metasploit | a0d38a85c78a89886c93e627b25e888f79078e6751d4ef5e0aa918ef7663cbbd

Analysis

max time kernel
133s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0d38a85c78a89886c93e627b25e888f79078e6751d4ef5e0aa918ef7663cbbd.exe
Size

1.5MB
MD5

8373d49cba039770879b66b45257ce51
SHA1

3335b6adf81c41269a8267209244904967e867d7
SHA256

a0d38a85c78a89886c93e627b25e888f79078e6751d4ef5e0aa918ef7663cbbd
SHA512

5fe691958ea6822a1ee0e595495288c776e3718fddbd25995081f359a1f1d3f734379ab37f5706ed25a58a70c16c690d637a0cbbfe422aec094e45b3a27e7ae9
SSDEEP

24576:b5ZWs+OZVEWry8AFHG3zmr1BE3FOwIPSXotdjrpUT8qU0m:1ZB1G8YmOGFO/tp/j0m

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

192.168.80.136:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	a0d38a85c78a89886c93e627b25e888f79078e6751d4ef5e0aa918ef7663cbbd.exe

Executes dropped EXE 1 IoCs

pid	Process
3872	dongman.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dongman.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 3872	1552	a0d38a85c78a89886c93e627b25e888f79078e6751d4ef5e0aa918ef7663cbbd.exe	84
PID 1552 wrote to memory of 3872	1552	a0d38a85c78a89886c93e627b25e888f79078e6751d4ef5e0aa918ef7663cbbd.exe	84
PID 1552 wrote to memory of 3872	1552	a0d38a85c78a89886c93e627b25e888f79078e6751d4ef5e0aa918ef7663cbbd.exe	84

C:\Users\Admin\AppData\Local\Temp\a0d38a85c78a89886c93e627b25e888f79078e6751d4ef5e0aa918ef7663cbbd.exe
"C:\Users\Admin\AppData\Local\Temp\a0d38a85c78a89886c93e627b25e888f79078e6751d4ef5e0aa918ef7663cbbd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\Temp\dongman.exe
  "C:\Windows\Temp\dongman.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\dongman.exe

Filesize
72KB

MD5
efc258b65124f8dbb670d177c445af19

SHA1
447861ed06f2021ff86d76170c378a2dd59b18e9

SHA256
ba0157cca9c8bc8c02e843963d52535a9266a7ecdf251e3f1f5d0bfe023f5d20

SHA512
bfa9d9a742659c8091ec42f76d4609ef41af9239c0142948b3732ad39b8fed703ab0165e4d59203ce03eb8f3e3b08fc4e8c4556ebb694ab90aece38aa054967b

Download Submit
memory/3872-14-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download