metasploit | 44fd76bed4f91723940931c035a1e92f7d26d7c94dabd15f2e4a8db4f6e48273

Analysis

max time kernel
93s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Transfer-https.vbs
Size

7KB
MD5

e2f4a3c6e7570b4424089b24b059c9d0
SHA1

19c12a30f1cde384d948d32d1efa6f8a541e2a60
SHA256

44fd76bed4f91723940931c035a1e92f7d26d7c94dabd15f2e4a8db4f6e48273
SHA512

646e2cd0517745c4b36a3178edd8f48fe46eb29a2053d83f6beb61d9e5205cc97d1a7f9a65ea0190044b87b1275d998779025d7ede2253b455782d5e40e8c0f8
SSDEEP

96:ZGze5ePQfJEgaGscxriEto+TE9sfQcHOB7uczr05LaGejhVPPCyCsB3fD+r2:UzezgfEtoRGocHOBDzr05KbPKyNBG2

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_http

http://89.197.154.116:7810/GHCSKLHA62xAo0GiJ65tlwmFvMO6tQNKeTswMuKxpybsim_N2RnNTId_j8dnBmA9vnYOyNR6EU7eXYS6AY-Rox46MWUiLVByUmCfxHjNCsvWTIsFuGs9e3XKhc2dJ6Jls10lHzhDwU0eh84XVkCbmUwBJfgF33CNXlpD8tpFnQKUyLbbyQTF_Cn32t6uqwBi89JgBGKEY_FfUBSCI4FljPsd9uXGcHm2BThT

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation WScript.exe
Executes dropped EXE 1 IoCs

Processes:

hTSebfAkRTedaXH.exe

pid process

3996 hTSebfAkRTedaXH.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

hTSebfAkRTedaXH.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hTSebfAkRTedaXH.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

pid	process
3996	hTSebfAkRTedaXH.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hTSebfAkRTedaXH.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 3088 wrote to memory of 3996	3088	WScript.exe	hTSebfAkRTedaXH.exe
PID 3088 wrote to memory of 3996	3088	WScript.exe	hTSebfAkRTedaXH.exe
PID 3088 wrote to memory of 3996	3088	WScript.exe	hTSebfAkRTedaXH.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Transfer-https.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Local\Temp\rad55C6B.tmp\hTSebfAkRTedaXH.exe
  "C:\Users\Admin\AppData\Local\Temp\rad55C6B.tmp\hTSebfAkRTedaXH.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rad55C6B.tmp\hTSebfAkRTedaXH.exe

Filesize
4KB

MD5
862eb49999210f509381d9a87db9dcc6

SHA1
16d1a6c105179b483bdac3445b045916621aafb9

SHA256
bb68d7a2978199a199689ac40cb70926c7fbb90ed55364fa8c562964732193ca

SHA512
93955f21cdbb8f28b24838597cfa0e264dc5e2bdcdd24165d9a158cbf46f857745ab0ea33f59942b56968ab4e876397eb4f537b1bea5f571cb48fd4b1924c0aa

Download Submit
memory/3996-7-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/3996-9-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download