metasploit | 84fe9be1d3918d0e8bdb0ee7c5f303c917bdbbe2f64d9fd2b2b6852806367188

Analysis

max time kernel
91s
max time network
138s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-03-2023 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f6fc9e1e9a5b1c319afefeab6519eb4.exe
Size

72KB
MD5

1f6fc9e1e9a5b1c319afefeab6519eb4
SHA1

21d843ef5d1068fed822fe2a68c61cbc8e9801b9
SHA256

84fe9be1d3918d0e8bdb0ee7c5f303c917bdbbe2f64d9fd2b2b6852806367188
SHA512

6c024e155746c0fa366e51bbb8d27b3212ddc029a178fad42098dc0504054064009792e27865251f2c24877c5b5d7bff39cefde5600f0ea0d35d76cadb669aad
SSDEEP

1536:IaP9IlTNbrXFkpG6w9jpr87Mb+KR0Nc8QsJq39:sNPFkjaF2e0Nc8QsC9

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

3.142.71.14:28193

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2044	1f6fc9e1e9a5b1c319afefeab6519eb4.exe
2044	1f6fc9e1e9a5b1c319afefeab6519eb4.exe
2044	1f6fc9e1e9a5b1c319afefeab6519eb4.exe
1020	notepad.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	1f6fc9e1e9a5b1c319afefeab6519eb4.exe
Token: SeDebugPrivilege	2044	1f6fc9e1e9a5b1c319afefeab6519eb4.exe
Token: SeDebugPrivilege	2044	1f6fc9e1e9a5b1c319afefeab6519eb4.exe
Token: SeDebugPrivilege	2044	1f6fc9e1e9a5b1c319afefeab6519eb4.exe
Token: SeDebugPrivilege	1020	notepad.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1020	2044	1f6fc9e1e9a5b1c319afefeab6519eb4.exe	28
PID 2044 wrote to memory of 1020	2044	1f6fc9e1e9a5b1c319afefeab6519eb4.exe	28
PID 2044 wrote to memory of 1020	2044	1f6fc9e1e9a5b1c319afefeab6519eb4.exe	28
PID 2044 wrote to memory of 1020	2044	1f6fc9e1e9a5b1c319afefeab6519eb4.exe	28
PID 2044 wrote to memory of 1020	2044	1f6fc9e1e9a5b1c319afefeab6519eb4.exe	28
PID 2044 wrote to memory of 1020	2044	1f6fc9e1e9a5b1c319afefeab6519eb4.exe	28
PID 2044 wrote to memory of 1020	2044	1f6fc9e1e9a5b1c319afefeab6519eb4.exe	28
PID 2044 wrote to memory of 1020	2044	1f6fc9e1e9a5b1c319afefeab6519eb4.exe	28

C:\Users\Admin\AppData\Local\Temp\1f6fc9e1e9a5b1c319afefeab6519eb4.exe
"C:\Users\Admin\AppData\Local\Temp\1f6fc9e1e9a5b1c319afefeab6519eb4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1020-114-0x00000000003A0000-0x00000000003D1000-memory.dmp

Filesize
196KB

Download
memory/1020-122-0x00000000003A0000-0x00000000003D1000-memory.dmp

Filesize
196KB

Download
memory/1020-109-0x00000000001F0000-0x000000000021B000-memory.dmp

Filesize
172KB

Download
memory/1020-110-0x00000000001F0000-0x000000000021B000-memory.dmp

Filesize
172KB

Download
memory/1020-108-0x00000000001F0000-0x000000000021B000-memory.dmp

Filesize
172KB

Download
memory/1020-131-0x0000000000220000-0x0000000000240000-memory.dmp

Filesize
128KB

Download
memory/1020-129-0x00000000003A0000-0x00000000003D1000-memory.dmp

Filesize
196KB

Download
memory/1020-113-0x00000000003A0000-0x00000000003D1000-memory.dmp

Filesize
196KB

Download
memory/1020-121-0x0000000000860000-0x00000000008BF000-memory.dmp

Filesize
380KB

Download
memory/1020-117-0x00000000001F0000-0x000000000021B000-memory.dmp

Filesize
172KB

Download
memory/1020-106-0x00000000001F0000-0x000000000021B000-memory.dmp

Filesize
172KB

Download
memory/1020-107-0x00000000001F0000-0x000000000021B000-memory.dmp

Filesize
172KB

Download
memory/1020-136-0x0000000000860000-0x00000000008BF000-memory.dmp

Filesize
380KB

Download
memory/1020-116-0x00000000003A0000-0x00000000003D1000-memory.dmp

Filesize
196KB

Download
memory/2044-81-0x0000000000270000-0x00000000002A1000-memory.dmp

Filesize
196KB

Download
memory/2044-111-0x0000000002170000-0x00000000021CF000-memory.dmp

Filesize
380KB

Download
memory/2044-112-0x0000000000270000-0x00000000002A1000-memory.dmp

Filesize
196KB

Download
memory/2044-57-0x0000000000270000-0x00000000002A1000-memory.dmp

Filesize
196KB

Download
memory/2044-54-0x0000000000270000-0x00000000002A1000-memory.dmp

Filesize
196KB

Download
memory/2044-56-0x0000000000240000-0x000000000026B000-memory.dmp

Filesize
172KB

Download
memory/2044-100-0x0000000000270000-0x00000000002A1000-memory.dmp

Filesize
196KB

Download
memory/2044-83-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/2044-55-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2044-66-0x0000000002170000-0x00000000021CF000-memory.dmp

Filesize
380KB

Download
memory/2044-65-0x0000000000270000-0x00000000002A1000-memory.dmp

Filesize
196KB

Download
memory/2044-58-0x0000000000270000-0x00000000002A1000-memory.dmp

Filesize
196KB

Download