Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    04-11-2024 11:39

General

  • Target

    MFA_migration_patchv3.5.exe

  • Size

    2.9MB

  • MD5

    889b3e191a04ab49d4073595d75f588c

  • SHA1

    69f26dd90da1023d642803840d8c0683ed145721

  • SHA256

    75f8b70d8625cede00db1108c56ebcd577e6fc7b029b9eb2e47ffafefa669f88

  • SHA512

    c4a6d14abe872af5edfc1fb90da6787271ec624d6e1639f6c19c55be7d6d0cb563609abf78288695c4b63368f33cf84344659b4ba1c07d23e01ff0a3560fc6a8

  • SSDEEP

    49152:otg7ETQsdPk46ZJxwe8OGQQzqhwCdxKKTUqZIt7tTt+YsaGGCj/TeDeJQxHEExLS:mtdPRGS5maKZUga7tMFGNDtNEoJM

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://105.112.107.100:80/TncD

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Loads dropped DLL 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MFA_migration_patchv3.5.exe
    "C:\Users\Admin\AppData\Local\Temp\MFA_migration_patchv3.5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Users\Admin\AppData\Local\Temp\MFA_migration_patchv3.5.exe
      "C:\Users\Admin\AppData\Local\Temp\MFA_migration_patchv3.5.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1668

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI12842\Crypto.Cipher._AES.pyd

    Filesize

    28KB

    MD5

    dd3db5480eb52e8f69d47f3b725e6bfb

    SHA1

    cb14cda7f5e3e2b88c823e4d15643680398b361e

    SHA256

    51054f4d28782b6698b1b6510317650e797e11f87fa29fceaf8559b6bcbf4dfe

    SHA512

    c94216dcd0dc3000304b2b4704dd29bfeed35c9b6158d3ff1cc86084a1753060b72bd48678d5662c8e10205e1a866361f7a455f177dbf364814ee317679bff23

  • C:\Users\Admin\AppData\Local\Temp\_MEI12842\_ctypes.pyd

    Filesize

    85KB

    MD5

    d0e6bee31c7f2b0de979562ce5f6444f

    SHA1

    9223853061b067f7af17007067d24ce746917d1d

    SHA256

    f6fb937147342609a793a1ccb839ad504ec0e7807d072a9ac6eb51ba846e17a9

    SHA512

    3d64a460178479eec3cd1a65421dafb78b15011fcae472873ab28fb1ecc42482d00b141426874b12beef9247ad6b4afe1bd723d398f37d44316bc1b9c4dba434

  • C:\Users\Admin\AppData\Local\Temp\_MEI12842\python27.dll

    Filesize

    2.3MB

    MD5

    df1a706ed563fa3f0b48f427609708f4

    SHA1

    5c479ffca8a2d71023c2522f54ed3f6f36f88e79

    SHA256

    5c4f7eb850cb4ebd35c039be7319e2ed05439418884d414001e015c4637585fc

    SHA512

    8757e27d78291f48237a5b4b15cea26d08d03c8b9ff1ad61c50d890b3e8b62fd0db819959b9c13b3d88ebe3e54ae176fc67d02ffe62c89c577af1866cb238a73

  • memory/1668-18-0x0000000002410000-0x0000000002411000-memory.dmp

    Filesize

    4KB