metasploit | f8a6cd0e823b75e2a78cf192f085a33d3ed00b2e0eb2808eebaddf1c7bb0984e

Analysis

max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

neki.exe
Size

5.5MB
MD5

235dfe8638e036d691e6b844c612921e
SHA1

bc14226d20b69065fe036c1742f84804137aa34a
SHA256

f8a6cd0e823b75e2a78cf192f085a33d3ed00b2e0eb2808eebaddf1c7bb0984e
SHA512

c0401cbf88c28e323a2ecf33337d970244d910ee06725e88d64fd78b51e5980296a27d04bc11ec85ddc243c0f4cc352837c79dc9525040f19087be93e380e67d
SSDEEP

49152:PuJtXnyHGUKf8bdu99LYYk8StNVQsPDLYH4TMcBaPBDATvHi8FjpKOPswdcLMR4i:GejtH32YMcaPBZO9YHPhwpBmGdT

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

69.69.69.69:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 1 IoCs

Processes:

decoded_payload.exe

pid	Process
2320	decoded_payload.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

decoded_payload.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	decoded_payload.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

decoded_payload.exe

pid	Process
2320	decoded_payload.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

neki.execmd.exe

description	pid	Process	procid_target
PID 2816 wrote to memory of 2452	2816	neki.exe	32
PID 2816 wrote to memory of 2452	2816	neki.exe	32
PID 2816 wrote to memory of 2452	2816	neki.exe	32
PID 2452 wrote to memory of 2320	2452	cmd.exe	33
PID 2452 wrote to memory of 2320	2452	cmd.exe	33
PID 2452 wrote to memory of 2320	2452	cmd.exe	33
PID 2452 wrote to memory of 2320	2452	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\neki.exe
"C:\Users\Admin\AppData\Local\Temp\neki.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\decoded_payload.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Users\Admin\AppData\Local\Temp\decoded_payload.exe
    C:\Users\Admin\AppData\Local\Temp\decoded_payload.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\decoded_payload.exe

Filesize
72KB

MD5
e2105e0cb01b1c6bbb164bdb5b0f96eb

SHA1
e139071588c57844e342f2208674b0b91db0a843

SHA256
5c1fd6dfc9e0547b60c1614b413cfd8fc36c221231824dd1f8e043b7b8b16241

SHA512
ed0e9af653ddf1835a1c41fd3f65e617082fc8e5ea8af6945c6968de1125a951b9b8475706ddd3eb9b86675328e5d29c8b1e4980277d3e8d87809971d5420180

Download Submit
memory/2320-4-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2816-1-0x000000013F0E0000-0x000000013F5F4000-memory.dmp

Filesize
5.1MB

Download