metasploit | 2ed3a9866aa5d7cef507a491b7b2fd8e9c564f6e224c501eadced2def0d2b840

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 19:18

Target

NEAS.76cadb3a211d14c02d16204eb1009d70.exe
Size

88KB
MD5

76cadb3a211d14c02d16204eb1009d70
SHA1

531b266bef7320037ee5c5fdee604ef3c256be79
SHA256

2ed3a9866aa5d7cef507a491b7b2fd8e9c564f6e224c501eadced2def0d2b840
SHA512

df7b344fb5910d41f1c6c53d86177d8f33b93d8122e4c0e6a2725c4b8ec188fba07870298eb8ab24e3de4cf591e273bbacba75f54f2cbdcebc3f8b1d46ca1025
SSDEEP

1536:0VJdn9CP6En2lJpX6+KZfGZRaE1TaQmF6kIvvotxaeDMusOJ4c:oJl6FUpX6+SfGmE1Ta6kkAtYoRJ5

Score

10^/10

Family

metasploit

Version

windows/reverse_tcp

192.168.1.8:4444

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2832 created 3300	2832	NEAS.76cadb3a211d14c02d16204eb1009d70.exe	36

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2832 set thread context of 4436	2832	NEAS.76cadb3a211d14c02d16204eb1009d70.exe	89

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 4436	2832	NEAS.76cadb3a211d14c02d16204eb1009d70.exe	89
PID 2832 wrote to memory of 4436	2832	NEAS.76cadb3a211d14c02d16204eb1009d70.exe	89
PID 2832 wrote to memory of 4436	2832	NEAS.76cadb3a211d14c02d16204eb1009d70.exe	89
PID 2832 wrote to memory of 4436	2832	NEAS.76cadb3a211d14c02d16204eb1009d70.exe	89
PID 2832 wrote to memory of 4436	2832	NEAS.76cadb3a211d14c02d16204eb1009d70.exe	89
PID 2832 wrote to memory of 4436	2832	NEAS.76cadb3a211d14c02d16204eb1009d70.exe	89
PID 2832 wrote to memory of 4436	2832	NEAS.76cadb3a211d14c02d16204eb1009d70.exe	89
PID 2832 wrote to memory of 4436	2832	NEAS.76cadb3a211d14c02d16204eb1009d70.exe	89
PID 2832 wrote to memory of 4436	2832	NEAS.76cadb3a211d14c02d16204eb1009d70.exe	89

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3300
- C:\Users\Admin\AppData\Local\Temp\NEAS.76cadb3a211d14c02d16204eb1009d70.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.76cadb3a211d14c02d16204eb1009d70.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\NEAS.76cadb3a211d14c02d16204eb1009d70.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.76cadb3a211d14c02d16204eb1009d70.exe"
  2⤵
  PID:4436

memory/2832-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4436-1-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4436-3-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4436-4-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download