metasploit | 27d27aac715339306f29e12bd5cf3a4c89626e6c34c7238b9588d70d679cf873

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/11/2024, 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27d27aac715339306f29e12bd5cf3a4c89626e6c34c7238b9588d70d679cf873N.exe
Size

98KB
MD5

5a787cec207bca58a7e87537214a6400
SHA1

148f8aee4a80116f5c5ecf91372c4b3931fb5e82
SHA256

27d27aac715339306f29e12bd5cf3a4c89626e6c34c7238b9588d70d679cf873
SHA512

0f1929a9e493546457249737acbbc467a1d589f39f05e50a9e0acc9225a15622fa4aae67690c671969d618879111b16fca0f843546b35905072803a264d9209c
SSDEEP

1536:ZwOJ+QncfQgie0AkOJEBrLLePs1qgashmGjLmZOrxb:ZwDoesrxb

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

192.168.42.244:5678

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2652	2676	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27d27aac715339306f29e12bd5cf3a4c89626e6c34c7238b9588d70d679cf873N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2652	2676	27d27aac715339306f29e12bd5cf3a4c89626e6c34c7238b9588d70d679cf873N.exe	31
PID 2676 wrote to memory of 2652	2676	27d27aac715339306f29e12bd5cf3a4c89626e6c34c7238b9588d70d679cf873N.exe	31
PID 2676 wrote to memory of 2652	2676	27d27aac715339306f29e12bd5cf3a4c89626e6c34c7238b9588d70d679cf873N.exe	31
PID 2676 wrote to memory of 2652	2676	27d27aac715339306f29e12bd5cf3a4c89626e6c34c7238b9588d70d679cf873N.exe	31

C:\Users\Admin\AppData\Local\Temp\27d27aac715339306f29e12bd5cf3a4c89626e6c34c7238b9588d70d679cf873N.exe
"C:\Users\Admin\AppData\Local\Temp\27d27aac715339306f29e12bd5cf3a4c89626e6c34c7238b9588d70d679cf873N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 56
  2⤵
  - Program crash
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2676-0-0x0000000000EF0000-0x0000000000F0D000-memory.dmp

Filesize
116KB

Download