metasploit | 0daa391a7ced1527a38b7bfcbbe9998d19fc6b9aab60d3bfdcf3f13d9df1859b

Analysis

max time kernel
27s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
29-05-2022 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0daa391a7ced1527a38b7bfcbbe9998d19fc6b9aab60d3bfdcf3f13d9df1859b.exe
Size

2.3MB
MD5

5b3685025d690e226948be017a1d4aee
SHA1

100628a63e150c4a7d30b89068037b66269981ec
SHA256

0daa391a7ced1527a38b7bfcbbe9998d19fc6b9aab60d3bfdcf3f13d9df1859b
SHA512

390e301b7c6c3276f8b91285c390ea46b0443e5b64209f9d83e40b2f40e03091d8834020424a005882b06c7b12ebdde3fc62d04c638446083dbc37c834653121

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

165.22.98.128:1123

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1904-54-0x0000000000400000-0x000000000075D000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

900 1904 WerFault.exe 0daa391a7ced1527a38b7bfcbbe9998d19fc6b9aab60d3bfdcf3f13d9df1859b.exe

pid	pid_target	process	target process
900	1904	WerFault.exe	0daa391a7ced1527a38b7bfcbbe9998d19fc6b9aab60d3bfdcf3f13d9df1859b.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0daa391a7ced1527a38b7bfcbbe9998d19fc6b9aab60d3bfdcf3f13d9df1859b.exe

description	pid	process	target process
PID 1904 wrote to memory of 900	1904	0daa391a7ced1527a38b7bfcbbe9998d19fc6b9aab60d3bfdcf3f13d9df1859b.exe	WerFault.exe
PID 1904 wrote to memory of 900	1904	0daa391a7ced1527a38b7bfcbbe9998d19fc6b9aab60d3bfdcf3f13d9df1859b.exe	WerFault.exe
PID 1904 wrote to memory of 900	1904	0daa391a7ced1527a38b7bfcbbe9998d19fc6b9aab60d3bfdcf3f13d9df1859b.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0daa391a7ced1527a38b7bfcbbe9998d19fc6b9aab60d3bfdcf3f13d9df1859b.exe
"C:\Users\Admin\AppData\Local\Temp\0daa391a7ced1527a38b7bfcbbe9998d19fc6b9aab60d3bfdcf3f13d9df1859b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1904 -s 40
2⤵
- Program crash
PID:900

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/900-55-0x0000000000000000-mapping.dmp

Download
memory/1904-54-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads