metasploit | aaebe94f90f33e30b24bbce26899e6c5d6dfb63abd91d32e45d42abc5933755a

Analysis

max time kernel
285s
max time network
297s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nDqOiSmU.vbs
Size

10KB
MD5

161b4e988b395a2942c84f127f36a274
SHA1

2d43c412b6939557de9770944eae7bd87c9dc363
SHA256

aaebe94f90f33e30b24bbce26899e6c5d6dfb63abd91d32e45d42abc5933755a
SHA512

dec2fba3fc3ebe45dac3fe80921eaae39044efa5ba37ee19d8838c5eaab2c779ddda57c58df77b44eace700c902eac440f0cf64158ab2bf54c26cdf044e8bc48
SSDEEP

48:ZHG0n6qtcQaryowcGDDuJ22GZSo2ke5ETurr5WeXDatEAc7Aum:Y2KryowcGDDuJ23Te5ETusemQXm

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

51.75.140.195:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 2 IoCs

Processes:

HYIZFiFx.exeHYIZFiFx.exe

pid process

2348 HYIZFiFx.exe
2388 HYIZFiFx.exe
Loads dropped DLL 4 IoCs

Processes:

WScript.exe

pid process

1232 WScript.exe
1232 WScript.exe
1232 WScript.exe
1232 WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2348	HYIZFiFx.exe
2388	HYIZFiFx.exe

pid	process
1232	WScript.exe
1232	WScript.exe
1232	WScript.exe
1232	WScript.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1232 wrote to memory of 2348	1232	WScript.exe	HYIZFiFx.exe
PID 1232 wrote to memory of 2348	1232	WScript.exe	HYIZFiFx.exe
PID 1232 wrote to memory of 2348	1232	WScript.exe	HYIZFiFx.exe
PID 1232 wrote to memory of 2388	1232	WScript.exe	HYIZFiFx.exe
PID 1232 wrote to memory of 2388	1232	WScript.exe	HYIZFiFx.exe
PID 1232 wrote to memory of 2388	1232	WScript.exe	HYIZFiFx.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nDqOiSmU.vbs"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\radF51D8.tmp\HYIZFiFx.exe
"C:\Users\Admin\AppData\Local\Temp\radF51D8.tmp\HYIZFiFx.exe"
2⤵
- Executes dropped EXE
PID:2348

C:\Users\Admin\AppData\Local\Temp\rad0CB7C.tmp\HYIZFiFx.exe
"C:\Users\Admin\AppData\Local\Temp\rad0CB7C.tmp\HYIZFiFx.exe"
2⤵
- Executes dropped EXE
PID:2388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\radF51D8.tmp\HYIZFiFx.exe
Filesize
7KB

MD5
d63f891159c2acc02c59d0585ed9df3f

SHA1
d7d752250189198e88279b8917f4e24973d55c0a

SHA256
ff3b6d8bd5f018c067bfded4c20729487eda1897e01c78a5731252100eb9a569

SHA512
1b0e043bc33e634844dae94cf8e27f0b351a347e148b4fb4c3f2d0f47256e071ec77d9b697b6c1a72d4c2667852b0f8589d9610cc0147c51b4b9f8f7b4816dbb

Download Submit
memory/1232-9-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/1232-8-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/1232-12-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/1232-11-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/1232-23-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/1232-22-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/1232-26-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/1232-25-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2348-10-0x0000000140000000-0x0000000140004240-memory.dmp

Filesize
16KB

Download
memory/2388-24-0x0000000140000000-0x0000000140004240-memory.dmp

Filesize
16KB

Download