metasploit | 59857a747a83ec979f5e4774968a5cd5e0327f52125b5fa431df8cd173dbb1f2

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31-03-2024 14:08

Target

59857a747a83ec979f5e4774968a5cd5e0327f52125b5fa431df8cd173dbb1f2.exe
Size

7.5MB
MD5

38a9ddc33fb45b4c576eda18c9b33819
SHA1

3c40a0eb5310f2af0ae9d8565c06af07a44701db
SHA256

59857a747a83ec979f5e4774968a5cd5e0327f52125b5fa431df8cd173dbb1f2
SHA512

7dbedf356eb0500ee4be2b0bf8000708094d875c3fe10284f1301705cc142d48dc9985110c9247fbc209fc56b080b190132b91d3547674fd94e411a131174a56
SSDEEP

49152:0ug+zejoF8v8F/nlnLRpSct4whtfVKevv7m9gcQYPbH51a7y58SsSFct4whtfVKX:Hzeo80F/nNRMPbjAyK7MPbjAGfU

Score

10^/10

Family

metasploit

Version

metasploit_stager

192.168.207.137:8000

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2312 2088 WerFault.exe 59857a747a83ec979f5e4774968a5cd5e0327f52125b5fa431df8cd173dbb1f2.exe

pid	pid_target	process	target process
2312	2088	WerFault.exe	59857a747a83ec979f5e4774968a5cd5e0327f52125b5fa431df8cd173dbb1f2.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

59857a747a83ec979f5e4774968a5cd5e0327f52125b5fa431df8cd173dbb1f2.exe

description	pid	process	target process
PID 2088 wrote to memory of 2312	2088	59857a747a83ec979f5e4774968a5cd5e0327f52125b5fa431df8cd173dbb1f2.exe	WerFault.exe
PID 2088 wrote to memory of 2312	2088	59857a747a83ec979f5e4774968a5cd5e0327f52125b5fa431df8cd173dbb1f2.exe	WerFault.exe
PID 2088 wrote to memory of 2312	2088	59857a747a83ec979f5e4774968a5cd5e0327f52125b5fa431df8cd173dbb1f2.exe	WerFault.exe
PID 2088 wrote to memory of 2312	2088	59857a747a83ec979f5e4774968a5cd5e0327f52125b5fa431df8cd173dbb1f2.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\59857a747a83ec979f5e4774968a5cd5e0327f52125b5fa431df8cd173dbb1f2.exe
"C:\Users\Admin\AppData\Local\Temp\59857a747a83ec979f5e4774968a5cd5e0327f52125b5fa431df8cd173dbb1f2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 256
2⤵
- Program crash
PID:2312

memory/2088-0-0x0000000000400000-0x0000000000BB094C-memory.dmp

Filesize
7.7MB

Download
memory/2088-1-0x0000000000400000-0x0000000000BB094C-memory.dmp

Filesize
7.7MB

Download