metasploit | a6bdfb7e8e9933bb7784ca2a3332838687b6872302fd7c5487374f3aacf68457

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6bdfb7e8e9933bb7784ca2a3332838687b6872302fd7c5487374f3aacf68457.exe
Size

2.0MB
MD5

aae6059d749615e36e4f93d5751faadc
SHA1

bc1619075d21a4e153ee1cf1356f7c1e9000c5e3
SHA256

a6bdfb7e8e9933bb7784ca2a3332838687b6872302fd7c5487374f3aacf68457
SHA512

70a2995de5662a90fca59d085017dcc95b886010e34a1dc8f8c04e2f712a268bb09b8374dbb90489e76fda25b570a97de8ba5e0a03ff900d234836d8aa92aba2
SSDEEP

24576:ets+S6JFH0kO0gQpKHOrCdqJAVoGIyZqSH/XBbExnlQJ2k1hwHIhC4fHf:ePS41giv+q+VRBZq8/RbPwHAP

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

121.89.201.85:44444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 2 IoCs

pid	Process
520	mmm.exe
3516	SecureCRT-kg.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecureCRT-kg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmm.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 1416	4700	a6bdfb7e8e9933bb7784ca2a3332838687b6872302fd7c5487374f3aacf68457.exe	82
PID 4700 wrote to memory of 1416	4700	a6bdfb7e8e9933bb7784ca2a3332838687b6872302fd7c5487374f3aacf68457.exe	82
PID 4700 wrote to memory of 1056	4700	a6bdfb7e8e9933bb7784ca2a3332838687b6872302fd7c5487374f3aacf68457.exe	83
PID 4700 wrote to memory of 1056	4700	a6bdfb7e8e9933bb7784ca2a3332838687b6872302fd7c5487374f3aacf68457.exe	83
PID 1416 wrote to memory of 520	1416	cmd.exe	86
PID 1416 wrote to memory of 520	1416	cmd.exe	86
PID 1416 wrote to memory of 520	1416	cmd.exe	86
PID 1056 wrote to memory of 3516	1056	cmd.exe	87
PID 1056 wrote to memory of 3516	1056	cmd.exe	87
PID 1056 wrote to memory of 3516	1056	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\a6bdfb7e8e9933bb7784ca2a3332838687b6872302fd7c5487374f3aacf68457.exe
"C:\Users\Admin\AppData\Local\Temp\a6bdfb7e8e9933bb7784ca2a3332838687b6872302fd7c5487374f3aacf68457.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Windows\system32\cmd.exe
  cmd " /c" c:\mmm.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1416
- - \??\c:\mmm.exe
    c:\mmm.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:520
- C:\Windows\system32\cmd.exe
  cmd " /c" c:\SecureCRT-kg.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- - \??\c:\SecureCRT-kg.exe
    c:\SecureCRT-kg.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SecureCRT-kg.exe

Filesize
280KB

MD5
e7bf3e52d49b48c30f110b1ad01e0fc5

SHA1
49a531a381095adee1d2652305cc4a59ada3b5ec

SHA256
43af5fdebe2006a51a368971924f9c08c919a45da86ec42639351af0c00517bd

SHA512
04cf584edddcbe058139c696d91c7c72232091953e95fa56bbd014eef0e98da17554ab7462c91bd0a32a5b2d6fb02201682cdfb454c3318df7773648808694e8

Download Submit
C:\mmm.exe

Filesize
72KB

MD5
d507e0cf836bb5b68921a527aae1ce12

SHA1
17611ec94dc061669864e4fc22d08970f25cc9ea

SHA256
d320b2394c940b559cfacac9a2313513572b89bbf0fc9e32e009eb40357bff4a

SHA512
0433feb9e8abbc2d39d091afdfd7111023450893c611849966e7792156f8184a719a70f4552513ad60d24d805cdc428dd2284d69602db16a62778548ae3e57ff

Download Submit
memory/520-9-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/3516-8-0x00000000001D0000-0x00000000001E1000-memory.dmp

Filesize
68KB

Download
memory/3516-10-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/3516-11-0x00000000001D0000-0x00000000001E1000-memory.dmp

Filesize
68KB

Download
memory/3516-12-0x00000000005D0000-0x00000000005E1000-memory.dmp

Filesize
68KB

Download
memory/3516-13-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/3516-14-0x00000000001D0000-0x00000000001E1000-memory.dmp

Filesize
68KB

Download
memory/3516-15-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads