metasploit | c5016e158f61adb1d9fd0e452c72416e27d2374cccbfb6013d8618e682ac82f2

Analysis

max time kernel
13s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
30-06-2022 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5016e158f61adb1d9fd0e452c72416e27d2374cccbfb6013d8618e682ac82f2.exe
Size

409KB
MD5

81975bc07440316797677712b7c31194
SHA1

fcfd743b839a318d46f58ac5eebbc4290c6cad49
SHA256

c5016e158f61adb1d9fd0e452c72416e27d2374cccbfb6013d8618e682ac82f2
SHA512

3a0e6cebb3c6124c89615fecda68f2ccbcb9d3077364f4afeddeea30f069c79a25a673458f6c63d7e19e66e5f1e2c0654390b2edaa028bd47130b663918307a5

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

192.168.1.101:8080

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1956-54-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2024 1956 WerFault.exe c5016e158f61adb1d9fd0e452c72416e27d2374cccbfb6013d8618e682ac82f2.exe

pid	pid_target	process	target process
2024	1956	WerFault.exe	c5016e158f61adb1d9fd0e452c72416e27d2374cccbfb6013d8618e682ac82f2.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c5016e158f61adb1d9fd0e452c72416e27d2374cccbfb6013d8618e682ac82f2.exe

description	pid	process	target process
PID 1956 wrote to memory of 2024	1956	c5016e158f61adb1d9fd0e452c72416e27d2374cccbfb6013d8618e682ac82f2.exe	WerFault.exe
PID 1956 wrote to memory of 2024	1956	c5016e158f61adb1d9fd0e452c72416e27d2374cccbfb6013d8618e682ac82f2.exe	WerFault.exe
PID 1956 wrote to memory of 2024	1956	c5016e158f61adb1d9fd0e452c72416e27d2374cccbfb6013d8618e682ac82f2.exe	WerFault.exe
PID 1956 wrote to memory of 2024	1956	c5016e158f61adb1d9fd0e452c72416e27d2374cccbfb6013d8618e682ac82f2.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\c5016e158f61adb1d9fd0e452c72416e27d2374cccbfb6013d8618e682ac82f2.exe
"C:\Users\Admin\AppData\Local\Temp\c5016e158f61adb1d9fd0e452c72416e27d2374cccbfb6013d8618e682ac82f2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 56
2⤵
- Program crash
PID:2024

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1956-54-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2024-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads