metasploit | e1579bd0d471cdfbcadbb1b27454da080a6a5e13021033208b7592ccea607320

Analysis

max time kernel
139s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8597aa1db8457c9b8e2e636c55a56978.exe
Size

72KB
MD5

8597aa1db8457c9b8e2e636c55a56978
SHA1

d6ee74a13ee56eb7556e88b5b646e1c3581bf163
SHA256

e1579bd0d471cdfbcadbb1b27454da080a6a5e13021033208b7592ccea607320
SHA512

943299ec65c1ebf0e74725648419ca76bdba72cbc39accb63305f57bba45c88227e9df80aebea9dfe47014c534e7067e7e844584356c6a39097d816c27c6a22f
SSDEEP

1536:IufFI9hcqd4hsUg072KIw3GbzToOMb+KR0Nc8QsJq39:ffFIIqCsl0SPw3ge0Nc8QsC9

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

http://downsexv.com:8080/pptFudI4N_bZd9h2vlE2HgX6nJupnvnNvPpodtqLmxX2OC5MJtjR8Cw2hx7Jj0FM_ofkLnmJ

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4396	896	WerFault.exe	83
3896	896	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8597aa1db8457c9b8e2e636c55a56978.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8597aa1db8457c9b8e2e636c55a56978.exe

C:\Users\Admin\AppData\Local\Temp\8597aa1db8457c9b8e2e636c55a56978.exe
"C:\Users\Admin\AppData\Local\Temp\8597aa1db8457c9b8e2e636c55a56978.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1168
  2⤵
  - Program crash
  PID:4396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1176
  2⤵
  - Program crash
  PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 896 -ip 896
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 896 -ip 896
1⤵
PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/896-0-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/896-1-0x0000000002E10000-0x0000000003210000-memory.dmp

Filesize
4.0MB

Download