metasploit | b4fc8cb5b64f8ed75a66f88243e65ca88bad3fb6cf12fdf611336a44687985d6

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 01:37

Target

b4fc8cb5b64f8ed75a66f88243e65ca88bad3fb6cf12fdf611336a44687985d6.exe
Size

72KB
MD5

20393cd4549f7843ff76a684b1ce2e10
SHA1

b80f76dc9091d05e455f8a53f95d3c5f58928b48
SHA256

b4fc8cb5b64f8ed75a66f88243e65ca88bad3fb6cf12fdf611336a44687985d6
SHA512

6a0ebcfff14267cd1203d83ee9ff5c80a766b4bb8ecb6bec9da6131705c919ee86b7db64bc835bece4303f647743e53bc36b095b91ac58bacf00c3effe5a08ff
SSDEEP

1536:ILTYdVOXoq5KtNuEzzy45xD3uqBGMb+KR0Nc8QsJq39:u4q4i+Ge0Nc8QsC9

Score

10^/10

Family

metasploit

Version

windows/exec

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b4fc8cb5b64f8ed75a66f88243e65ca88bad3fb6cf12fdf611336a44687985d6.exe

description	pid	process	target process
PID 1832 wrote to memory of 1692	1832	b4fc8cb5b64f8ed75a66f88243e65ca88bad3fb6cf12fdf611336a44687985d6.exe	cmd.exe
PID 1832 wrote to memory of 1692	1832	b4fc8cb5b64f8ed75a66f88243e65ca88bad3fb6cf12fdf611336a44687985d6.exe	cmd.exe
PID 1832 wrote to memory of 1692	1832	b4fc8cb5b64f8ed75a66f88243e65ca88bad3fb6cf12fdf611336a44687985d6.exe	cmd.exe
PID 1832 wrote to memory of 1692	1832	b4fc8cb5b64f8ed75a66f88243e65ca88bad3fb6cf12fdf611336a44687985d6.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b4fc8cb5b64f8ed75a66f88243e65ca88bad3fb6cf12fdf611336a44687985d6.exe
"C:\Users\Admin\AppData\Local\Temp\b4fc8cb5b64f8ed75a66f88243e65ca88bad3fb6cf12fdf611336a44687985d6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C echo 'OS{b697e22faf935e66190a1e7a28251850}'
2⤵
PID:1692

memory/1832-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download