metasploit | 3febb5ec66331640d256ed6021be850f122d9cc1cc27bae921b80b00828ec255

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3febb5ec66331640d256ed6021be850f122d9cc1cc27bae921b80b00828ec255.dll
Size

9KB
MD5

7da82665c5b4b3cabeb91e15b3151194
SHA1

1ca3d24e49fd700f8f7dba15836bc8c42ba48b5b
SHA256

3febb5ec66331640d256ed6021be850f122d9cc1cc27bae921b80b00828ec255
SHA512

6293e2cdc24ddcae7600261bcc01acae28f1b45b926d5fe5385d2ed23203b40378243fd55fe11286944d215c87730bcefff012ab187d9744a1b84b4af25bc9b8
SSDEEP

48:q0kV3zU9G4aNVh7XphlhEF57/ncCYxZrCO1LapHvfbOEe:vDIKkfB0v4

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

http://134.195.90.78:8087/5Mum3OyRa87-4__imdajzAxKXjhcQsuMcGQRPA50eK8AZD4OxYErkz-FgvzGH5bDnSInM5JBqmxslDEWpd3AFbuWtXiKY7mHY96PhlJzv9SEcnS-FTBTooFAcR9QD9FgDpDjKiwhU5592pbo8ks-VcKyJNPUIyghWQ

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

4 3020 rundll32.exe
7 3020 rundll32.exe
8 3020 rundll32.exe
9 3020 rundll32.exe
10 3020 rundll32.exe
11 3020 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3016 set thread context of 3020 3016 rundll32.exe rundll32.exe

flow	pid	process
4	3020	rundll32.exe
7	3020	rundll32.exe
8	3020	rundll32.exe
9	3020	rundll32.exe
10	3020	rundll32.exe
11	3020	rundll32.exe

description	pid	process	target process
PID 3016 set thread context of 3020	3016	rundll32.exe	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2516 wrote to memory of 3016	2516	rundll32.exe	rundll32.exe
PID 2516 wrote to memory of 3016	2516	rundll32.exe	rundll32.exe
PID 2516 wrote to memory of 3016	2516	rundll32.exe	rundll32.exe
PID 2516 wrote to memory of 3016	2516	rundll32.exe	rundll32.exe
PID 2516 wrote to memory of 3016	2516	rundll32.exe	rundll32.exe
PID 2516 wrote to memory of 3016	2516	rundll32.exe	rundll32.exe
PID 2516 wrote to memory of 3016	2516	rundll32.exe	rundll32.exe
PID 3016 wrote to memory of 3020	3016	rundll32.exe	rundll32.exe
PID 3016 wrote to memory of 3020	3016	rundll32.exe	rundll32.exe
PID 3016 wrote to memory of 3020	3016	rundll32.exe	rundll32.exe
PID 3016 wrote to memory of 3020	3016	rundll32.exe	rundll32.exe
PID 3016 wrote to memory of 3020	3016	rundll32.exe	rundll32.exe
PID 3016 wrote to memory of 3020	3016	rundll32.exe	rundll32.exe
PID 3016 wrote to memory of 3020	3016	rundll32.exe	rundll32.exe
PID 3016 wrote to memory of 3020	3016	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3febb5ec66331640d256ed6021be850f122d9cc1cc27bae921b80b00828ec255.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3febb5ec66331640d256ed6021be850f122d9cc1cc27bae921b80b00828ec255.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3020-0-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/3020-2-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download