metasploit | 42ae60f29d5f12e14056c8a043556fb53bb1fafd33693135105d6beee3d494db

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-11-2024 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-14_d6c4530793537e06d81ed8d4025bf372_karagany_mafia.exe
Size

2.9MB
MD5

d6c4530793537e06d81ed8d4025bf372
SHA1

749eeb5bc7456594354cd587cc614e55e637cc3d
SHA256

42ae60f29d5f12e14056c8a043556fb53bb1fafd33693135105d6beee3d494db
SHA512

577627978c642af4a38c4d10d3ee9596708178c8e936d869c8f1ede1bf6fcbdf91df82e74ba7fb3d6b3c6c2667dab87a0737d78afbec613693586185c1b0e908
SSDEEP

49152:otg7ETQsdSKNQ5bzPQzqhwCdxKKTUqZIt7tTt+YsaGGCj/TeDeJQxHEExLz4k8:mtdSOQ5XImaKZUga7tMFGNDtNEoJ8

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://105.112.178.164:80/SRho

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Loads dropped DLL 3 IoCs

pid	Process
2492	2024-11-14_d6c4530793537e06d81ed8d4025bf372_karagany_mafia.exe
2492	2024-11-14_d6c4530793537e06d81ed8d4025bf372_karagany_mafia.exe
2492	2024-11-14_d6c4530793537e06d81ed8d4025bf372_karagany_mafia.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-14_d6c4530793537e06d81ed8d4025bf372_karagany_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-14_d6c4530793537e06d81ed8d4025bf372_karagany_mafia.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2492	2708	2024-11-14_d6c4530793537e06d81ed8d4025bf372_karagany_mafia.exe	30
PID 2708 wrote to memory of 2492	2708	2024-11-14_d6c4530793537e06d81ed8d4025bf372_karagany_mafia.exe	30
PID 2708 wrote to memory of 2492	2708	2024-11-14_d6c4530793537e06d81ed8d4025bf372_karagany_mafia.exe	30
PID 2708 wrote to memory of 2492	2708	2024-11-14_d6c4530793537e06d81ed8d4025bf372_karagany_mafia.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-11-14_d6c4530793537e06d81ed8d4025bf372_karagany_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-14_d6c4530793537e06d81ed8d4025bf372_karagany_mafia.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\2024-11-14_d6c4530793537e06d81ed8d4025bf372_karagany_mafia.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-11-14_d6c4530793537e06d81ed8d4025bf372_karagany_mafia.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI27082\python27.dll

Filesize
2.3MB

MD5
df1a706ed563fa3f0b48f427609708f4

SHA1
5c479ffca8a2d71023c2522f54ed3f6f36f88e79

SHA256
5c4f7eb850cb4ebd35c039be7319e2ed05439418884d414001e015c4637585fc

SHA512
8757e27d78291f48237a5b4b15cea26d08d03c8b9ff1ad61c50d890b3e8b62fd0db819959b9c13b3d88ebe3e54ae176fc67d02ffe62c89c577af1866cb238a73

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27082\Crypto.Cipher._AES.pyd

Filesize
28KB

MD5
dd3db5480eb52e8f69d47f3b725e6bfb

SHA1
cb14cda7f5e3e2b88c823e4d15643680398b361e

SHA256
51054f4d28782b6698b1b6510317650e797e11f87fa29fceaf8559b6bcbf4dfe

SHA512
c94216dcd0dc3000304b2b4704dd29bfeed35c9b6158d3ff1cc86084a1753060b72bd48678d5662c8e10205e1a866361f7a455f177dbf364814ee317679bff23

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27082\_ctypes.pyd

Filesize
85KB

MD5
d0e6bee31c7f2b0de979562ce5f6444f

SHA1
9223853061b067f7af17007067d24ce746917d1d

SHA256
f6fb937147342609a793a1ccb839ad504ec0e7807d072a9ac6eb51ba846e17a9

SHA512
3d64a460178479eec3cd1a65421dafb78b15011fcae472873ab28fb1ecc42482d00b141426874b12beef9247ad6b4afe1bd723d398f37d44316bc1b9c4dba434

Download Submit
memory/2492-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download