metasploit | 0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
Size

2.3MB
MD5

ae7adf1cb1c34114e6d527a43d5c28b5
SHA1

15b0bc002714e725a805a8bf471a939dcc814fce
SHA256

0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c
SHA512

5454fb6b6b06ade6f9459884999739934ad4a21a211bc48ac20978105ef5d741f2fdd12ba424238116be012e468645936e280f36cbb3d1ab5097edfee8a309b8
SSDEEP

49152:xr/KPLe0RLCxriiiiINsMdRPLe0RLCxriiiiINs8F:xrmLB0WiRIeM/LB0WiRIe8

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_de.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_vi.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File opened for modification	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\BraveUpdateSetup.exe	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\BraveUpdateComRegisterShellArm64.exe	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_bn.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_da.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_fil.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_pt-BR.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_sk.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_sw.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_te.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_es-419.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_pt-PT.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\psmachine.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\psuser_arm64.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_sr.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_uk.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_en.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\BraveUpdate.exe	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\BraveUpdateComRegisterShell64.exe	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\psuser.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_cs.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_sl.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\BraveCrashHandlerArm64.exe	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_hu.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_it.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_kn.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_no.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_sv.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\psmachine_64.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_mr.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_ms.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_ca.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_el.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_fi.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_fa.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_fr.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_ml.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\BraveUpdateSetup.exe	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\BraveUpdateBroker.exe	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\BraveCrashHandler64.exe	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\BraveUpdateCore.exe	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_gu.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_iw.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_ko.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_th.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_zh-CN.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_ar.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_en-GB.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_nl.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_pl.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\psmachine_arm64.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_am.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_bg.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_hr.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File opened for modification	C:\Program Files (x86)\BraveSoftware\Temp\GUTBC8D.tmp	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\BraveUpdateOnDemand.exe	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_es.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_ja.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_lt.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_ta.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_is.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\goopdateres_ro.dll	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUMBC8C.tmp\BraveCrashHandler.exe	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe

C:\Users\Admin\AppData\Local\Temp\0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe
"C:\Users\Admin\AppData\Local\Temp\0203935447a499e04704f48442dac69658ded78defdf6af21d2a7f46fb83ef1c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2260-0-0x0000000000400000-0x0000000000648538-memory.dmp

Filesize
2.3MB

Download
memory/2260-147-0x0000000000400000-0x0000000000648538-memory.dmp

Filesize
2.3MB

Download