metasploit | 433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1

Analysis

max time kernel
105s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe
Size

723KB
MD5

bae1382ebc9b5bfa167c1f27a2de9a50
SHA1

fffba10e15287bab45038f2698c260bef7574674
SHA256

433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1
SHA512

61eeb9459add2df90bb50ba91497bdf750abcab569b8502852d4b3211d187f15b9fc8aa18b1f40e44ec5bc62ab2ebb2ffd46febe8642a7e7ad7dbcbb20ac6cba
SSDEEP

12288:9Vt+vOLEZ1kxCNYyJElzxRs0uZz5LVI7Tua9dVo4t4qM20Gq7ADHfaZZkz:9+v7kKqXTua9dVjt0CHeQ

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

10.17.65.78:1024

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4808	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe
4808	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe
4808	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe
4808	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe
4808	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe
4808	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4808	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe
4808	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe
4808	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe
4808	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe
4808	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe
4808	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4808	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 5012	4808	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe	83
PID 4808 wrote to memory of 5012	4808	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe	83
PID 4808 wrote to memory of 5012	4808	433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe	83

C:\Users\Admin\AppData\Local\Temp\433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe
"C:\Users\Admin\AppData\Local\Temp\433118df41a9d107fe7e07128186fcfb7b934ffcb7a1aadb3cc02fb6900cb4d1N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Delete /TN "EVKey - Vietnamese Keyboard" /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setting.ini

Filesize
652B

MD5
923d1830f97cc9c5367cfdea115d2b0d

SHA1
a13584dab18d0b1d56ca241395d6b93071f6c785

SHA256
7dcf9508ce65c31607f1ad282bdfeb640ee4b4519ab2014c1ad31e8b787f843a

SHA512
73d326ae30c801e2f12a2ca61e079d675613289cc815a82ff4bbc958a6193b08791e941738208f0013a1835580c0446d1795999078959f5888338cebb8fb03f2

Download Submit
memory/4808-0-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/4808-65-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download