metasploit | 42e55c8a45200dde96062e5899518733f8f7c504c72fd4b86a793ba22dec3dcc

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42e55c8a45200dde96062e5899518733f8f7c504c72fd4b86a793ba22dec3dcc.exe
Size

647KB
MD5

74002a194360682b006cca283e1cf4e8
SHA1

6c037c51df859c1dee31ef88300a8a1a325c30e0
SHA256

42e55c8a45200dde96062e5899518733f8f7c504c72fd4b86a793ba22dec3dcc
SHA512

870bbfab1508d9dee43fbb51e1e5be1956274f143fee0095e8f11fec3e4c6ae9a4c20c1a38566d415b62d1b0f9b55d9dfb9b239c93e7f2aae7b6e91eaad1c48a
SSDEEP

12288:cyveQB/fTHIGaPkKEYzURNAwbAgli5/XoEQZOvG/C+O4+S8HiK425O9AJ:cuDXTIGaPhEYzUzA065ovZHtOOML89AJ

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

192.168.1.64:1479

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 1 IoCs

pid	Process
2684	ImageViewer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ImageViewer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 2684	784	42e55c8a45200dde96062e5899518733f8f7c504c72fd4b86a793ba22dec3dcc.exe	32
PID 784 wrote to memory of 2684	784	42e55c8a45200dde96062e5899518733f8f7c504c72fd4b86a793ba22dec3dcc.exe	32
PID 784 wrote to memory of 2684	784	42e55c8a45200dde96062e5899518733f8f7c504c72fd4b86a793ba22dec3dcc.exe	32
PID 784 wrote to memory of 2684	784	42e55c8a45200dde96062e5899518733f8f7c504c72fd4b86a793ba22dec3dcc.exe	32

C:\Users\Admin\AppData\Local\Temp\42e55c8a45200dde96062e5899518733f8f7c504c72fd4b86a793ba22dec3dcc.exe
"C:\Users\Admin\AppData\Local\Temp\42e55c8a45200dde96062e5899518733f8f7c504c72fd4b86a793ba22dec3dcc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ImageViewer.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ImageViewer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ImageViewer.exe

Filesize
72KB

MD5
ee0c60c7c2d0f2fff4ca29e158de7ccd

SHA1
2f47fd3d14d20bcd8723a75b141cb57872bc7253

SHA256
5419f2e74b0526c1acd6e09098e81d75251c7666a4208b65020bfe6055eeea47

SHA512
3e29fbb11d1f208e304c99c925f79465ef8db29c51136a15d0df4895cb684e6a06579b004247d9ca328a508e4e6f9f36ca8c1b08c11d6dceb1f60c34272c1b13

Download Submit
memory/784-4-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2684-16-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download