metasploit | 144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.exe
Size

7.7MB
MD5

2e50203cad64085331e5700d30f97f79
SHA1

1ab052c24ee4f172be5764472f9ba9364c9c8e1d
SHA256

144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514
SHA512

207baaef535e35d206b0c3b96e62db68b5dd133f18db6dd54cf3630e680f369742aef6acf472563994e15d3db1f189ac980b85aa2fd2602fe146ed06201f8582
SSDEEP

196608:NcvnSjQK8LhKn1mbdIJSHDxnSP6fzsP4oR+JP5A5:NYnSokcbdIWVglw25

Score

10^/10

metasploit backdoor discovery pyinstaller trojan

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

147.93.131.12:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 2 IoCs

pid	Process
2508	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
2664	Calculator.exe

Loads dropped DLL 3 IoCs

pid	Process
2516	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.exe
2508	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
2664	Calculator.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\America\is-8TFNT.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\America\is-B9G50.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\SystemV\is-9JU2T.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\encoding\is-ARLOU.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\America\is-09G58.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Etc\is-08T03.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\is-5RV0M.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\America\is-T9PDV.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Australia\is-7TF3B.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Indian\is-T54KQ.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\is-AM2G8.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\encoding\is-UOVVA.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\America\is-UP5MK.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Asia\is-BJB9U.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Pacific\is-T9I2I.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\msgs\is-V2U4L.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\America\is-T7O0T.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\America\is-MS55N.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Pacific\is-A2F8E.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\US\is-81P6L.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Asia\is-RM3HV.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tk\images\is-7J4P6.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tk\ttk\is-DTK39.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tk\ttk\is-63L22.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\msgs\is-69AD2.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Africa\is-2QPCA.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\America\is-F8Q9P.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Etc\is-NVHQJ.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\is-3D2T1.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\is-64L99.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\encoding\is-M57UJ.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Canada\is-L3CTV.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Europe\is-EAO31.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\US\is-I18DG.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Atlantic\is-TONCF.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tk\is-KR1QA.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tk\msgs\is-JQ0JH.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tk\ttk\is-TAGBV.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\America\is-P3F65.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\encoding\is-KNTFQ.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\msgs\is-02H96.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Africa\is-K0BV8.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Asia\is-JUN5C.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\msgs\is-KPTBK.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\is-OSOVL.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\is-8SR1I.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Asia\is-N84NE.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\msgs\is-6H04U.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\msgs\is-DPTQD.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\msgs\is-RBUBT.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\America\is-64IU8.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Africa\is-LJJAV.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\America\is-NSQEQ.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Asia\is-1NBIL.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Australia\is-59S15.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tk\msgs\is-81PRG.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\encoding\is-RUKJ6.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\msgs\is-74877.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Africa\is-U79QA.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\America\is-8UJNH.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Asia\is-8S596.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Atlantic\is-18ENQ.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\tzdata\Asia\is-RVJ70.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
File created	C:\Program Files (x86)\Calculator\tcl\encoding\is-6U8KM.tmp	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000600000001903d-30.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calculator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2508	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
2508	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2508	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2508	2516	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.exe	30
PID 2516 wrote to memory of 2508	2516	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.exe	30
PID 2516 wrote to memory of 2508	2516	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.exe	30
PID 2516 wrote to memory of 2508	2516	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.exe	30
PID 2516 wrote to memory of 2508	2516	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.exe	30
PID 2516 wrote to memory of 2508	2516	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.exe	30
PID 2516 wrote to memory of 2508	2516	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.exe	30
PID 2508 wrote to memory of 2664	2508	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp	32
PID 2508 wrote to memory of 2664	2508	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp	32
PID 2508 wrote to memory of 2664	2508	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp	32
PID 2508 wrote to memory of 2664	2508	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp	32
PID 2508 wrote to memory of 2664	2508	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp	32
PID 2508 wrote to memory of 2664	2508	144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp	32

C:\Users\Admin\AppData\Local\Temp\144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.exe
"C:\Users\Admin\AppData\Local\Temp\144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\is-DFBV1.tmp\144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DFBV1.tmp\144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp" /SL5="$400E0,7230745,947712,C:\Users\Admin\AppData\Local\Temp\144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Program Files (x86)\Calculator\Calculator.exe
    "C:\Program Files (x86)\Calculator\Calculator.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Calculator\Calculator.exe

Filesize
2.1MB

MD5
7fcfc4cba752e08280cc26e5a6167423

SHA1
04062cbb125cbb42d10c106cfb714c2844f257d0

SHA256
0a27a1e5b10338c95ce446227d12903b907aedda68cfcfcce84a987ae9496dd2

SHA512
925da9267619a09a4c28c4ce40d4cb95471448eeeabc6289e4da308a9bd7fd49826bac153556b3e0e4c9b665b38e919e3d5c266177592c20827f7e14422a192a

Download Submit
\Program Files (x86)\Calculator\python39.dll

Filesize
4.3MB

MD5
6ea7584918af755ba948a64654a0a61a

SHA1
aa6bfb6f97c37d79e5499b54dc24f753b47f6de0

SHA256
3007a651d8d704fc73428899aec8788b8c8c7b150067e31b35bf5a3bd913f9b6

SHA512
d00e244b7fccdbec67e6b147827c82023dd9cb28a14670d13461462f0fbbe9e3c5b422a5207a3d08484eb2e05986386729a4973023519eb453ee4467f59d4a80

Download Submit
\Users\Admin\AppData\Local\Temp\is-DFBV1.tmp\144eb5d99347a93b3eba1fc45f756f2a833a9eb023a062ee7745c731007d5514.tmp

Filesize
3.1MB

MD5
e1b77f21aa3871899eeac9b167ab1917

SHA1
471fc8c835d08f75a90892640cd5acbc03808125

SHA256
fee8b99bed3f5eb23cf9dca40accd0719582f128da302274fa517ac92e33450a

SHA512
2b7f2c3c04436e4a7a3ba68089e3f70d4699d85ae5030d29c871deff90f1b49881c9805179881ab3fd88f46f5bc2e6ec27d271cdf1369d67a3fdf7950b565eb0

Download Submit
memory/2508-15-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2508-11-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2508-615-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2508-1925-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2516-12-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2516-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2516-13-0x0000000000400000-0x0000000000BCB000-memory.dmp

Filesize
7.8MB

Download
memory/2516-2-0x0000000000400000-0x0000000000BCB000-memory.dmp

Filesize
7.8MB

Download
memory/2516-4-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2516-1926-0x0000000000400000-0x0000000000BCB000-memory.dmp

Filesize
7.8MB

Download