metasploit | c2a38907a61f9a5185bbc98129951b2ca8480c03030693375a9e172811ef9ae5

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 10:19

Target

c2a38907a61f9a5185bbc98129951b2ca8480c03030693375a9e172811ef9ae5.exe
Size

1.7MB
MD5

4989b3eee2a60d4768ac5cbac0b02b0a
SHA1

7ac86d2ce6991181584129fbb7be618174982f5b
SHA256

c2a38907a61f9a5185bbc98129951b2ca8480c03030693375a9e172811ef9ae5
SHA512

6dfec7c2374781892e9ac5ca65c686483686e896b81a782146fbc503d10882f037fd0bb3e32b7643f5c61312722c466359dc7f9dbd97a3424f1ff98dd5000966
SSDEEP

24576:vDOZAx3kzexuUsmPKQw6zj6FQxo5DoMFe:qA6ze/s+Sr5MM4

Score

10^/10

Family

metasploit

Version

metasploit_stager

192.168.4.126:3333

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 2180	3124	c2a38907a61f9a5185bbc98129951b2ca8480c03030693375a9e172811ef9ae5.exe	85
PID 3124 wrote to memory of 2180	3124	c2a38907a61f9a5185bbc98129951b2ca8480c03030693375a9e172811ef9ae5.exe	85
PID 2180 wrote to memory of 2428	2180	cmd.exe	87
PID 2180 wrote to memory of 2428	2180	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\c2a38907a61f9a5185bbc98129951b2ca8480c03030693375a9e172811ef9ae5.exe
"C:\Users\Admin\AppData\Local\Temp\c2a38907a61f9a5185bbc98129951b2ca8480c03030693375a9e172811ef9ae5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\system32\cmd.exe
  cmd /C curl http://192.168.4.70
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\system32\curl.exe
    curl http://192.168.4.70
    3⤵
    PID:2428

memory/3124-0-0x000001DB7DD00000-0x000001DB7DD01000-memory.dmp

Filesize
4KB

Download