Analysis
-
max time kernel
140s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
07/01/2024, 19:37
Behavioral task
behavioral1
Sample
adb5379a6e7909e2380a29f306eb5dc1.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
adb5379a6e7909e2380a29f306eb5dc1.exe
Resource
win10v2004-20231215-en
General
-
Target
adb5379a6e7909e2380a29f306eb5dc1.exe
-
Size
90KB
-
MD5
adb5379a6e7909e2380a29f306eb5dc1
-
SHA1
b250cec7c1462f972d10772d199cd9ab4082cda5
-
SHA256
3e9bf6ea0933dff4f6d8c7636f9b5431a4254cc91cdc8c44fdf2c17015214da4
-
SHA512
f0a721a9f25e16336005cf873eba1795bc43d8e1504002fee1f3eefb5b860175786fd6d6e025f0481b9b378a66339f8a0d5b175043c4e9e2027ca0adebcdf645
-
SSDEEP
1536:XDcjVohEwitwUV3fG+++++++++++++++++++++++++++++++++++++++++eJi8j:IPtZG++++++++++++++++++++++++++z
Malware Config
Extracted
metasploit
encoder/shikata_ga_nai
Extracted
metasploit
windows/download_exec
http://192.168.1.21:443/INITM
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1960 2392 WerFault.exe 14 -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2392 wrote to memory of 1960 2392 adb5379a6e7909e2380a29f306eb5dc1.exe 16 PID 2392 wrote to memory of 1960 2392 adb5379a6e7909e2380a29f306eb5dc1.exe 16 PID 2392 wrote to memory of 1960 2392 adb5379a6e7909e2380a29f306eb5dc1.exe 16 PID 2392 wrote to memory of 1960 2392 adb5379a6e7909e2380a29f306eb5dc1.exe 16
Processes
-
C:\Users\Admin\AppData\Local\Temp\adb5379a6e7909e2380a29f306eb5dc1.exe"C:\Users\Admin\AppData\Local\Temp\adb5379a6e7909e2380a29f306eb5dc1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 442⤵
- Program crash
PID:1960
-