284fca6573e4f83ab81004768bc2fde1a92c65fbc9c.exe
"C:\Users\Admin\AppData\Local\Temp\894d86fb6f89f89108966284fca6573e4f83ab81004768bc2fde1a92c65fbc9c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 744
  2⤵
  - Program crash
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2796-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2796-1-0x0000000003CD0000-0x00000000040D0000-memory.dmp

Filesize
4.0MB

Download
memory/2796-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download