metasploit | 8320d94d94c77651d4214a27e09c62de9fcbf432c12b159bf66042c149f77bb6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8320d94d94c77651d4214a27e09c62de9fcbf432c12b159bf66042c149f77bb6.exe
Size

2.0MB
MD5

f510c5cd87b5a354d44f6fd8ed4e5903
SHA1

c3d07c218089fc6c12c494c445cf84881a657518
SHA256

8320d94d94c77651d4214a27e09c62de9fcbf432c12b159bf66042c149f77bb6
SHA512

8d1e162ad92845591de07ffd4d7d0f3a07828144a807ef73d97d6fb70cabf313f20802bc1db051fa32d76848559d943a6c6f74a12b62eb7d771e4de4acfb4acb
SSDEEP

24576:nXuI+4Kb6Y1zFGKRtGhoJglmb89ezBNYVx1AnW7/DtB8+TUplflOhR/Tf:D1w64z+hov8g3YVT+65d4EhRL

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

192.168.0.53:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 2 IoCs

pid	Process
2132	fuhom.exe
3432	SecureCRT-kg.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecureCRT-kg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuhom.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 760	1588	8320d94d94c77651d4214a27e09c62de9fcbf432c12b159bf66042c149f77bb6.exe	83
PID 1588 wrote to memory of 760	1588	8320d94d94c77651d4214a27e09c62de9fcbf432c12b159bf66042c149f77bb6.exe	83
PID 1588 wrote to memory of 4784	1588	8320d94d94c77651d4214a27e09c62de9fcbf432c12b159bf66042c149f77bb6.exe	84
PID 1588 wrote to memory of 4784	1588	8320d94d94c77651d4214a27e09c62de9fcbf432c12b159bf66042c149f77bb6.exe	84
PID 4784 wrote to memory of 2132	4784	cmd.exe	88
PID 4784 wrote to memory of 2132	4784	cmd.exe	88
PID 4784 wrote to memory of 2132	4784	cmd.exe	88
PID 760 wrote to memory of 3432	760	cmd.exe	87
PID 760 wrote to memory of 3432	760	cmd.exe	87
PID 760 wrote to memory of 3432	760	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\8320d94d94c77651d4214a27e09c62de9fcbf432c12b159bf66042c149f77bb6.exe
"C:\Users\Admin\AppData\Local\Temp\8320d94d94c77651d4214a27e09c62de9fcbf432c12b159bf66042c149f77bb6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\system32\cmd.exe
  cmd " /c " C:/Users/Admin/AppData/Local/Temp/SecureCRT-kg.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Users\Admin\AppData\Local\Temp\SecureCRT-kg.exe
    C:/Users/Admin/AppData/Local/Temp/SecureCRT-kg.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3432
- C:\Windows\system32\cmd.exe
  cmd " /c C:\Users\Public\fuhom.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Users\Public\fuhom.exe
    C:\Users\Public\fuhom.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SecureCRT-kg.exe

Filesize
280KB

MD5
e7bf3e52d49b48c30f110b1ad01e0fc5

SHA1
49a531a381095adee1d2652305cc4a59ada3b5ec

SHA256
43af5fdebe2006a51a368971924f9c08c919a45da86ec42639351af0c00517bd

SHA512
04cf584edddcbe058139c696d91c7c72232091953e95fa56bbd014eef0e98da17554ab7462c91bd0a32a5b2d6fb02201682cdfb454c3318df7773648808694e8

Download Submit
C:\Users\Public\fuhom.exe

Filesize
72KB

MD5
e36cf85115029969a637aca6a05118fc

SHA1
f48961710bfec43764aa0a1e2ae4e46ab9d9f01b

SHA256
d3467d8c006026b3a390654e327b8ee831b49e998ba77537afecbaeae4cbbd45

SHA512
5d86c8837728f71901bddf1b94e0add8509b9386af395b7744ef77b8c0fa485ca3b7964b2bf3c9a0af8ee3fffce01e4fa351c2fca4069bcecc4d36a710f19fde

Download Submit
memory/2132-9-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/3432-8-0x00000000001D0000-0x00000000001E1000-memory.dmp

Filesize
68KB

Download
memory/3432-11-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/3432-12-0x0000000000500000-0x0000000000511000-memory.dmp

Filesize
68KB

Download
memory/3432-10-0x00000000001D0000-0x00000000001E1000-memory.dmp

Filesize
68KB

Download
memory/3432-13-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/3432-14-0x00000000001D0000-0x00000000001E1000-memory.dmp

Filesize
68KB

Download
memory/3432-15-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads