metasploit | 56be81e4170f3c4077c11fc094e593737690110a9bafa16b623e680ff4c0b387

Analysis

Target

d.exe
Size

556KB
MD5

525d814ba020a890dd87677747f01f90
SHA1

7525642890e312224a14754dcf4006b5cd9d1575
SHA256

814af02b5de01b583cad8808550f7f44c06b473cf92e04da6708120a30fbefcd
SHA512

e350caf0d73b9335e2544f4e63e7abd14dde08060044cf91a7259314561800f696647c7242b43a726ac7e3fe7b0fe3765b9246b8950eded7449705a3e2dc2a59

Score

10^/10

Family

metasploit

Version

windows/download_exec

http://globalcert.io.global.prod.fastly.net:443/api/v1/user/512/avatar

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3800 1636 WerFault.exe d.exe

pid	pid_target	process	target process
3800	1636	WerFault.exe	d.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3800 WerFault.exe
Token: SeBackupPrivilege 3800 WerFault.exe
Token: SeDebugPrivilege 3800 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d.exe

description	pid	process	target process
PID 500 wrote to memory of 1636	500	d.exe	d.exe
PID 500 wrote to memory of 1636	500	d.exe	d.exe
PID 500 wrote to memory of 1636	500	d.exe	d.exe

C:\Users\Admin\AppData\Local\Temp\d.exe
"C:\Users\Admin\AppData\Local\Temp\d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:500

C:\Users\Admin\AppData\Local\Temp\d.exe
C:\Users\Admin\AppData\Local\Temp\d.exe wcOwQpG
2⤵
PID:1636

memory/1636-114-0x0000000000000000-mapping.dmp

Download
memory/1636-115-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/1636-116-0x00000000032D0000-0x00000000036D0000-memory.dmp

Filesize
4.0MB

Download