metasploit | 7f5b8433af510730ded102d29e7ccd1c715d76b7532fdd063c6273765e511e3b | Triage

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 14:12

Sharing

Report Analysis Logs

General

Target

level0.exe
Size

12.2MB
MD5

f9f0a80d33560d81f5d26938d1571e52
SHA1

d493ad026b8ad0b11822acd807ed8b4471af712c
SHA256

24a73f79cd0dc350f85c9f11a0ce6b97963b3f7191c09e29959f08819140caef
SHA512

7a4be5d34ada64955d5cc9c5a13fd614860bb23e657180f239df4400a8cabd254b2afb58d4945c041192f118fcaef3582c17689133a57554eb73461fa34d18c3
SSDEEP

196608:xwdXfHnmfdf0r/acj5a6m9oZOujWBLKOiGaz33:WdPGfdf0vHZOujgobzH

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

192.168.122.1:31337

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

level0.exe

pid process

2216 level0.exe
2216 level0.exe
Suspicious use of WriteProcessMemory 1 IoCs

Processes:

level0.exe

description pid process target process

PID 2216 wrote to memory of 1080 2216 level0.exe taskhost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\level0.exe
"C:\Users\Admin\AppData\Local\Temp\level0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-0-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1080-1-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2216-3-0x000000013FA70000-0x00000001404D1000-memory.dmp

Filesize
10.4MB

Download