metasploit | 18ba6cd59749904247bade4b75429e2ac2c4ee2a6fe206ebd114e89283f8f5db

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 22:41

Target

tmp.exe
Size

31KB
MD5

e9dc029457e9d23c8db988c4c0585bfa
SHA1

3d670aa59c97d831e5097b69734b994bf4144cbb
SHA256

18ba6cd59749904247bade4b75429e2ac2c4ee2a6fe206ebd114e89283f8f5db
SHA512

3a6138fd199b3cd0a12f4a1ca193823b32afa557a3d7af5e279cc96edb3fcab31fcf6bbff357d089331f47a295e83222f17a45be3dd4254de88b06bf98f379a9
SSDEEP

192:+np66k5gQDVAU3l6+eKdv3Zn4TJrJfsQ5XfDcyLwaBg1+Cfs2LzwYDK7UlVSq7j4:GO/5AwJtZ4RFskLt

Score

10^/10

Family

metasploit

Version

metasploit_stager

124.221.70.199:8983

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

tmp.exe

pid process

1440 tmp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Explorer.EXE

description pid process

Token: SeShutdownPrivilege 1268 Explorer.EXE
Suspicious use of WriteProcessMemory 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1440 wrote to memory of 1268 1440 tmp.exe Explorer.EXE

pid	process
1440	tmp.exe

description	pid	process
Token: SeShutdownPrivilege	1268	Explorer.EXE

description	pid	process	target process
PID 1440 wrote to memory of 1268	1440	tmp.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1268

memory/1268-0-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1268-1-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1268-2-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download