metasploit | dd45f4bab326a2d9a1eab543fd3f34584fb276c9c0f2ced514105511c293367f

Analysis

max time kernel
117s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd45f4bab326a2d9a1eab543fd3f34584fb276c9c0f2ced514105511c293367f.exe
Size

85KB
MD5

ad19353c8bc17322f767b6d74b5abd64
SHA1

f5a7c9815615d208427638547bac0e186b14a829
SHA256

dd45f4bab326a2d9a1eab543fd3f34584fb276c9c0f2ced514105511c293367f
SHA512

63fcdf6c0fac65a993f8be2cda5d0b4fd1fe53c7939947caa259a3ee012b411175751070e51a6e532d3fe8346e6e08da5cf7f2f02de4e4355090af26363bf058
SSDEEP

1536:qKwAl4uglgtS5fpGI1X1O9BKgYqQKBuAhqQzhBl17AsWvDBcdP9axGQZE/:7zonT1X9qQKEA3lvP9axGQZE/

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

192.168.8.219:3333

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3012 2476 WerFault.exe dd45f4bab326a2d9a1eab543fd3f34584fb276c9c0f2ced514105511c293367f.exe

pid	pid_target	process	target process
3012	2476	WerFault.exe	dd45f4bab326a2d9a1eab543fd3f34584fb276c9c0f2ced514105511c293367f.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dd45f4bab326a2d9a1eab543fd3f34584fb276c9c0f2ced514105511c293367f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd45f4bab326a2d9a1eab543fd3f34584fb276c9c0f2ced514105511c293367f.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

dd45f4bab326a2d9a1eab543fd3f34584fb276c9c0f2ced514105511c293367f.exe

description	pid	process	target process
PID 2476 wrote to memory of 3012	2476	dd45f4bab326a2d9a1eab543fd3f34584fb276c9c0f2ced514105511c293367f.exe	WerFault.exe
PID 2476 wrote to memory of 3012	2476	dd45f4bab326a2d9a1eab543fd3f34584fb276c9c0f2ced514105511c293367f.exe	WerFault.exe
PID 2476 wrote to memory of 3012	2476	dd45f4bab326a2d9a1eab543fd3f34584fb276c9c0f2ced514105511c293367f.exe	WerFault.exe
PID 2476 wrote to memory of 3012	2476	dd45f4bab326a2d9a1eab543fd3f34584fb276c9c0f2ced514105511c293367f.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\dd45f4bab326a2d9a1eab543fd3f34584fb276c9c0f2ced514105511c293367f.exe
"C:\Users\Admin\AppData\Local\Temp\dd45f4bab326a2d9a1eab543fd3f34584fb276c9c0f2ced514105511c293367f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 44
  2⤵
  - Program crash
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2476-0-0x0000000000870000-0x0000000000889000-memory.dmp

Filesize
100KB

Download
memory/2476-1-0x0000000000870000-0x0000000000889000-memory.dmp

Filesize
100KB

Download