Analysis
- max time kernel: 123s
- max time network: 187s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 30-06-2022 18:04
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe
  - Resource: win7-20220414-en
- Behavioral task: behavioral2
  - Sample: 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe
  - Resource: win10v2004-20220414-en
General
- Target: 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe
- Size: 2.9MB
- MD5: 6056cb47164323c9bacfea777afffe0f
- SHA1: 678e3415cad90165942024bb1a00a886685f1b83
- SHA256: 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581
- SHA512: 5616f5cc04221b676cdb21ae2c3283fbb64f8435c5ab18ba9f310f916675c5ba0b919fa03e2bba79da346cea6a0ece0b385866916a77ee941152becac8c842d8
Malware Config
Extracted
- metasploit
  - windows/shell_reverse_tcp
  - 192.168.10.3:5555
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Program crash (1 IoC)
  Processes:
  pid  | pid_target | process      | target process
  1416 | 1660       | WerFault.exe | 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                      | pid  | process                                                              | target process
  PID 1660 wrote to memory of 1416 | 1660 | 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe | WerFault.exe
  PID 1660 wrote to memory of 1416 | 1660 | 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe | WerFault.exe
  PID 1660 wrote to memory of 1416 | 1660 | 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe | WerFault.exe
  PID 1660 wrote to memory of 1416 | 1660 | 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 156
    - Program crash