| File name: | windows-meterpreter-staged-reverse-tcp-4444.exe |
| Full analysis: | https://app.any.run/tasks/da3d7b4e-e27f-4fe7-acaa-efad0818c9c1 |
| Verdict: | Malicious activity |
| Threats: | A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. |
| Analysis date: | March 21, 2025, 00:29:48 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections |
| MD5: | 9165A7FD0A5F08F2171582AA5D0687ED |
| SHA1: | BD9443ECD80BF7D8142D77B4FF397FF3E082043B |
| SHA256: | A53DC95C07064B9238715A7A096D96426DC8F3657A748917F40B8601AE570ECB |
| SSDEEP: | 1536:hJoma/ELooLZu5gnGAtlZO3rD0fA6qwFhI8pMb+KR0Nc8QsMqUR:zomHooL05gXDQ/eqwFhI+e0Nc8Qs6R |
MALICIOUS
METASPLOIT has been detected (SURICATA)
- windows-meterpreter-staged-reverse-tcp-4444.exe (PID: 7644)
METASPLOIT has been detected (YARA)
- windows-meterpreter-staged-reverse-tcp-4444.exe (PID: 7644)
MIMIKATZ has been detected (YARA)
- windows-meterpreter-staged-reverse-tcp-4444.exe (PID: 7644)
SUSPICIOUS
The process received data that can be interpreted as shellcode
- windows-meterpreter-staged-reverse-tcp-4444.exe (PID: 7644)
Connects to unusual port
- windows-meterpreter-staged-reverse-tcp-4444.exe (PID: 7644)
INFO
Reads the computer name
- windows-meterpreter-staged-reverse-tcp-4444.exe (PID: 7644)
The sample compiled with english language support
- windows-meterpreter-staged-reverse-tcp-4444.exe (PID: 7644)
Reads the machine GUID from the registry
- windows-meterpreter-staged-reverse-tcp-4444.exe (PID: 7644)
Checks supported languages
- windows-meterpreter-staged-reverse-tcp-4444.exe (PID: 7644)
Checks proxy server information
- slui.exe (PID: 8120)
Reads the software policy settings
- slui.exe (PID: 8120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2009:08:25 17:59:34+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 45056 |
| InitializedDataSize: | 40960 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x7411 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.2.14.0 |
| ProductVersionNumber: | 2.2.14.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| Comments: | Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. |
| CompanyName: | Apache Software Foundation |
| FileDescription: | ApacheBench command line utility |
| FileVersion: | 2.2.14 |
| InternalName: | ab.exe |
| LegalCopyright: | Copyright 2009 The Apache Software Foundation. |
| OriginalFileName: | ab.exe |
| ProductName: | Apache HTTP Server |
| ProductVersion: | 2.2.14 |
Total processes
126
Monitored processes
2
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 7644 | "C:\Users\admin\Desktop\windows-meterpreter-staged-reverse-tcp-4444.exe" | C:\Users\admin\Desktop\windows-meterpreter-staged-reverse-tcp-4444.exe | explorer.exe | ||||||||||||
User: admin Company: Apache Software Foundation Integrity Level: MEDIUM Description: ApacheBench command line utility Version: 2.2.14 Modules
| |||||||||||||||
| 8120 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
3 556
Read events
3 556
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
19
DNS requests
6
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2432 | RUXIMICS.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2432 | RUXIMICS.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
2104 | svchost.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
7644 | windows-meterpreter-staged-reverse-tcp-4444.exe | 142.93.125.11:4444 | — | DIGITALOCEAN-ASN | US | unknown |
2104 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
2432 | RUXIMICS.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7524 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
8120 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7644 | windows-meterpreter-staged-reverse-tcp-4444.exe | Executable code was detected | BACKDOOR [ANY.RUN] Metasploit Init TCP session (XORed Key) |