metasploit | 268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 04:15

Target

268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe
Size

1.7MB
MD5

eb9cabcd94a20538086b9f481f3264ab
SHA1

e648e52e26f6484784b8c2c0c7ddd7d6c417110b
SHA256

268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d
SHA512

cbdd8cade72760da4f7c817c6e23ed9b4ef8f9abaee0a92000ee9766ccb0ceb922a66bc351390f64f96d8dca8a0dd405b74591641a6ed5fba28fc1e8ebe473a4
SSDEEP

24576:eDOZAx3kzexuUsmPmRk6zj6FQxo5444Je:pA6ze/snOr5P4M

Score

10^/10

Family

metasploit

Version

metasploit_stager

192.168.4.126:3333

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.execmd.exe

description	pid	process	target process
PID 1780 wrote to memory of 3840	1780	268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe	cmd.exe
PID 1780 wrote to memory of 3840	1780	268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe	cmd.exe
PID 1780 wrote to memory of 3608	1780	268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe	cmd.exe
PID 1780 wrote to memory of 3608	1780	268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe	cmd.exe
PID 1780 wrote to memory of 4372	1780	268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe	cmd.exe
PID 1780 wrote to memory of 4372	1780	268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe	cmd.exe
PID 4372 wrote to memory of 1772	4372	cmd.exe	curl.exe
PID 4372 wrote to memory of 1772	4372	cmd.exe	curl.exe

C:\Users\Admin\AppData\Local\Temp\268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe
"C:\Users\Admin\AppData\Local\Temp\268021c7af108f0006f02e9b5f5999bcbc1173c5a4834c036b13208317690a1d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\system32\cmd.exe
cmd /C echo "The operation completed successfully"
2⤵
PID:3608

C:\Windows\system32\cmd.exe
cmd /C curl http://192.168.4.70
2⤵
- Suspicious use of WriteProcessMemory
PID:4372

memory/1780-0-0x000001B4E8980000-0x000001B4E8981000-memory.dmp

Filesize
4KB

Download