metasploit | e9df4a61a9bdfc03cfba5f03e7f0de75d40c5cc9c2d701d7d296f424265a86b3

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
30/09/2023, 02:16

Target

mw1.exe
Size

72KB
MD5

e48556dfdcbfa33e4b5e15d7e462f95d
SHA1

4a480627d858fb88bc90acf241c091c0568fc78a
SHA256

e9df4a61a9bdfc03cfba5f03e7f0de75d40c5cc9c2d701d7d296f424265a86b3
SHA512

d6956a76d9721f5d1aaeef02f9cc34c7b38cb394caab47e2fb452f41990e0aa3ad77bbf4ee9968149320eff61f1e23a50804df545e62336bc81922ab6811256e
SSDEEP

1536:IE9HQPZ6wVYTcMh3ln4jkK3PEpH8CayMb+KR0Nc8QsJq39:N062Y4s8CJe0Nc8QsC9

Score

10^/10

Family

metasploit

Version

windows/exec

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2804	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2804	1180	mw1.exe	28
PID 1180 wrote to memory of 2804	1180	mw1.exe	28
PID 1180 wrote to memory of 2804	1180	mw1.exe	28
PID 1180 wrote to memory of 2804	1180	mw1.exe	28

C:\Users\Admin\AppData\Local\Temp\mw1.exe
"C:\Users\Admin\AppData\Local\Temp\mw1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "Get-ADDomain example.com"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804

memory/1180-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2804-3-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-4-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-5-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/2804-6-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/2804-7-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download