Malware Analysis Report

2025-04-03 18:49

Sample ID 241109-t2pntsxhlc
Target c7f16cc86aeeb1446cec2eb0a3b8f269927ae709278893f5fabf3964fe659351
SHA256 c7f16cc86aeeb1446cec2eb0a3b8f269927ae709278893f5fabf3964fe659351
Tags
metasploit backdoor discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c7f16cc86aeeb1446cec2eb0a3b8f269927ae709278893f5fabf3964fe659351

Threat Level: Known bad

The file c7f16cc86aeeb1446cec2eb0a3b8f269927ae709278893f5fabf3964fe659351 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor discovery trojan

MetaSploit

Metasploit family

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 16:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 16:33

Reported

2024-11-09 16:35

Platform

win7-20241023-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7f16cc86aeeb1446cec2eb0a3b8f269927ae709278893f5fabf3964fe659351.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Metasploit family

metasploit

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c7f16cc86aeeb1446cec2eb0a3b8f269927ae709278893f5fabf3964fe659351.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c7f16cc86aeeb1446cec2eb0a3b8f269927ae709278893f5fabf3964fe659351.exe

"C:\Users\Admin\AppData\Local\Temp\c7f16cc86aeeb1446cec2eb0a3b8f269927ae709278893f5fabf3964fe659351.exe"

Network

Country Destination Domain Proto
CN 106.53.106.50:9091 tcp
CN 106.53.106.50:9091 tcp

Files

memory/108-0-0x0000000000020000-0x0000000000021000-memory.dmp

memory/108-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/108-5-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 16:33

Reported

2024-11-09 16:35

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7f16cc86aeeb1446cec2eb0a3b8f269927ae709278893f5fabf3964fe659351.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Metasploit family

metasploit

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c7f16cc86aeeb1446cec2eb0a3b8f269927ae709278893f5fabf3964fe659351.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c7f16cc86aeeb1446cec2eb0a3b8f269927ae709278893f5fabf3964fe659351.exe

"C:\Users\Admin\AppData\Local\Temp\c7f16cc86aeeb1446cec2eb0a3b8f269927ae709278893f5fabf3964fe659351.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
CN 106.53.106.50:9091 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/1276-0-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/1276-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1276-3-0x0000000000400000-0x0000000000409000-memory.dmp