metasploit | 3febb5ec66331640d256ed6021be850f122d9cc1cc27bae921b80b00828ec255

Analysis

max time kernel
104s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3febb5ec66331640d256ed6021be850f122d9cc1cc27bae921b80b00828ec255.dll
Size

9KB
MD5

7da82665c5b4b3cabeb91e15b3151194
SHA1

1ca3d24e49fd700f8f7dba15836bc8c42ba48b5b
SHA256

3febb5ec66331640d256ed6021be850f122d9cc1cc27bae921b80b00828ec255
SHA512

6293e2cdc24ddcae7600261bcc01acae28f1b45b926d5fe5385d2ed23203b40378243fd55fe11286944d215c87730bcefff012ab187d9744a1b84b4af25bc9b8
SSDEEP

48:q0kV3zU9G4aNVh7XphlhEF57/ncCYxZrCO1LapHvfbOEe:vDIKkfB0v4

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

http://134.195.90.78:8087/5Mum3OyRa87-4__imdajzAxKXjhcQsuMcGQRPA50eK8AZD4OxYErkz-FgvzGH5bDnSInM5JBqmxslDEWpd3AFbuWtXiKY7mHY96PhlJzv9SEcnS-FTBTooFAcR9QD9FgDpDjKiwhU5592pbo8ks-VcKyJNPUIyghWQ

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow	pid	Process
6	3700	rundll32.exe
23	3700	rundll32.exe
37	3700	rundll32.exe
41	3700	rundll32.exe
46	3700	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 2784 set thread context of 3700	2784	rundll32.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exerundll32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	Process	procid_target
PID 3032 wrote to memory of 2784	3032	rundll32.exe	83
PID 3032 wrote to memory of 2784	3032	rundll32.exe	83
PID 3032 wrote to memory of 2784	3032	rundll32.exe	83
PID 2784 wrote to memory of 3700	2784	rundll32.exe	84
PID 2784 wrote to memory of 3700	2784	rundll32.exe	84
PID 2784 wrote to memory of 3700	2784	rundll32.exe	84
PID 2784 wrote to memory of 3700	2784	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3febb5ec66331640d256ed6021be850f122d9cc1cc27bae921b80b00828ec255.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3febb5ec66331640d256ed6021be850f122d9cc1cc27bae921b80b00828ec255.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3700-0-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download