metasploit | 56be81e4170f3c4077c11fc094e593737690110a9bafa16b623e680ff4c0b387

Analysis

Target

d.exe
Size

556KB
MD5

525d814ba020a890dd87677747f01f90
SHA1

7525642890e312224a14754dcf4006b5cd9d1575
SHA256

814af02b5de01b583cad8808550f7f44c06b473cf92e04da6708120a30fbefcd
SHA512

e350caf0d73b9335e2544f4e63e7abd14dde08060044cf91a7259314561800f696647c7242b43a726ac7e3fe7b0fe3765b9246b8950eded7449705a3e2dc2a59

Score

10^/10

Family

metasploit

Version

windows/download_exec

http://globalcert.io.global.prod.fastly.net:443/api/v1/user/512/avatar

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

332 1996 WerFault.exe d.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

332 WerFault.exe
332 WerFault.exe
332 WerFault.exe
332 WerFault.exe
332 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

332 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 332 WerFault.exe

pid	pid_target	process	target process
332	1996	WerFault.exe	d.exe

pid	process
332	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	332	WerFault.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d.exed.exe

description	pid	process	target process
PID 1104 wrote to memory of 1996	1104	d.exe	d.exe
PID 1104 wrote to memory of 1996	1104	d.exe	d.exe
PID 1104 wrote to memory of 1996	1104	d.exe	d.exe
PID 1104 wrote to memory of 1996	1104	d.exe	d.exe
PID 1996 wrote to memory of 332	1996	d.exe	WerFault.exe
PID 1996 wrote to memory of 332	1996	d.exe	WerFault.exe
PID 1996 wrote to memory of 332	1996	d.exe	WerFault.exe
PID 1996 wrote to memory of 332	1996	d.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\d.exe
"C:\Users\Admin\AppData\Local\Temp\d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\d.exe
C:\Users\Admin\AppData\Local\Temp\d.exe wcOwQpG
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

memory/332-63-0x0000000000000000-mapping.dmp

Download
memory/332-65-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1104-59-0x0000000076E11000-0x0000000076E13000-memory.dmp

Filesize
8KB

Download
memory/1996-60-0x0000000000000000-mapping.dmp

Download
memory/1996-62-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1996-64-0x0000000003850000-0x0000000003C50000-memory.dmp

Filesize
4.0MB

Download