Analysis
- max time kernel: 152s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30-06-2022 18:04
Static task: static1
Behavioral task: behavioral1
- Sample: 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe
- Resource: win10v2004-20220414-en
General
- Target: 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe
- Size: 2.9MB
- MD5: 6056cb47164323c9bacfea777afffe0f
- SHA1: 678e3415cad90165942024bb1a00a886685f1b83
- SHA256: 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581
- SHA512: 5616f5cc04221b676cdb21ae2c3283fbb64f8435c5ab18ba9f310f916675c5ba0b919fa03e2bba79da346cea6a0ece0b385866916a77ee941152becac8c842d8
Malware Config
Extracted
metasploit
windows/shell_reverse_tcp
192.168.10.3:5555
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Program crash (2 IoCs)
  Processes:

  | pid | pid_target | process | target process |
  |---|---|---|---|
  | 2304 | 4332 | WerFault.exe | 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe |
  | 2804 | 4332 | WerFault.exe | 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe |

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:

  | description | pid | process | target process |
  |---|---|---|---|
  | PID 4332 wrote to memory of 2304 | 4332 | 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe | WerFault.exe |
  | PID 4332 wrote to memory of 2304 | 4332 | 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe | WerFault.exe |
  | PID 4332 wrote to memory of 2304 | 4332 | 28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe | WerFault.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\28435fa2051fa4bf5425d52b5c1b16781e4b2553be726b152796eaf9d1d49581.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 384
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 384
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4332 -ip 4332