metasploit | 8f343eb8c2c5e4a68c10a52c6dce60ad2b77e23a1fbc911b6cb0d7552dff5b41

Analysis

max time kernel
112s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f343eb8c2c5e4a68c10a52c6dce60ad2b77e23a1fbc911b6cb0d7552dff5b41.exe
Size

53KB
MD5

5feb792c104aeabc7ffbbcc25135e826
SHA1

e27f80b801efd609ea13da700dc6443365d29e17
SHA256

8f343eb8c2c5e4a68c10a52c6dce60ad2b77e23a1fbc911b6cb0d7552dff5b41
SHA512

4c35856071a25eb2435e4e94194df6e64518eb66b02948971b349a281553d7934be9468e9f4c681c32c40bb946ef3324376397357e03d10ac2f48d33c27e94eb
SSDEEP

1536:yRDv/y56VTjZ8BfynyMnGiL2I6GtQB1h:yHyyTj2BfMyMzy

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2864-136-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/2864-138-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/2864-137-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/2864-141-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/2864-142-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/2864-143-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1336 set thread context of 2864	1336	8f343eb8c2c5e4a68c10a52c6dce60ad2b77e23a1fbc911b6cb0d7552dff5b41.exe	81

Program crash 1 IoCs

pid	pid_target	Process	procid_target
392	2864	WerFault.exe	81

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 2864	1336	8f343eb8c2c5e4a68c10a52c6dce60ad2b77e23a1fbc911b6cb0d7552dff5b41.exe	81
PID 1336 wrote to memory of 2864	1336	8f343eb8c2c5e4a68c10a52c6dce60ad2b77e23a1fbc911b6cb0d7552dff5b41.exe	81
PID 1336 wrote to memory of 2864	1336	8f343eb8c2c5e4a68c10a52c6dce60ad2b77e23a1fbc911b6cb0d7552dff5b41.exe	81
PID 1336 wrote to memory of 2864	1336	8f343eb8c2c5e4a68c10a52c6dce60ad2b77e23a1fbc911b6cb0d7552dff5b41.exe	81
PID 1336 wrote to memory of 2864	1336	8f343eb8c2c5e4a68c10a52c6dce60ad2b77e23a1fbc911b6cb0d7552dff5b41.exe	81
PID 1336 wrote to memory of 2864	1336	8f343eb8c2c5e4a68c10a52c6dce60ad2b77e23a1fbc911b6cb0d7552dff5b41.exe	81
PID 1336 wrote to memory of 2864	1336	8f343eb8c2c5e4a68c10a52c6dce60ad2b77e23a1fbc911b6cb0d7552dff5b41.exe	81
PID 1336 wrote to memory of 2864	1336	8f343eb8c2c5e4a68c10a52c6dce60ad2b77e23a1fbc911b6cb0d7552dff5b41.exe	81

C:\Users\Admin\AppData\Local\Temp\8f343eb8c2c5e4a68c10a52c6dce60ad2b77e23a1fbc911b6cb0d7552dff5b41.exe
"C:\Users\Admin\AppData\Local\Temp\8f343eb8c2c5e4a68c10a52c6dce60ad2b77e23a1fbc911b6cb0d7552dff5b41.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\8f343eb8c2c5e4a68c10a52c6dce60ad2b77e23a1fbc911b6cb0d7552dff5b41.exe
  "C:\Users\Admin\AppData\Local\Temp\8f343eb8c2c5e4a68c10a52c6dce60ad2b77e23a1fbc911b6cb0d7552dff5b41.exe"
  2⤵
  PID:2864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1100
    3⤵
    - Program crash
    PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2864 -ip 2864
1⤵
PID:1652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2864-136-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2864-138-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2864-137-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2864-141-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2864-142-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2864-143-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download